Facial Recognition Fraud in China
In January 2021, the Shanghai People’s Procuratorate charged two Chinese citizens with facial recognition fraud. Wu and Zhou have been defrauding the tax authority’s identity verification system since 2018 and falsifying invoices, according to the South China Morning Post.
Method of the Fraudsters
To bypass the system, the fraudsters purchased high-quality photos and fake identities on an “online black market” common in China. The cost for such fake identities ranges from 30 to 250 yuan ($5-38), according to an investigation by The Xinhua Daily Telegraph. Additionally, hacking services are available that can bypass both public and private systems that collect this data.
Wu and Zhou processed their photos using deepfake apps, which can “animate” the uploaded image and turn it into a video. This makes it appear as if the faces are nodding, blinking, moving, and opening their mouths. Such applications are often available for free download.
Special Equipment
For the next phase of their plan, the fraudsters purchased specially configured smartphones. In these devices, the front camera does not activate during facial recognition; instead, the system receives a pre-recorded video that is recognized as a live image. These modified phones cost about $250.
With this setup, the fraudsters registered a shell company that could issue false tax invoices to customers. In just two years, they earned a staggering $76.2 million.
Data Protection in China
Biometrics are widely used in China for confirming payments, verifying identities when applying for government services, and more. However, with the development of this technology, data protection has become one of the major concerns in the country, according to the SCMP.
Law enforcement agencies struggle to deal with insiders and intermediaries who collect and sell data.
Starting May 1, 2024, a new law will take effect in China that limits the “excessive” collection of personal data. Authorities have drawn up a list of minimum required data for 39 categories of applications. For online shops and product deliveries, for instance, only a phone number, recipient’s name, address, and payment information are needed. Additionally, the government has prepared a bill imposing fines of up to 50 million yuan or 5 percent of a company’s annual revenue for data leaks or unlawful collection of personal information.
Biometrics in Identity Verification
In the digital age, there are strict measures for protecting personal data, but potential risks remain significant. Despite the implementation of security measures such as storing personal information on separate servers and encrypting data, no solution is completely secure. The danger is real, especially when one individual or a small group can access millions of accounts.
Biometrics undoubtedly offer convenience but cannot compete with a complex password. Strong passwords are often harder to crack than biometric data. Moreover, using two-factor authentication can significantly increase the level of protection, further enhancing the security of personal information.