When the banner's face recognition system is broken

not

The protection capacity of banks is related to the security of the depositors

Li Hong (pseudonym) never expected that the scammer stole nearly 430,000 yuan from her Bank of Communications card, such as no one.

If you want to transfer it from the Bank of Communications card, users need to perform face recognition on the mobile banking app and verify SMS. Li Hong was caught in a trap of the scammers. Her mobile phone text message was intercepted, and the mobile phone number was set up to transfer, making her verification code fall into the hands of others, and could not answer the bank's confirmation call.

What's more, "face recognition" was broken. The background of the banking system shows that when the password is reset and large transfer, "Li Hong" has performed six face recognition comparison, all showing "successful biopsy".

Those face recognition was not operated by Li Hong, who was in Beijing, and the IP address of the login was displayed in Taiwan. When Li Hong himself logged in to the mobile banking, the money of Cari had been transferred away. She went to the police station to report the case, and the police quickly determined that she had encountered telecommunications fraud and filed a case for investigation.

Since it is not my own operation, why can I still "succeed in biopsy"? Li Hong suspected the security of the Face recognition system of the Bank of Communications, and brought the Bank of Communications to court on the grounds of "deserted card dispute" to ask for compensation.

Figure/IC

On June 30, 2022, the People's Court of Fengtai District, Beijing, rejected all Li Hong's demands in the first instance. She is going to continue appeal.

Everyone has only one face. Because it is not easy to imitate, face recognition is considered to have high security. In recent years, it has been commonly applied to bank verification to ensure capital security. But what exceeds ordinary people is that the human face has a unique biometric information and is a sensitive personal information. It is exposed under the ubiquitous camera and is easy to obtain. It is not uncommon for the case where the face recognition system is not mature today, and it is common for cases to deceive the audit system with synthetic activities.

Experts who have been paying attention to personal information protection for a long time are full of worry about the abuse of face recognition. Lao Dongyan, a professor at the Law School of Tsinghua University, pointed out that from the reasonable setting of the institutional framework, the party who creates more risks and obtain more income should bear more risks and responsibilities. As a participant in risk manufacturing, banks also benefit more in this way, and they should bear the risk liability for proportional to its gains. "

She also pointed out that with the development of artificial intelligence and the higher technological content of fraud, banks should keep pace with the times, so that their security technology exceeds criminal methods. If the bank is responsible for the vulnerability of face recognition technology, it will help to urge banks to block technical security loopholes and prevent the crime of fraud.

He was deceived 429,000 yuan

From the moment he connected the phone, Li Hong was caught in a fan of "assisting the case". It was 10:30 am on June 19, 2021. The person who claimed to be "Police Officer Chen Jie of the Beijing Public Security Bureau" told Li Hong that her passport was suspected of illegal entry in Harbin, and let her go to Harbin City The Public Security Bureau reported the case. The other party easily reported Li Hong's ID number, which made her start to believe in the "police officer" on the phone.

Li Hong was transferred to the "Police Officer Liu" of the Harbin Public Security Bureau. The other party told her that she was suspected of "Li Yan's anti -money laundering case" and asked her to log in to a website to view the "official document". After Li Hong login the website provided by the other party, Li Hong found that on a "wanted announcement" on a blue background, he printed his ID card photos, ID number and other household registration information.

This caused her to panic, because in her ordinary cognition, this information can only be obtained only in the public security. Next, she conducted the command of "Police Officer". According to the instructions, she downloaded the "Public Security Protection" software and video conference software from the website.

"Public Security Protection" is a "Li Gui" mobile phone software commonly used by scammers. Its design imitates the "National Anti -Fraud Center". If the victim enters a bank card and password in it, the scammer can obtain this information in the background.

Although "attention" is an ordinary video conference software, it provides a shared screen function. At the request of "Police Officer Liu", Li Hong shared his mobile phone screen to the other party through "attention", so that she had mastered the type of app she installed. The mobile phone number sets the call transfer and cannot receive SMS and telephone.

The easiest to be ignored is "face -to -face". The other party told Li Hong that in order to verify that she was operating, she had to open the conference mode through "attention", so Li Hong's face information was easily exposed to the other side. This has also become a key part of the other party's implementation of fraud.

Li Hong never hung up the phone, and "Police Officer Liu" deliberately made her isolated from the outside world. At 13:46 pm, according to the requirements, Li Hong rushed to the Changxin Store Sub -branch of the Bank of Communications and issued a debit card. The bank's card opening record shows that Li Hong reserves his mobile phone number and allows the debit card to transfer the card through three ways of "online banking, mobile banking, and self -service equipment". Among other functions, she chose "small amounts to be free to open."

This means that she still needs to be verified when she conducts transfers within 50,000 yuan. In addition, Li Hong also set up a transfer limit, which can only transfer 50,000 yuan per day.

In the process of applying for a debit card, the Bank of Communications issued the "Beijing Public Security Bureau to prevent telecommunications fraud security reminder form" to Li Hong. In this prompt, it states that the type of business is "opening online banking or mobile banking", and reminds her that there may be those who pretend to be a public prosecution law to inform her of involving the case and ask her account to transfer it to the other party. Or tell the online banking password. Li Hong signed on this prompt. Li Hong's just debit card, this card was controlled by the scammer. The bank background showed that at 13:51 on the same day, after 15 minutes of the card, some scammers were reset and verified by face recognition, and reset the username and password of Li Hong, and logged in to her mobile banking. However, Li Hong didn't know this. She was transferred to all savings to the card in accordance with the requirements of "Police Officer Liu" to "investigate personal property", and all cash obtained by loans.

The transaction record shows that from 14:06 to 14:09, Li Hong transferred 5 to 5 to 250,000 yuan, 14:11 and 14:13, and then transferred to 50,000 yuan in two strokes. At this time There are 300,000 yuan. In just a few minutes, 14: 20 scammers transferred the 300,000 yuan through the mobile banking of Li Hong. Since then, at 14:30, Li Hong was remitted with 129,000 yuan to Kane, and the money was transferred out at 14:40. At this point, the scammer transferred 429,000 yuan in Li Hong.

After the scammers mastered Li Hong's "face recognition+dynamic password", she logged in to her mobile banking by modifying the password. Since then, she will be unaccompanied. Even if Li Hong sets the limit of 50,000 yuan per day, It was also easily modified after the scammers logged in, and then each large transfer also passed the "face recognition+dynamic password" verification.

The Bank of Communications Beijing Changxin Store Sub -branch responded in the court that "transaction passwords, dynamic passwords, and customer identification mode of assistant face recognition" meet the regulatory requirements, and during the process of Li Hong's transfer After sending a SMS password, SMS risk prompt to her, and found abnormalities in the internal system big data analysis, Li Hong's mobile phone was called to verify the transfers and transferred transfers.

However, Li Hong said that for the bank's call sends 22 SMS passwords and SMS risks, she received only 11 of them, and she did not receive the call from the bank. The reason behind this was that her text message was intercepted by the scammer, and the call called to the scammer's mobile phone.

The call recording provided by the bank shows that at 14:23 on the day, when the scammer was transferring the 300,000 yuan in the Li Hong's bank card, the bank customer service dialed the mobile phone number reserved by Li Hong and asked if the other party was Li Hong himself. , Whether the transfer of the transfer, the information of the receipt, the relationship with the receipt, the use of the transfer, etc., the per capita recognition of the call is the operation of myself, and also said that it is a friend relationship with the payee.

At 16:00 in the afternoon, Li Hong noticed the abnormal attitude of "Police Officer Liu". She logged in to the mobile bank for the first time with her mobile phone on 16:39, but found that the money had been stolen. She realized that she was deceived and went to the police station to call the police. And contact the bank to report to the bank card.

The call recording issued by the bank showed that from 17:08 to 17:25 that day, the bank dialed the mobile phone number reserved by Li Hong three times. But later denied that he was Li Hong, saying that the customer service was "wrong."

Bank background records showed that the scammer's "fake face" 6 operations showed the success of the biopsy results. Photo/Interviewee provided

The strange "biopsy successful"

The police tracked that between June 19, 2021 between 13:51 and 14:42, the IP address of Li Hong's mobile banking login was in Taiwan. The device used was Motorola XT1686. At that time, Li Hong was in Beijing. The model is Xiaomi 8.

Bank background records show that Li Hong's debit card has 7 operations involving face recognition on June 19, all showing the successful recognition. Among them, one application for the debit card and once the login password is reset. 5 The second is a large amount of transfer. Except for the first time, the "biopsy results" were successful in the last 6 operations.

Li Hong did not operate himself. Why did the 6 "biopsy results" successful? Li Hong's husband Ma Yue (pseudonym) has worked in the financial system for many years, and he has become the agent of his wife sued the Bank of Communications. He told "China News Weekly" that the bank's "face recognition+SMS verification code" verification model set. The essence of its essence is to ensure that the user himself operates the transfer. From the account to money, banks shall bear the responsibility of inadequate protection.

"This is like this. I originally agreed that I needed to go to the bank to transfer money. Now that others are faked to the bank, the bank does not find it, so the loss caused should not be completely borne by me." He believes that the relationship between banks and store households should be It is a debt relationship, and the bank is deceived and should not be allowed to bear all responsibilities.

Li Hong asked the bank to compensate for the deposit loss after the "debit card dispute" as the case was prosecuted, but the Beijing Fengtai District People's Court rejected her appeal in the first instance.

The court believes that Li Hong was "obvious" during theft of 429,000 yuan. As a instruction payment party, the Bank of Communications has identified the identity of the user through multiple login passwords, verification codes, and face recognition. Error or fault. Ma Yue believes that Li Hong has just applied for a debit card in Beijing, and then the scammer of the IP address in Taiwan can log in with different devices and frequently operate a large amount of transfer. Such an unusual operation, the bank should have identified transfer transfer transfer transfer transfer Non -stored households themselves.

Li Hong's encounter is not alone. As early as October 2020, Ms. Zhao in Zhejiang encountered the same scam, and her experience was reported by local media in Hangzhou. Ms. Zhao told that when a criminal video with the fake police, the other party asked her to do "open mouth", "blink", "shake her head" and other actions, and suspected that she had cheated the bank's face recognition system through video.

After contacting Ms. Zhao, Ma Yue contacted 4 the same deception. Six of them encountered the same fraud routine, involving the amount of more than 2 million yuan.

These six victims are women, and the latest time of deception is October 2021. They all live in the metropolis and have a certain level of knowledge. Many people have graduate degree, and some are lawyers.

The Face recognition service provider of the Bank of Communications is Beijing Eye Eye Technology Co., Ltd. (hereinafter referred to as "Eye Technology Company"). Founded in June 2016, the company's founder, chairman and CEO Zhou Jun had publicly stated that the "biological password" he studied made "wherever the user goes" and "only available".

According to its official website, Eye Technology is an AI enterprise in the financial industry earlier in the industry who introduced biometric technology such as fingerprint recognition, face recognition, and iris recognition. , China Construction Bank, Bank of Communications, Postal Savings Bank, China Merchants Bank, Minsheng Bank and other nearly 150 banking institutions. The customer coverage rate reaches 80 %. Comprehensive coverage.

In September 2020, Eye Technology Company announced the winning identification project of the Bank of Communications, providing face recognition products to the Bank of Communications. "".

After Li Hong and other women were reported to the case in September 2021, the Bank of Communications announced the suspension of face recognition. Soon after, Ma Yue found that the Bank of Communications mobile banking system was upgraded and upgraded. However, in October of this year, a bank account of a victim was still broken by the fake face.

At present, in the Bank of Communications Mobile Banking User Agreement, Face recognition technology provider is still eye -catching technology company. The reporter contacted the company on the matter, but the other party did not give a reply.

Who should the board be hit?

The face recognition system is broken, is there any responsibility for banks? Guo Bing, an associate professor at the School of Law and Government of Zhejiang University of Technology, told China News Weekly that in the case of Li Hong, the focus was that the face recognition system was easily broken by the scammer.

Guo Bing has long paid attention to the safety of face recognition. He believes that Li Hong's face information may be imitated by the scammer. "The scammer has mastered her face information and can generate dynamic face information through technical means." He said that there is a human face activation software that can analyze the face information in the photos and videos, and generate a "false face" for people to control people to deceive the face recognition software.

"Our face recognition technology cannot be perfect." He proposed that with the development of artificial intelligence, face recognition software and cracking activation software are developing. We must beware of "one foot high one foot high."

In fact, face recognition technology that is widely used is sometimes unexpectedly difficult to crack. Guo Bing said that in 2019, several elementary school students in Zhejiang used photos to solve the courier cabinet of the residential community and easily remove the express delivery of others. In October 2021, the student team of Tsinghua University successfully unlocked 20 mobile phones with face photos alone.

"The photos of the face are too easy to get." Guo Bing said that if the face recognition system can be unlocked with photos, it may indicate huge hidden dangers at the moment of the camera.

"Now that telecommunications fraud is very rampant, the means of stealing face information is endless, and it has also brought challenges to the face recognition system of the bank." Guo Bing said that recently, the academic community has also started research on activating software. Essence

He is even more worried that with the development of technology, criminals may have mastered the photos, and they can "activate" the dynamic face and deceive the face recognition system.

The protection capacity of banks is related to the security of the depositors. Guo Bing believes that higher requirements should be made for the bank's face recognition system.

At the legislative level, the protection of face information is gradually strengthening. A few months after Li Hong was scammed, the "Personal Information Protection Law" officially took effect, which highlighted the special protection of biometric information as sensitive personal information. Risks, and individual consent should be obtained. "

According to Lao Dongyan, a professor at the School of Law of Tsinghua University, banks generally have the phenomenon of compulsion of the facial information of the store. She said, "At least for my personal experience, go to the bank to handle deposits and other businesses, face recognition is made under compulsory. Although the "Personal Information Protection Law" strengthened the protection of face information, this strengthening is actually only reflected in the links that solicit consent. There is almost no difference between other places and ordinary personal information. threshold.

Therefore, she insisted that the National People's Congress and its Standing Committee need to consider separate legislation on biometric information, and should not be protected on the framework of the Personal Information Protection Law.

She also mentioned that Li Hong's "Beijing Public Security Bureau's Prevention of Telecom Fraud Security Tips" prompts that the "Beijing Public Security Bureau's Prevention of Telecom Fraud" when he was required to sign a card. Essence

In her opinion, this prompts to prevent all kinds of fraud cannot play a substantial role. When the storage households are scammed, they may have the effect of letting banks pass on responsibility.

"Preventing and cracking down crimes should have been assumed by the state, banks and relevant units, and now they are increasingly passed on to the individual as a victim." She pointed out that "too much to let the weak bears risks is not fair." Essence

La Dongyan believes that to prevent such fragments, it is important to re -consider the issue of reasonable allocation of risks at the level of institutional framework. She said, "Risk is related to responsibility. In principle, the risk of manufacturing should bear it."

She pointed out that the promotion and risks of face recognition are actually manufactured by technology companies and banks. Among them, banks have gained more benefits brought by technology than storage households. "Who has benefited the greatest benefit? Who should bear the risk of proportional benefits. "

"In addition, it should also consider factors in preventive capabilities and prevention effects, and who is the best to hit the board on?" In her opinion, the bank's prevention capacity is much stronger than that of stores. The losses caused by the risk caused by the face recognition of the face or in proportion will help urge banks to carefully collect and protect the information of households, and strengthen the security technical guarantee of the face recognition system.

"The technical guarantee of the bank's face information requires more than the general criminal means. Otherwise, the bank should not collect and use the face information of the households." She said.

Send 2022.7.18 Total Issue 1052 "China News Weekly" magazine

Magazine title: When the banker's face recognition system is broken

Reporter: [email protected])

Capture: Wang Lin

- END -