Warning issued to Australians about facial recognition on phones to make digital payments

admin

Australians are being warned about the dangers of using digital wallets because facial recognition software is not completely foolproof.

Cyber security expert Benjamin Britton has disputed assurances from the Australian Payments Network, an industry body, that its systems were safe, arguing biometrics technology had flaws.

‘Biometrics are highly flawed, especially facial recognition ones,’ he told Daily Mail Australia.

‘We’ve seen incidences of facial recognition technology being bypassed by people simply having a monitor screen in front of them – the face of the person who is supposed to be used for the facial recognition – and actually holding the phone up to it, from the front camera, like it’s the person looking at it and it’s actually passed in some cases.’

The warning about biometric technology is being issued following an international police investigation into stolen account data on individuals, also known as a digital fingerprint, being sold on the dark web Genesis Market.

This has led to the arrests of 10 Australians in three states.

Mr Britton, who works with defence contractors and provides advice on IT hacking, warned artificial intelligence could potentially be used to hack into digital wallets – with a third of Australian in-person transactions now done this way.

‘A lot of attacks these days are automated and done by AI,’ he said.

‘Give AI the problem of finding a way to rob every digital wallet on Earth, and it will come up with a solution and be able to potentially implement it.’

The Australian Payments Network – also known as AusPayNet – said, in a blog, it was ‘impossible’ to steal a credit card from a digital wallet and make payments because every transaction had a unique cryptogram that was cross-checked by the online card issuer.

‘This cryptogram is checked by the card issuer’s systems, making replay attacks (where card data is listened to in-flight and then reused in a separate payment) impossible,’ it said.

Mr Britton said it was arrogant to suggest a system was completely secure, saying the worst criminals – known as black hat hackers – were often very determined.

‘There is a sense of arrogance coming out from them,’ he said.

‘They think their system is foolproof – the fact they said in there ‘impossible’, that’s something that you’d never, ever, ever, ever say, especially in the hacking field.

‘To have arrogance in the cyber security world always leads to getting breached by black hat hackers who are all super arrogant and cocky people – it becomes almost a taunt to the cyber gifted to challenge them.

Apple’s digital Wallet design features

Every Apple Pay purchase has to be authenticated with Touch ID or Face ID.

No information can be sent without the user authenticating.

Actual card numbers are not stored on the device or on Apple servers.

A unique Device Account Number is created, encrypted in such a way that Apple can’t decrypt it.

It is stored in an iPhone, Apple Watch or iPad.

Apple says it doesn’t share a consumer’s card numbers with merchants.

‘Nothing is ever impossible, it’s virtually impossible but it’s not impossible and that’s only with today’s computing.’

Mr Britton suggested the payments industry offer a $1 million reward, as part of a controlled test, for any ethical hacker able to steal a credit card from a digital wallet, noting how messaging app Telegram offered $US300,000 as a reward nine years ago.

‘It’s one thing to have a theory that you’re secure, you must test it,’ he said.

‘If they are so confident that no one can steal this and that it’s incredibly secure, then they should put up a $1 million bounty to any hacker in the world who can steal a card and do payments.’

AusPayNet said cards stored in digital wallets did not have the data stored alongside a primary account number – the 14 to 19-digit credit card number usually on the front of a card.

‘Cards stored in digital wallets operate differently, and those differences make them more secure, not less,’ it said.

The industry group argued credit card details were instead stored via a token, which had to be authenticated with a fingerprint or a facial biometric for any information to be sent.

‘The token itself is a surrogate, non-sensitive value, unique to that device and stored in its secure element, which has no use if stolen,’ it said.
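The two AusPayNet claims above (a surrogate token in place of the card number, and a per-transaction cryptogram checked by the issuer) can be illustrated with a toy model. The following is an added example written for this page; it is not code from the article, AusPayNet, Apple or any card scheme, and the message layout, key handling and counter rule are simplifications chosen for illustration (the token, PAN, key and merchant values are constructed). It shows that the in-flight message carries no card number, that presenting a captured message a second time is refused because the transaction counter has already been used, and that altering the amount breaks the cryptogram.

```python
"""Toy model of a tokenised wallet payment with a per-transaction cryptogram.

Added example, not code from the article or from AusPayNet/Apple.  The
message layout, key handling and counter rules are simplifications chosen
for illustration; they do not reproduce any real EMV or wallet protocol.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def cryptogram(key: bytes, token: str, atc: int, amount_cents: int, merchant: str) -> str:
    """Transaction-specific MAC over the fields the issuer must see unchanged."""
    data = f"{token}|{atc}|{amount_cents}|{merchant}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class Issuer:
    """Card issuer: maps a surrogate token back to the real PAN and holds
    the per-token key used to verify cryptograms (constructed data)."""
    vault: dict = field(default_factory=dict)         # token -> (pan, key)
    last_counter: dict = field(default_factory=dict)  # token -> highest counter seen

    def provision(self, pan: str, token: str, key: bytes) -> None:
        self.vault[token] = (pan, key)
        self.last_counter[token] = 0

    def authorise(self, msg: dict) -> str:
        """Return 'approved' or a rejection reason for one payment message."""
        entry = self.vault.get(msg["token"])
        if entry is None:
            return "rejected: unknown token"
        _, key = entry
        expected = cryptogram(key, msg["token"], msg["atc"], msg["amount_cents"], msg["merchant"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "rejected: cryptogram mismatch"
        # Each token's transaction counter must move strictly forward, so a
        # captured message presented again (a replay) is refused.
        if msg["atc"] <= self.last_counter[msg["token"]]:
            return "rejected: replay (counter already used)"
        self.last_counter[msg["token"]] = msg["atc"]
        return "approved"


@dataclass
class Wallet:
    """Device side: holds only the token and key (standing in for the secure element)."""
    token: str
    key: bytes
    atc: int = 0  # application transaction counter, incremented per payment

    def pay(self, amount_cents: int, merchant: str) -> dict:
        self.atc += 1
        return {
            "token": self.token,
            "atc": self.atc,
            "amount_cents": amount_cents,
            "merchant": merchant,
            "cryptogram": cryptogram(self.key, self.token, self.atc, amount_cents, merchant),
        }


def demo() -> dict:
    """Run the scenarios the article discusses and return the issuer's verdicts."""
    issuer = Issuer()
    key = b"constructed-per-token-key-not-a-real-secret"
    pan = "4111111111111111"  # constructed test PAN, never leaves the issuer
    issuer.provision(pan=pan, token="TOK-0001", key=key)
    wallet = Wallet(token="TOK-0001", key=key)

    first = wallet.pay(1250, "CAFE-42")
    results = {"genuine": issuer.authorise(first)}
    # The in-flight message never carries the real card number.
    results["pan_in_message"] = pan in str(first)
    # Replay: the same captured message presented a second time.
    results["replay"] = issuer.authorise(dict(first))
    # Tampering: captured message with the amount changed.
    results["tampered"] = issuer.authorise(dict(first, amount_cents=99999))
    # A fresh, legitimate payment from the device still works.
    results["next_genuine"] = issuer.authorise(wallet.pay(400, "KIOSK-7"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model only covers what the cryptogram is designed to cover: replay and tampering of a message captured in flight. It says nothing about the scenario Mr Britton raises later in the article, where the device itself is compromised and the key material behind the token is extracted or the device is impersonated; in that case the issuer would see correctly formed cryptograms, and detection has to come from elsewhere (device attestation, velocity and risk checks at the issuer).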

The Australian Federal Police on Thursday announced the arrest of 10 Australians, in three states, in connection with a criminal network selling online user fingerprints on the Genesis Market.

Investigators have identified 36,000 compromised Australian devices available for sale on the Genesis Market, with more than 600 reports to the federal government’s ReportCyber website that match stolen information sold on the dark web.

The American FBI, Europol and the Netherlands Police have been conducting a large-scale international investigation.

The AFP’s assistant commissioner on cyber command Scott Lee said Australians needed to be mindful about having their banking details sold on the dark web.

‘For a small cost, individuals with nefarious intentions could purchase a packaged dataset that would allow them to gain access to a victim’s government services and online banking,’ he said.

The Reserve Bank of Australia’s Financial Stability Review for April warned against complacency with online payments.

‘Recent operational and cyber incidents, both domestically and internationally, highlight the importance of financial market infrastructures continually assessing and improving their operational resilience and security,’ it said.

‘Cyber risk is one of the key risks facing the global financial system.’

Mr Britton said 3D imagery was already able to generate realistic photographs of people, pointing to deep fakes of former U.S. president Donald Trump and Australian media personality Richard Wilkins being arrested.

‘This is only the tip of the iceberg on what AI can do,’ he said.

‘If you look at AI, how it’s generating all these new photographs and all these new videos and even stealing people’s voices – now the deep fakes are to the point where they can actually make the mouth move the same, they can make the words coming out of the mouth sound identical to the person.’

Cyber criminals could also potentially teach AI how to be a better hacker than a human.

‘A black hat hacker who makes their millions illegally, they can actually teach that AI all of their own tricks that they know – the AI will improve on those tricks,’ Mr Britton said.

‘Because it’s learnt those tricks, it thinks up its own tricks and then they give it problems to solve like, ‘How do I steal every card in the country and how do I get to payments and how can I move the money around and not get caught?’.’

Then there is the issue of realistic silicon masks, available in China, that could be used to fool the facial recognition software on smartphones if a criminal was able to create a fake version of someone’s face using 3D printing.

‘It’s not too far off: they already have realistic masks that you can put on your face and you cannot tell,’ Mr Britton said.

‘The potential is there with 3D printing – it would be very difficult to do but it’s not impossible to happen.’

The payments industry described biometrics as ‘something you have’ but Mr Britton said even biometric tokens could be stolen and copied – from fingerprints to facial recognition – because this information had to be stored in a server.

‘They can still be stolen, they are not foolproof,’ he said.

‘It’s stored a copy of it somewhere, and whilst it’s stored usually very secure, the point is, if it’s there, it’s like a password hash – it can be stolen and it can be cracked.’

Apple designed the Wallet app so credit card details aren’t stored in a server or on the device itself.

But Mr Britton said a hacker could still potentially access details in the Wallet, even if this was extremely difficult.

‘Even if the device has pin codes and biometrics set to access apps, those details are stored somewhere on the device – usually encrypted – and it is possible to extract and crack those credentials,’ he said.

Devices can also potentially be cloned.

‘A device ID and details can be cloned and spoofed in order to impersonate that device,’ Mr Britton said.

‘If someone gains remote access to a device like a phone, they essentially have administrator rights to access any app they wish and exchange information with the device at will even if the device is not jail broken.’

Australians are increasingly using their smartphones to pay for goods with Reserve Bank data showing a third of in-person payments last year were made this way, with cash making up just 13 per cent of transactions.

Cards still make up two-thirds of transactions, mainly via the tap-and-go method, with a very small proportion of consumers still preferring to insert their card.

Cyber security expert disputes Australian Payments Network

ASSURANCE 1: Credit cards in a digital wallet are safe because they are not stored alongside a primary account number – the digits on a plastic card that’s in the app. ‘Cards stored in digital wallets operate differently, and those differences make them more secure, not less.’

REBUTTAL: ‘A device ID and details can be cloned and spoofed in order to impersonate that device. If someone gains remote access to a device like a phone, they essentially have administrator rights to access any app they wish and exchange information with the device at will even if the device is not jail broken.’

ASSURANCE 2: Credit cards in digital wallets store a token that represents a primary account number with each payment requiring a unique cryptogram that has to be verified with every transaction. ‘This cryptogram is checked by the card issuer’s systems, making replay attacks (where card data is listened to in-flight and then reused in a separate payment) impossible.’

REBUTTAL: ‘To say something is impossible in terms of hacking is music to a hacker’s ears because it suggests complacency and to the very best of black hat hackers, it issues them a ‘challenge’. The most secure facilities, agencies and departments have all suffered successful hacking attacks at some point.’

ASSURANCE 3: Credit card payments made by a digital wallet are more secure because they use biometrics – ‘something you are’ rather than just ‘something you know’.

They argue it’s a myth a transaction done offline is safer.

REBUTTAL: ‘A physical debit card is not connected to the internet. So for a hacker to attempt to steal the card details, they would need in person physical access or to physically skim the card.

With mobile devices, digital wallets and digital cards, they are all on devices that are connected to the internet. If the device is connected to the internet, then it can be hacked and a range of details and data stolen.’

ASSURANCE 4: It’s a common myth that a criminal has to stand close to someone and, using a skimming device, extract enough card data to make a counterfeit card or an online purchase. ‘Such mobile skimming devices cannot collect enough data from the card to clone a contactless card or complete an online purchase.’

REBUTTAL: ‘A criminal doesn’t have to stand right next to someone in order to skim their device. All that is needed is physical access to the device. This can be when someone leaves their phone lying around.

‘Card data is tokenised. If it is tokenised then there is a security risk that token can be stolen, copied and used to impersonate the user and their security credentials.’

ASSURANCE 5: Many Australians now prefer the security (and convenience) of digital payments, including those made through digital wallets.

REBUTTAL: ‘Cash is king, and as we move into this more advanced and connected world, advanced technology can be better utilised in creating physical cash money that is incredibly difficult to counterfeit.

They could have a system of exchange where for every digital dollar that exists, a physical dollar must exist somewhere for it.’

Source: Benjamin Britton’s response to an Australian Payments Network blog, April 4, 2023

***

Read more at DailyMail.co.uk.
