The use of selfies to verify identity online is an emerging trend in some parts of the world since the pandemic forced more business to go digital. Some banks - and even governments - have begun requiring live images over Zoom or similar in order to participate in the modern economy. The question must be asked, though: is it cyber smart?

Just last Monday the Southeast Asian nation of Vietnam began requiring face scans on phone banking apps as proof of identity for all digital transactions of around $400 and above.

The nation's residents are not able to opt out of the banking rules, despite Vietnam regularly finding itself ranked poorly when it comes to internet privacy or cyber security.

Local media has weighed in to suggest that selfies will not improve security. And just days into the new regime, some apps have already been called out for accepting still photos instead of a live image of the individual.

Concerns aren't limited to Vietnam. Late last month, US cyber security firm Resecurity flagged similar concerns when it found a spike in leaked identity documents containing selfies of Singaporeans on the dark web.

Many of those selfies were provided to fintech and e-commerce providers and later leaked. Resecurity asserted that some were captured by cyber crime groups that run fake telemarketing or customer support scams and gather selfies so they can sell them to other miscreants.

The rise of selfies for identity verification

"Using selfies for identity verification has been growing steadily for around the last five years, but the inflection point was during the pandemic when people were forced to engage digitally," VP analyst at Gartner, Akif Khan, told The Register.

Khan, who regularly helps guide organizations through the process of implementing selfie-based authentication, rated interest as "very high." He's seen steady growth with a recent "uptick."

Fintech veteran, policy wonk, and CEO at consultancy New World Advisors Katie Mitchell agreed with Khan. "As more financial services are online, there's been a need to replicate account opening services for that environment," she told The Register.

"Subsequently, there's the need now for proof of personhood for lots of things we do online."

According to Mitchell, anti-money-laundering (AML) and know your customer (KYC) processes are sometimes covered by laws and sometimes set by standard bodies, like the US National Institute of Standards and Technology (NIST).

Whoever defines AML and KYC processes, they are seldom globally interoperable - they vary by jurisdiction and are constantly updated.

"Separately those jurisdictions will have data protection and privacy laws as well. Those don't necessarily refer to the processes of biometric collection that are required for account verification and opening in a way that's comprehensive. There's a gap in arbitrage there," explained Mitchell

According to Acronis CISO Kevin Reed, that lack of regulation is sometimes the problem. But at other times, it's the organization that collected and managed the selfie that is at fault.

"Getting a selfie for KYC purposes is not a problem on its own - the problem is that this data is not properly handled and in many cases is never discarded after the verification is complete," Reed told The Reg. That dilemma is compounded when lots of people have access to the files.

"If they are of any value to criminals - and a data pack allowing a crim to complete KYC is certainly valuable - someone will try to steal them," explained Reed.

Resecurity's report featured an example of a Singapore-based digital payments provider whose ID verification method involved an individual holding their government ID along with a piece of paper with a specific message hand written on it.

Reed called this method "slightly better" than a simple photo - but not "a significant improvement" as it's easily editable.

"I would say that process would deter a casual attacker, but any one vaguely motivated would find way around it," Gartner's Khan told The Reg of still selfies. In his experience, businesses that rely on simple still selfies are typically smaller outfits that have experienced fraud and have implemented a selfie-based stopgap as they scramble to put a proper solution in place.

Liveness checks are part of the solution

Khan's clients use vendors whose product includes liveness checks integrated into websites or mobile apps. The process of authenticating that the image is a real person in real time is typically completely outsourced.

The outsourcer will look for markers on the ID - like a hologram, security features, the way light reflects, plus the depth and edges of a physical credential.

They will also often require video from the individual undergoing the check - asking for a facial expression or a head turn. Some liveness checks even search for signs of blood flow.

After liveness is determined and the ID is deemed not forged, biometrics are compared to the ID.

And because the vendor is controlling the capture, it can even detect deepfake injection attacks.

The whole process will usually be aided by machine learning and typically takes under 20 seconds to complete. The vendors either store the data for a defined period of time or purge it immediately.

Verification stills on dark web could be useless

Khan thinks concern about identity theft from still images and picture IDs found on the dark web is overblown, as most entities will require liveness checks for opening bank accounts and other tasks.

The flat images Resecurity warned about therefore become more and more useless as liveness checks evolve.

"I work in security - nothing is foolproof," admitted Khan. He added that the real concern is what happens when accessibility, diversity, and inclusion measures come into play.

It's important to make sure all people can adequately access these verification systems - but in making exception processes to ensure all users can employ liveness checks, vendors need to be careful not to inadvertently create a workaround.

He warned, "You have to think about how to be inclusive while stopping a threat actor from pretending." ®

https://www.theregister.com//2024/07/08/selfie_authentication_security/