Protecting your data from face-stealing scams

Adrian Stanford, Group CTO at ESET Southern Africa.

As facial recognition technology becomes more widespread, many people are embracing it as a secure and convenient means of authentication. 

With tech giants like Apple popularising Face ID, which not only encrypts facial data and only stores it on device in Secure Enclave, but also uses sophisticated 3D scanning that can’t be easily fooled or compromised, financial institutions however have also integrated facial recognition into their security protocols. 

However, Adrian Stanford, Group CTO at ESET Southern Africa, says the latest ESET Threat Report H1 2024 reveals that cybercriminals are adapting quickly to the use of less sophisticated biometric technology.

Using advanced techniques, attackers are now exploiting AI-driven face-swapping services to bypass security measures and gain unauthorised access to victims’ accounts via fake mobile applications.

“While facial recognition is undoubtedly a popular and useful security tool, it’s crucial to understand its limitations. Simply relying on camera-based biometrics can provide a false sense of security. Cyber criminals are continuously innovating, and they have found ways to manipulate even the most some facial recognition technologies to suit their objectives.”

The power of biometric authentication

Biometric authentication methods, including facial and fingerprint recognition, are becoming increasingly popular among consumers and businesses alike. 

According to research in 2023, more than 50% of consumers used biometric authentication for online transactions, while fingerprint and facial recognition emerged as the top biometric methods, used by nearly 30% and 50% of consumers respectively. 

Additionally, the adoption of biometric authentication is gaining significant traction among IT and cybersecurity professionals, with many organisations shifting towards these methods to replace traditional passwords in workplace environments.

This growing reliance on biometrics reflects a global trend. The biometric market, valued at approximately $5 billion in 2022, is expected to reach $19.3 billion by 2032.

“Biometric technology provides ease of use and a level of security that many people find reassuring. However, this demand has also attracted the attention of cybercriminals who are adept at exploiting new technologies,” Stanford notes.

The malware threat

As biometric systems become more sophisticated, so do the tactics used by cybercriminals.

“The GoldPickaxe malware is one of the latest threats to exploit biometric data. Posing as legitimate apps, these fake applications trick users into providing videos of their faces and other personal information, which are then used to create deepfake videos. These realistic-looking videos are capable of bypassing some forms of biometric security,” Stanford explains.

GoldPickaxe malware has been observed targeting both Android and iOS users by impersonating legitimate applications. In one case, it posed as a Thai government app, collecting sensitive information such as identification documents, SMS messages, and facial recognition data.

Victims are tricked into installing a mobile device management (MDM) profile, which allows attackers to control the victim’s iOS device. On Android, it is typically distributed through websites masquerading as the Google Play Store. The ultimate aim is to gain access to users’ banking applications and other high-value targets.

How to avoid face-stealing scams

“While biometric security is a powerful tool, it is not infallible. Users should remain vigilant and take additional steps to protect their personal information,” says Stanford.

  • Download apps only from official sources

Always use official app stores, such as Google Play or the Apple App Store, to reduce the risk of downloading malicious applications.

  • Be cautious of ‘too good to be true’ offers

Always try to verify claims about eligibility for prizes, discounts, or, as in the case of GoldPickaxe, refunds and bonuses. If it seems too good to be true, it probably is.

  • Use Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring multiple forms of identification before granting access.

  • Verify the authenticity of financial apps

Scrutinise any app that requests biometric data, particularly financial applications. Look for reviews and official endorsements before proceeding.

  • Run regular security scans

Suspicious activity on your smartphone? Run a security scan with a reputable security app. If you discover a malicious app, delete it and restart your phone. Resetting your Android device to factory settings may be necessary.

“Creating fake videos using AI for scams sounds scary, but even these elaborate attacks can be avoided or stopped via appropriate cybersecurity solutions and sufficient awareness. While no single technology is the ultimate answer for everything, reliable cybersecurity consists of a multilayered defence combined with a prevention-first approach,” adds Stanford.

Read more