Security of Russia's biometric data system questioned

Security of Russia's biometric data system questioned
By bne IntelliNews September 22, 2021

Experts have questioned the security of Russia's united biometric system (UBS) that aims to become a major identification tool for banks and other financial institutions.

The system may not be able to protect users' personal data in light of the arrival of sophisticated tech for photo, video and voice faking, according to some participants of the International Bank Forum, which was recently held in Sochi.

In contrast with the Central Bank of Russia's (CBR) assurances of the system's security, experts say that hackers are likely to be able to steal anyone's identity within a year or two, regardless of the use of biometric ID systems.

UBS is a joint project by the CBR and major telco operator Rostelecom aimed at the collection of citizens' biometric data and using it for identification of financial services' users. As of 2021, all Russian banks were supposed to adopt UBS. In late May, the system had about 200,000 users, but it hasn't yet been actively used.

Speaking at the banking forum, Natalia Kasperskaya, chair of the board of the association of software developers Local Soft, said that the use of biometry could lead to security issues, as data could be leaked internally, even if it is protected from outside hacks.

According to Kasperskaya, Deepfake technologies are getting more and more sophisticated, enabling hackers to fake a person's photo, video and voice, and there is no protection from that. Therefore, she urged, authentication systems based on biometric data should be avoided.

Vadim Uvarov, head of the information security department at the CBR, insisted that so far, no major incidents involving Deepfake technology have been detected in UBS.

However, an anonymous source at a major Russian bank was quoted by Kommersant daily as saying that the system has hardly been used yet, as customers don't understand how to use it.

According to the Russian regulator, UBS is sufficiently protected from various possible threats, including Deepfake, and biometric data is stored separately from all other personal data, facilitating an extra level of protection.

But experts are still sceptical. Yevgeny Tsarev, head of RTM Group, told the Sochi banking forum that as soon as biometric data begins to be actively used, hackers will be able to find way to break into the system.

"Fakes of that kind could be used for blackmailing, attacks involving social engineering and other malicious goals," he said, adding that technology is developing rapidly, and hackers are likely to be able to create biometric samples identical to those stored in UBS in the nearest future. Tsarev predicted that within a year or two, hackers would be able to steal identities based on biometric data by running a transaction on a victim's part.

Other experts are less categorical, but they still warn against the use of biometric identification.

Alexander Bulatov, commercial director of uSIEM, said that to steal someone's identity, a hacker needs to get access to a potential victim's smartphone, which in ordinary situations wouldn't be worth the trouble. However, hackers could specifically target individuals who they know have large amounts of money in their bank accounts, and such customers should rather avoid using biometric identification.

Finally, regardless of the security of the biometric data system, there are other potential ways to attack banks and customers.

"A hacker could attack a bank's infrastructure and submit a fake invoice in the final stage of a payment's processing, when biometric identification has already been passed," says Dmitry Kuznetsov, methodology and standardisation director at Positive Technologies.

Or, he concludes, a fraudster could just call a customer, impersonating a bank's security officer and talking them to transfer funds to a "reserve" account.

Related Articles

Russian tycoon Usmanov exits VK internet major, Gazprom-related firms get 46%

USM Holdings of Russian tycoon Alisher Usmanov approved selling its 45% stake in MF Technologies, a structure controlling a 57.3% voting stake and a 4.8% economic stake in VK (former ... more

Global online exchange provider MultiBank Group challenges Von der Heydt Group, offers refund to noteholders

Global online exchange and cryptocurrency ecosystem provider MultiBank Group is appealing against a decision dismissing a case it brought against its former joint venture partner, German-based Von ... more

Russia works on a super app for government officials

Russia's Ministry for Digitalisation has announced a tender for a super app that government officials would use to "improve security and independence of sanctions." The winner of the tender will ... more