A false invoicing case involving more than 500 million yuan, prosecuted by Shanghai prosecutors, leads to an illegal face recognition cracking case

  "Face recognition cracking technology" has become a black-market industry, and "face protection" urgently needs its gaps found and fixed

  Our reporter Lan Tianming

  As an easy-to-use biometric verification technology, face recognition is currently widely used in industries such as government affairs, security, finance, and consumption.

However, a Xinhua Daily Telegraph reporter found that face recognition technology has obvious security loopholes that pose major risks to public safety and property, and that systematic security reviews and fixes are urgently needed.

  An invoice case leads to an illegal face recognition case

  The reporter learned from the Shanghai Procuratorate that, in a recent case handled by the Hongkou District People's Procuratorate in Shanghai, the defendant registered a "leather bag company" (shell company) by cracking face recognition technology and other methods, in order to falsely issue ordinary VAT invoices.

It is reported that multiple defendants falsely issued ordinary VAT invoices for others totaling more than 500 million yuan.

  In this case, the criminal suspect first registered the "leather bag company" through the relevant government affairs platform. Passing the platform's face recognition check of the registrant was the key to successful registration.

  To achieve this, group members who specialize in cracking face recognition said that they usually buy other people's high-definition portrait photos and ID information for 30 yuan each, and then process the high-definition photo with the "Live Photo" App to make the photo "move", producing a video of actions including nodding, head shaking, blinking, and mouth opening.

  "After acquiring the video, we use a specially processed mobile phone to 'hijack' the camera. During the face authentication process, the mobile phone camera will not be activated. The system obtains the previously prepared video. The system will think that I am in front of the camera, and I finally pass certification," the suspect said.

  At the same time, the group also cracked a facial recognition system widely used to manage electronic business license apps.

After the criminal suspect downloads the electronic business license, he will add the clerk's identity information in the App.

The false invoicing group then uses the electronic business license in the capacity of that clerk.

  According to the suspect's account, he cracked a wide range of apps, including apps with huge user bases in government affairs, security, finance, payment, and everyday consumer services.

The price per cracking order ranges from 25 yuan to 300 yuan.

  Face recognition systems of 19 mobile phones cracked in 15 minutes

  "Crack the face recognition system of 19 mobile phones in 15 minutes." The reporter learned that Ruilai Wisdom, the team established by the Institute of Artificial Intelligence of Tsinghua University, recently disclosed new research results: working from a single photo and using an algorithm, researchers made a pair of special "glasses" that can pass face unlock on another person's mobile phone or App identity authentication.

  The researcher told reporters that, wearing the self-made glasses, his team cracked the face unlock systems of 19 smartphones within 15 minutes through adversarial example attacks.

More than ten financial and government service apps were also cracked.

  Researchers said that, combined with personal information such as ID numbers, they can even pretend to be the owner of the phone to open an online bank account.

  In the "Face Recognition Technology" group, hackers become "honored guests"

  The reporter found that there are a large number of groups that provide services for cracking face recognition technology on the Internet, and most of the group names use keywords such as "face" and "recognition technology" to evade supervision.

The group size varies from 100 to 300 people.

  In a group called "Facial Recognition Technology", some people paid to recruit group members who could crack the face recognition review of payment software.

Hackers have become sought-after "honored guests".

  In addition, some groups share information and resources on cracking technology.

A group called "VX Three Colors Over Face" claimed to be "a handle for cracking face recognition technology" and "suitable for beginners and novices who want to enter the industry". There are as many as 300 people in the group.

  A user named "Blue Leaf" sent reporters a video of an App's face recognition security being cracked and said that he could sell a special mobile phone.

After a self-made facial motion video is imported, all the application software installed on the mobile phone can automatically skip the face authentication step.

The price of each mobile phone is 1,650 yuan.

  He also told reporters that fake facial action videos can be made using apps such as "You and Me Back then", "Live Photos", and "Easy Face Change".

  "We learned that some companies need to perform face recognition check-in for work attendance, and some employees entrust hackers to hack the check-in app and use face recognition loopholes to complete check-in. The hacker only needs to pay 30 yuan a month," the relevant person in charge of a network security company revealed to reporters.

  In the aforementioned false invoicing case, in addition to using cracking technology to issue false invoices, the criminal suspects also used newly registered accounts to fraudulently obtain various App subsidies and commit other crimes.

  Zhang Xudong, senior product manager of Ruilai Wisdom, told reporters that the current cracking of face recognition technology mainly takes the form of spoofing attacks against liveness detection, but the threat of adversarial example attacks against the AI algorithm itself has gradually become prominent.

  "Because the face recognition technology in the industry mainly fixes on several methods, the similarity is very high. If hackers provide an open source software dedicated to cracking face recognition and it is widely circulated on the Internet, criminals will use vulnerabilities to commit illegal crimes in various apps as if 'entering no man's land,'" Zhang Xudong said.

  In the opinion of Cao Liang, a security expert at New H3C Group, whether it is an adversarial example attack or a spoofing attack against liveness detection, the ultimate goal is to deceive the "machine eye."

  "Current face recognition algorithms are mostly based on the recognition of 'three points, five points, seven points' on the face, and authentication is achieved through the activities of the eyes, nose, mouth, ears and head. Hackers can fully understand the machine's internal verification mechanism and judgment rules, and then find a way to bypass the security protection," he said.

  Find and fix the gaps promptly, and make every face "safe"

  Experts believe that relevant vulnerabilities in core App applications in the fields of domestic government affairs, security, finance, payment, and consumption should be eliminated as soon as possible, and patches should be applied in time to prevent major incidents that endanger social security and property security.

  Carry out software and hardware "confrontation upgrade".

Zhang Xudong said that the top priority is to remediate and upgrade against the face recognition technology vulnerabilities in government affairs, security, finance, consumer and other industries.

  "Especially for stakeholders, confidentiality, and public interest related platforms and technical service providers, it is necessary to give priority to completing technical reinforcement, and to prevent and reject mobile phone simulators. At the same time, encourage and guide more mobile phone manufacturers to support 3D face recognition technology when upgrading," Zhang Xudong said.

  "Mobile phone manufacturers can have built-in security modules when writing mobile phone systems to prevent hackers from bypassing the mobile phone camera activation link, hijacking the camera, and achieving security at the source." Cao Liang said.

  Formulate and implement safety standards for face recognition.

Cao Liang said that for products that use face recognition technology in core areas, the regulatory authorities can formulate and strictly implement relevant standards to ensure that products meet safety technical requirements.

  "According to the differentiated requirements for security in public or commercial applications of face recognition, we can formulate hierarchical and multi-level national security standards and industry security standards." He said.

  Strengthen judicial crackdowns and protect every "face".

"Offenders may be suspected of damaging computer information systems. Law enforcement and judicial organs should strengthen their crackdowns to form a deterrent." said Guo Yutao, a partner of Beijing Gefeng Law Firm.

He said that major government affairs, finance, e-commerce and other platforms have currently collected a large amount of face data, which involves not only duplicated construction but also security risks.

At the national and provincial levels, a unified commercial security big data center can be established to prevent the abuse and leakage of facial information.

  "The models of face recognition algorithm suppliers may be required to be trained in the big data center, so that the data and models cannot be physically connected to the private network. Algorithm suppliers can rent the data and computing power of the big data center to upgrade and update the algorithm model," he said.