Biometric Authentication: Still Not Ready For Prime Time

To combat widespread financial fraud, the Bank of Thailand announced a policy change in March 2023 that all Thai financial institutions must forgo email and SMS verification and instead use facial recognition for any major actions from customers, such as opening a new account, adjusting a daily transfer limit, or initiating a transaction of more than 50,000 baht.

The intent was to safeguard customer accounts against cybercriminals.

However, just three months after it began, even this increased security measure was jeopardized.

A new malware, "GoldPickaxe," was developed by a large (but unidentified) Chinese-language group and was soon seen on iOS and Android devices, masquerading as a government service app. The app delivers a sophisticated banking Trojan that tricks people into giving up their personal IDs, phone numbers, and face scans, which it steals to later log into those victims' bank accounts. The Trojan has so far targeted elderly victims, tricking them into scanning their faces into the app; the attackers then use deepfake technology to bypass the Bank of Thailand's cutting-edge biometric security checks.

The malicious app seems to be highly effective for two reasons: deepfake technology has caught up with biometric authentication mechanisms, and most users have not realized that yet. Nate Nelson, "iOS, Android Malware Steals Faces to Defeat Biometrics With AI Swaps" (Feb. 15, 2023).

Given the increasingly quick response from cybercriminals to new defense strategies, relying on one exclusive system or technique to defend an organization's network should be reconsidered.

For many years, a multi-layered approach was considered critical to secure a network. That approach may still be the best, even as individual elements of that multi-layered approach become more sophisticated and challenging.

Biometrics will be important, but they are not foolproof, as the above account makes clear. If a person is social-engineered into giving up their biometrics, their accounts are at risk.

Using two-factor authentication, whether through a phone authenticator app, a text message, a physical security key, or a Bluetooth, USB, or NFC device that authenticates the login, remains the best practice.
