Whenever biometric data such as fingerprints or faces is leaked, the consequences are unimaginable. After all, behind every biometric feature is the confirmation of a person’s actual identity.

Editor’s note: This article is from WeChat public account “CV Intelligence” (ID: CVAI2019), author Han Jinglian, Editor Zhang Lijuan.

Recently, at the Hangzhou Creation Festival, a domestic company showed a live-stream video of Li Jiaqi selling products. However, this live broadcast was made not by Li Jiaqi himself but by AI. The AI technology was used to synthesize Li Jiaqi’s image, matched with his well-known catchphrases, to present eye drops and instant noodles live.

Although the official statement emphasizes that this synthetic video was authorized by Li Jiaqi and that the technology is not available to the public, the growing variety of AI products that synthesize faces and even whole persons means that panic over leaks of personal privacy is slowly emerging.

A few days ago, at the National Cyber Security Publicity Week Full Experience Day in 2019, Zhang Wei, deputy director of the Shanghai Information Security Industry Association, reminded the public of the risk of leaking fingerprint information, prompting heated discussion among netizens.

He said that from a photo of a “scissors hand” (V-sign) gesture taken within 1.5 meters, the subject’s fingerprint can basically be restored 100%; from photos taken at a distance of 1.5 to 3 meters, 50% of the fingerprint can be restored.

Some netizens even bluntly said, “People’s fingerprints will not change throughout their lives. Once they are leaked, they will be leaked forever. Therefore, I don’t dare to use digital products with fingerprint security flags on the market.”

Is it true that fingerprints can be stolen from a scissors-hand photo? Is biometrics really a privacy-leak minefield that justifies panic? Behind the netizens’ heated debate is the tension people face between giving up security and giving up privacy.

Theoretically feasible, hard to do in practice

In this regard, Liu Zheng, the chairman and founder of Tuzheng Technology, explained to CV Intelligence that extracting fingerprints from scissors-hand photos is theoretically feasible but difficult in practice.

One of the reasons it is hard to do is the technical threshold.

He pointed out that current fingerprint identification has a problem with changes of scale, which means that fingerprints taken from a scene must be copied at a 1:1 ratio. This requires professional extraction technology, extraction equipment, copying equipment and so on, and if a scissors-hand photo is processed, deformation must also be taken into account.

A biometrics expert told CV Intelligence bluntly that such high-threshold criminal activities are generally aimed at higher-value targets, and the chances of ordinary people having their fingerprints stolen are smaller.

But a technical threshold does not mean absolute safety.

“When you design these fingerprint identification product systems, you only need to design it in a secure dimension, so that the attack time cost and attack difficulty of the criminals can be attacked to a certain extent. Security is a question without boundaries.”

Zheng Jianhua, an academician of the Chinese Academy of Sciences, told the media that the current fingerprint identification security chain is not complete enough.

Last year, an article and video on the Internet, “A piece of orange peel can open your mobile phone fingerprint lock, and you can transfer money”, attracted the attention of netizens.

A user’s fingerprint touch button cracked after the phone fell to the ground. After that, other people could use their own fingerprints to unlock his mobile phone and pay for anything with it.

According to a test by a technician from a technology company in Suzhou, the key to defeating the fingerprint verification lay in the pattern on the fingerprint touch key. In fact, the information received by the fingerprint sensor reflected the conductive coating on the fingerprint key, not the fingerprint of the owner’s finger. When a fingerprint comparison is performed, verification passes as long as some of the information is the same.

As long as the pattern on the fingerprint touch key is in front of the finger, the software system receives an image composed of these patterns. “It receives this picture, the authentication is also a picture.” The crack itself forms some patterns on the sensor surface; once the user has covered the crack and successfully unlocked the phone several times, others can then unlock it at will.

A technician at a fingerprint identification company told CV Intelligence that exploiting software vulnerabilities in fingerprint identification systems is a more effective way to defeat fingerprint identification.

Liu Jun pointed out that the industry has two ways to improve biometric security. One is to make biometric information harder to obtain, for example by developing bone recognition, vein recognition and similar products; this biometric information is not on the body’s surface and cannot be obtained from an ordinary photo, residue on a cup and so on. The other is to make forgery harder, for example by adding live fingerprint detection technology or raising the difficulty through 3D face recognition.

In addition to the increased security of the product design itself, how do people avoid privacy breaches?

Besides not providing your fingerprints to strangers, not enrolling your fingerprints on untrusted devices, and not posting photos that contain your fingerprint information on the Internet, Liu Jun also suggested wiping the surface of the sensor with your hand after using a fingerprint lock or phone. Through this action, the fingerprint image will be completely blurred and will have no extraction value.

Not only scissors hands

This is not the first time the security of biometrics has been questioned.

With the development of technologies such as computing, optics, acoustics, biosensors, and biostatistics, it is becoming more common to use the inherent physiological characteristics of the human body, such as fingerprints, faces, and irises, and behavioral features such as handwriting, voice, and gait, for personal identification.

The most widely used ones are fingerprint recognition and face recognition.

Fingerprint recognition is not new. It was applied in attendance, access control, safes and other fields many years ago. With the launch of the iPhone 5s, fingerprint recognition entered a period of rapid development.

The original mobile phone lock solution was to set a power-on password, usually a 4-digit or 6-digit code. After that, pattern unlocking became popular. Compared with the power-on password, the probability of pattern unlocking is higher. After the iPhone 5s, fingerprint unlocking gradually became standard on all types of mobile phones.

Use cases for fingerprint identification have been explored further, and it is now widely used in various identification channels, such as fingerprint payment and fingerprint locks.

But in May 2019, when the China Consumers Association conducted a comparative test of 29 mainstream smart door lock products, it found that 48.3% of the samples had security risks in password unlocking, 50% of the samples had security risks in fingerprint unlocking, and 85.7% of the samples had security risks in unlocking by information identification card.

Starting in 2017, the focus of biometrics turned to face recognition: face unlocking on mobile phones, paying by face, face-based ticket checks at train stations and airports, and face recognition to confirm identity at banks. Now there are more and more entertainment uses as well, such as the face-swapping app ZAO, which went viral some time ago.

In its app agreement, “ZAO” requires that rights to the user’s face photo be “completely free, irrevocable, permanent, transferable and re-licensable”. This means that once users upload photos to ZAO, ZAO can not only freely use and modify their portraits but also authorize them to any third party it chooses or sell them as information, permanently and irrevocably.

If this data is used by people with ill intent, it is very likely to become a new criminal tool. The elderly in particular, who are less able to tell the difference, could easily be defrauded of money by criminals disguised as their “children” or “relatives”.

At present, many colleges and universities are promoting a “face-scanning era”, and face-based access control, paying by face in the canteen, face recognition attendance and so on have also been questioned. Some time ago, a video surveillance image bearing the “MEGVII” icon that tracked students’ learning status on campus also drew heated attention on the Internet, and online criticism of monitoring students in the classroom through face recognition was strong.

This is similar to the ZAO controversy: technology brings efficiency and more entertainment, but the premise is that it must be defined which data is private and which data is open.

Every time biometric data such as a fingerprint or a face is leaked, the consequences are unimaginable. After all, behind every biometric feature is the confirmation of a person’s actual identity.

Future: Technology Convergence, Faster Legislation

Privacy issues do not mean that people should give up security locks for fear of the risks, but how will locks develop in the future?

“Convergence” is the approach CV Intelligence heard most often while talking with industry professionals.

For example, when the user returns home and comes within two meters of the door, the face recognition system starts. After the face recognition succeeds, the fingerprint recognition sensor lights up, and the user simply presses a finger to unlock. Although the whole process is as simple as, and feels no different from, fingerprint identification alone, multiple authentications have been performed along the way.

Current mobile payment systems, which are closely tied to the security of everyone’s property, require multi-factor authentication. They do not identify people simply on the basis of fingerprints or passwords.

But Liu Jun also said that in the years before biometrics, security and convenience were always in conflict. Since the emergence of biometrics, the core achievement has been to solve the problem of convenience while also taking security into account. Now everyone wants things to be lazier rather than more complicated, so once more problems in the security chain have been solved, a single biometric technology will still be the mainstream.

It may also lead to more novel biometrics, such as using each person’s unique eye movements for identification; a mobile app based on ear recognition, with which the user is identified by holding the phone against the ear and cheek; the Nymi wristband with heartbeat recognition technology…

In addition to technology, product design, and user self-defense, legislation is another protective measure.

For example, Illinois and Texas have passed biometrics laws that require companies and individuals that collect and use face recognition data to follow a basic set of privacy agreements. These include obtaining informed consent before collection, specifying data protection obligations, limiting retention, and prohibiting profit from biometric data.

China has also begun to explore data-related legislation. The “Data Security Management Measures (Draft for Comment)” issued by the National Internet Information Office in May this year state: “If the collection and use rules are included in the privacy policy, they should be relatively concentrated and clearly indicated for easy reading. In addition, network operators may collect personal information only after users have learned the collection and use rules and expressly agreed.”

This still has a long way to go.