
Mobile Malware Defeats Biometrics

Security or convenience, pick one.

Background: there is a difference between IDENTIFICATION and AUTHENTICATION.

Identification is the equivalent of a userid. Userids are not secret.

Authentication is the equivalent of a password. Passwords are secret.

Many systems use a biometric such as a face scan to BOTH identify a user and authenticate that it is really that user. That is convenient, but it is not secure: it collapses two distinct factors into a single one, and that one, your face, is not a secret. Anyone who can capture it, or synthesize it, holds the only thing the system asks for.
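The following Python model is an added illustration, not code from the original post or from any bank or vendor it mentions. It contrasts the two designs the paragraph above describes: a server-side face match used as both identifier and authenticator, and a design where the face scan is only a local gate that unlocks a key bound to the user's own device, with the server verifying a signature over a fresh challenge. The second design goes beyond the text; it is the generally recommended pattern for remote authentication. The "face embedding" as a 3-vector, the match threshold, the user names, and HMAC standing in for an asymmetric signature are all assumptions made for the example, and the attacker's deepfake input is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a "face embedding" modelled as a short vector.
# Real systems use high-dimensional templates; the failure mode is the same.
ENROLLED_FACE = {"alice": (0.91, 0.12, 0.55)}
MATCH_THRESHOLD = 0.1  # assumed similarity cutoff


def face_distance(a, b):
    """Euclidean distance between two embeddings (assumed similarity metric)."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def faces_match(template, presented):
    return face_distance(template, presented) < MATCH_THRESHOLD


# ---- Flow 1: face scan used as both userid and password, checked server-side ----
def biometric_only_login(presented_face):
    """Identify AND authenticate from the face alone; returns user id or None.
    Whoever presents a close-enough face (e.g. a deepfake built from a
    captured scan) is logged in: there is no secret the attacker lacks."""
    for user, template in ENROLLED_FACE.items():
        if faces_match(template, presented_face):
            return user
    return None


# ---- Flow 2: face scan only unlocks a key that never leaves the device ----
class Device:
    """Holds a per-device key; the face check is a local gate, not a credential.
    HMAC stands in for an asymmetric signature to keep this stdlib-only; in a
    real design the server would store only the device's public key."""

    def __init__(self, owner_face):
        self.owner_face = owner_face
        self.key = secrets.token_bytes(32)  # never leaves the device

    def sign_challenge(self, presented_face, challenge):
        if not faces_match(self.owner_face, presented_face):
            return None  # local biometric gate failed
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.device_keys = {}  # userid -> registered device key
        self.pending = {}      # userid -> outstanding challenge nonce

    def register(self, userid, device):
        self.device_keys[userid] = device.key

    def start_login(self, userid):
        """The userid is the non-secret identifier; a fresh nonce defeats replay."""
        challenge = secrets.token_bytes(16)
        self.pending[userid] = challenge
        return challenge

    def finish_login(self, userid, signature):
        challenge = self.pending.pop(userid, None)
        key = self.device_keys.get(userid)
        if challenge is None or key is None or signature is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


# Constructed attacker input: a deepfake that lands inside the match threshold.
DEEPFAKE_FACE = (0.90, 0.13, 0.55)


def demo_biometric_only():
    """Attacker logs in as Alice with nothing but a good-enough face."""
    return biometric_only_login(DEEPFAKE_FACE)


def demo_device_bound():
    """Returns (legit_ok, attacker_ok, replay_ok). The same deepfake now fails:
    the attacker holds neither Alice's device key nor a valid fresh signature."""
    server = Server()
    alices_phone = Device(ENROLLED_FACE["alice"])
    server.register("alice", alices_phone)

    # Legitimate login from Alice's own device.
    ch = server.start_login("alice")
    legit_sig = alices_phone.sign_challenge(ENROLLED_FACE["alice"], ch)
    legit_ok = server.finish_login("alice", legit_sig)

    # Attacker has the deepfake but only their own device (their own key).
    attackers_phone = Device(DEEPFAKE_FACE)
    ch = server.start_login("alice")
    attacker_sig = attackers_phone.sign_challenge(DEEPFAKE_FACE, ch)
    attacker_ok = server.finish_login("alice", attacker_sig)

    # Attacker replays Alice's earlier signature against a new challenge.
    server.start_login("alice")
    replay_ok = server.finish_login("alice", legit_sig)
    return legit_ok, attacker_ok, replay_ok


if __name__ == "__main__":
    print("biometric-only login as:", demo_biometric_only())
    print("device-bound (legit, attacker, replay):", demo_device_bound())
```

The point of the second flow is that the face never becomes the credential: it only decides whether a key that is already bound to the user's hardware may sign. A phone's built-in face or fingerprint unlock works this way, which is why a deepfake presented to a bank's own server-side face check is a different problem from a deepfake presented to the phone.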

Case in point.

GoldPickAxe is a new, Chinese-based malware family. It runs on both iOS and Android devices and poses as a government service app.

Right now it is being deployed in Asia, but malware has never had trouble crossing an ocean.

It works because deepfake technology is now a match for current biometric authentication measures.

Or, more accurately, for biometric authentication measures that were designed five years ago and implemented two to three years ago.

In this case, the Bank of Thailand mandated facial recognition last year to cut down on fraud. It is not working, because the face scan is, apparently, being used to replace both the userid and the password.

Because, after all, passwords are inconvenient and MFA is even more inconvenient. In this particular scam, the attackers tricked the user into installing the fake government app, which scanned the user's face, asked them to upload their government ID, and had them submit their phone number. That is everything needed to impersonate the user to a bank that relies on the face alone.

The lure works because the app looks like an official government app.

Here is the bottom line.

IF YOU ARE A SERVICE PROVIDER, YOU NO LONGER HAVE THE LUXURY OF YEARS TO UPDATE YOUR SECURITY MODELS. AI IS MOVING AT WARP SPEED; HACKERS DON’T CARE ABOUT GUARDRAILS AND THEY WILL WIN. YOU NEED TO MOVE AT WARP 10. SORRY IF THAT MAKES YOU UNCOMFORTABLE. THE HACKERS DON’T CARE.

On the other side, if you are a consumer, rethink the idea that convenience wins over security, at least for the accounts that matter to you, such as your bank accounts or your retirement savings. I am less concerned about your TikTok account, unless you are one of the few who actually earns a living from it.

I know that a face scan is convenient, as is a fingerprint on your phone, and both Apple and Google are spending fortunes trying to stay ahead of the bad actors. But are you willing to risk your retirement savings on it? If you are, then continue what you are doing. If you are not, then change.

If you need help, please contact us.

Credit: Dark Reading
