bne IntelliNews – Security of Russian biometric data system questioned

Experts have questioned the security of Russia’s United Biometric System (UBS) which aims to become a major identification tool for banks and other financial institutions.

The system may not be able to protect users’ personal data in light of the arrival of sophisticated technologies for photo, video and voice tampering, according to some participants at the International Banking Forum, which was recently held in Sochi.

Contrary to assurances from the Central Bank of Russia (CBR) regarding the security of the system, experts say hackers are likely to steal anyone’s identity within a year or two, regardless of the use of biometric identification systems.

UBS is a joint project of CBR and leading telecommunications operator Rostelecom to collect citizens’ biometric data and use it for the identification of users of financial services. From 2021, all Russian banks were expected to adopt UBS. At the end of May, the system had around 200,000 users, but it has not yet been actively used.

Speaking at the banking forum, Natalia Kasperskaya, chairman of the board of directors of the association of software developers Local Soft, said the use of biometrics could lead to security concerns as data could be leaked internally, even if they are protected from external hacks.

According to Kasperskaya, Deepfake technologies are getting more and more sophisticated, allowing hackers to tamper with a person’s photo, video and voice, and there is no protection against this. Therefore, she urged, authentication systems based on biometric data should be avoided.

Vadim Uvarov, head of the information security department at CBR, insisted that to date, no major incidents involving Deepfake technology have been detected at UBS.

However, an anonymous source from a major Russian bank was cited by the Kommersant daily as saying that the system has not yet been used because customers do not understand how to use it.

According to the Russian regulator, UBS is sufficiently protected against various possible threats, including Deepfake, and biometric data is stored separately from all other personal data, which facilitates an additional level of protection.

But experts remain skeptical. Yevgeny Tsarev, head of the RTM group, told the Sochi banking forum that as soon as biometric data began to be actively used, hackers could find a way to break into the system.

“Forgeries like this could be used for blackmail, attacks involving social engineering and other malicious purposes,” he said, adding that the technology was developing rapidly and hackers would likely be able to create biometric samples identical to those stored in UBS in the near future. Tsarev predicted that within a year or two, hackers could steal identities based on biometric data by executing a transaction on behalf of a victim.

Other experts are less categorical, but still warn against the use of biometric identification.

Alexander Bulatov, commercial director of uSIEM, said that in order to steal someone’s identity, a hacker must have access to a potential victim’s smartphone, which in ordinary situations would not be worth it. However, hackers could specifically target people they know have large sums of money in their bank accounts, and those customers should instead avoid using biometric identification.

Finally, no matter how secure the biometric data system is, there are other potential ways to attack banks and customers.

“A hacker could attack the infrastructure of a bank and submit a false invoice during the last step of processing a payment, when the biometric identification has already been validated”, explains Dmitry Kuznetsov, director of methodology and standardization at Positive Technologies.

Or, he concludes, a fraudster could simply call a customer, posing as a bank security guard, and ask them to transfer funds to a “reserve” account.
