
Beware of the online black industry eyeing your "face"


Economic Observer Network reporter Hu Qun

"When you encounter the 'I want to transfer money to your card, you then help to send it to my friends, my WeChat is restricted from transferring' situation, and video verification of the other party finds that it is me, you still have to be cautious and cautious again," a teacher at a Beijing university said in her circle of friends on February 17. In the early morning of the same day, a friend of hers had asked her through WeChat for help with a transfer. She opened a WeChat video call with the other party for verification and saw a familiar face in the video, but the other party did not speak and hurriedly closed the video call.

Video verification shows a familiar face, so why are people still being scammed?

"Identity verification security risks have brought uncertainty to the assets of the financial industry, and the increasing diversity of attack behaviors and counterfeiting cases has brought great challenges to the security of AI technology, such as hollow photo digging, 3D masks, deep forgery, speech synthesis, voice splicing, etc., and effective anti-counterfeiting capabilities are urgently needed for different attack behaviors," Feng Yue, director of the Zhongguancun Kejin AI Security Offensive and Defense Laboratory, said in an interview with the Economic Observer Network. He said that with the development of deep learning and the emergence of Deep Fake (a controversial face-swapping software technology), the threshold for producing a "fake face" has dropped sharply: ordinary people can generate a face that may not exist or swap faces, and the resulting single-frame picture can be very realistic. Under normal circumstances, the black industry uses dynamic processing software to make the person in a photo open their mouth, turn their head and so on, and then uses other software to deceive the system: by modifying the relevant data and settings, it imports the dynamic face video prepared in advance into the App, completes the authentication, and then completes the entire fraud process.

How much is your face "worth"?

Mobile payment has become a mainstream payment method. According to the "Statistical Report on the Development of China's Internet Network" released by the China Internet Network Information Center (CNNIC) in September 2021, the number of online payment users in mainland China reached 872 million, accounting for 86.3% of all internet users.

With epidemic prevention and control now routine, demand for identity recognition such as contactless authentication and non-sensor authentication has surged. Face recognition technology, being convenient and easy to use, plays an important role in the financial field, and many financial Apps offer payment, transfer and other services through face recognition. Biometrics such as fingerprints and face scanning have become a commonly used mobile payment verification method, and their usage rate has exceeded that of digital password verification.

On January 25, China UnionPay released the "2021 Mobile Payment Security Survey And Research Report", which shows that among mobile payment verification methods, biometric methods such as fingerprints and face scanning have the highest recognition, and their usage rate has exceeded that of digital password verification. By age, people over the age of 45 prefer password payment, while people under 45 prefer biometric methods such as fingerprints and face scanning; in particular, 75% of young people aged 18-24 use biometric verification methods, 9 percentage points higher than the average. About 30% of the respondents used dynamic verification codes to verify identities, of which 35% were 46-55 years old, 6 percentage points higher than the average.

While technology brings convenience, it is also exploited by criminals, and the personal information protection problems raised by face recognition technology are becoming increasingly prominent, causing widespread public concern. Feng Yue said that in conventional face recognition technology, the system performs only basic quality detection and verification on the collected video or picture. This basic verification cannot effectively distinguish real faces from fake ones, and its effectiveness drops sharply as forgery tools evolve; commonly, the black industry can pass off a fake as genuine simply by re-shooting a photo or video. This raises a range of security concerns.

Under normal circumstances, the black industry uses dynamic processing software to make the person in a photo open their mouth, turn their head and so on, and then uses other software to deceive the system: when the App needs to verify the face through the camera, it starts a "plug-in" and, by modifying the relevant data and settings, imports the dynamic face video prepared in advance into the App, and the authentication is completed.

In June 2021, the National Internet Emergency Response Center described the risk of face recognition identity authentication vulnerabilities: some apps have security flaws in their design that allow attackers to replace the photos collected by liveness detection with publicly obtained user photos, thereby defeating the face recognition identity authentication mechanism, logging into user accounts and stealing users' sensitive information.

If the fraud techniques described above are relatively rudimentary, the scams have now escalated.

"The attack and defense game between the security industry and the black industry in the field of face recognition has undergone many iterations, from the early image level to the medium-term application level, and then to the later algorithm level, the financial industry and security companies have effectively protected against the attack methods of the black industry through a series of means, but the confrontation has not stopped, and the face attack and defense have further penetrated into the mobile operating system, bringing new challenges to enterprise protection." The "2021 Network Finance Black Industry Research Report", released on February 14 by the Financial Technology Research Institute of the Industrial and Commercial Bank of China, shows that as face recognition attack and defense technology keeps developing through repeated contests, face recognition application scenarios have become the main battlefield of the confrontation with the black industry. In addition to the well-known photo activation attack, new attack methods appeared in 2021: the black industry carefully designed face fraud scenarios and used new attack technologies, so that "face scanning" once again faced new challenges.

"Answer video calls carefully, and face theft needs to be prevented." The "2021 Network Finance Black Industry Research Report" pointed out that black industry practitioners steal victims' face information through video calls. They generally impersonate public security, procuratorial and judicial organs or bank staff, intimidate victims with claims that they are involved in cases such as "money laundering", "drug possession" or "loan arrears", and require them to verify their identity through a video call. During the video call, the practitioner requires the victim to complete designated face actions while recording the screen to obtain the victim's face information. Compared with the synthetic video generated by activation software, the face video obtained through a video call shows face recognition actions completed by the victim in person; it has no synthetic or forged features and is difficult for face algorithms to detect. Because facial features are unique, once they are stolen by the black industry, face authentication is directly invalidated, resulting in loss of funds and property. Therefore, before answering a video call, be sure to verify the identity of the other party.

The online black industry is rampant

Over the whole of 2021, Xiaodun Security detected a total of 9381 black-industry gangs committing crimes, with an average of about 500 accounts per gang. They generally operate in a professional studio model, using their own group-control equipment or renting cloud-control services, together with device-modification tools, emulators, IP proxies, code receiving platforms, code coding platforms, etc., to complete cheating in batches.

The "2021 Mobile Payment Security Survey And Research Report" shows that the proportion of people who suffered losses from online fraud in 2021 increased by 6% compared with 2020, reaching 14%, while the average loss was 1650 yuan, 272 yuan lower than in 2020. By age, the post-00s are a high-risk group for mobile payment: the proportion of bank card lending is high, and the proportion of economic losses caused by online fraud ranks first. Middle-aged and elderly people are also a main group of fraud victims; they are mainly concentrated in fourth-tier and fifth-tier cities and in townships, towns and villages, generally have a low level of awareness, are defrauded mainly through online live broadcasts, and usually lose large amounts. By occupation, college students are at higher risk of online fraud, with nearly half in the habit of using third-party credit loan accounts. In addition, online shop owners and independent entrepreneurs also suffer more from online fraud.

"Under the age of 40 is the main victim group, and fraud among the elderly is relatively rare." According to the "Telecom Network Fraud Governance Research Report 2021" released by Tencent, by age, young people under 40 account for as much as 79% of victims, while victims over 50 account for only 8%. However, as the aging of society in mainland China deepens and accelerates, the elderly will become an important part of China's netizens that cannot be ignored, and the network security problems of the silver-haired group also need attention.

"The entire black industry chain has a long history, and since the Internet era, we have divided the evolution of black industry into 4 stages." The "2021 Annual Business Risk Control Insight Report" released by Xiaodun Security names them as the barbaric era, the barbaric growth period, the initial-scale period, and the overseas expansion period.

Before 2010, in the barbaric era of the black industry, during the Internet era represented by PCs, the main way for the black industry to make money was to control personal computers as "broilers" (compromised machines) and profit from them through DDoS attacks, advertising, and installation of rogue software. The number of "broilers" controlled in this period determined the upper limit of the profit scale.

Around 2013, with the rise of O2O and the influx of a large amount of capital, the black industry expanded into new-user acquisition campaigns, and the value of accounts became prominent. It was also in this period that the black industry chain around the "account system" gradually formed, including number merchants, code receiving platforms, code coding platforms, group control, etc., thus entering the barbaric growth period.

Around 2015, the online lending industry entered a period of prosperity. This stage was also a period of concentrated risk outbreaks, because the industry's pan-financial attributes require more stringent KYC certification. It was at this stage that the entire industrial chain around the "KYC suite" gradually formed, including two elements, three elements, faces, liveness, etc., and the black industry began to reach scale.

Since 2019, expanding overseas ("going to sea") has become the choice of many domestic enterprises; e-commerce, social and pan-entertainment companies alike have joined the trend. At that time, domestic regulatory policy became stricter, and the domestic black industry also began to go overseas. Building on years of technology accumulated at home, black industry operations have become even more rampant overseas.

According to Tencent, there are currently three main ways for fraudsters to illegally obtain citizens' personal information: obtaining it through "rogue software", phishing websites, system vulnerabilities, "dragging libraries" (database dumping) and other means; purchasing illegally obtained personal information from others through illegal channels such as the dark web; and "crawling" it from public channels such as enterprise industrial and commercial information inquiry websites, enterprise official websites, and government unit websites.

On February 18, the Ministry of Industry and Information Technology announced the first batch of apps of 2022 that infringed on the rights and interests of users. "In accordance with the Personal Information Protection Law, the Cybersecurity Law, the Telecommunications Regulations, the Provisions on the Protection of Personal Information of Telecommunications and Internet Users and other laws and regulations, our ministry recently organized a third-party testing agency to inspect mobile Internet applications (APP), and as of now, 107 APP applications have not been rectified." The Information and Communications Administration of the Ministry of Industry and Information Technology said that the inspection found 13 embedded third-party software development kits (SDKs) illegally collecting user device information.

How to win the "protracted war" with the black industry?

In view of the severe trend in the development of the black industry, on the one hand, the government has introduced policies and taken a series of measures to crack down on it; on the other hand, technology companies are playing an increasingly important role.

The public security organs have cracked down on the black industry through a series of means such as the "card-breaking" operation and the national anti-fraud app, effectively reducing the number of black cards and cutting off black industry activities at the source. The state's heavy blows have had an effective deterrent effect on black industry practitioners, and the black industry has shifted further toward concealment and random grouping.

Since the launch of the "card-breaking" operation in October 2020, all localities and departments have concentrated on cracking down on criminal gangs and cleaning up telephone cards and bank cards, curbing the rapid rise of telecommunications network fraud cases at the root; the incidence of telecommunications network fraud crimes nationwide decreased year-on-year for four consecutive months from June to September 2021. As the operation has advanced, the delivery and trafficking channels through which fraud gangs obtain the "two cards" have been blocked, the "two cards" available for crime in fraud dens have become seriously insufficient, a large amount of funds involved in cases has been frozen, and some fraudsters have even used their own bank accounts directly to transfer and launder money. The cost of committing crimes has increased significantly for criminal gangs, and telecommunications fraud activities have been seriously damaged.

In September 2021, the General Office of the Banking and Insurance Regulatory Commission issued a notice on strengthening the safety management of the application of face recognition technology. It requires institutions to comprehensively review the business scenarios and application systems involving face recognition and carry out risk investigation and rectification: where security vulnerabilities are found in the face recognition technology in use, they are to upgrade or repair it as soon as possible, and to implement security reinforcement or transformation of application systems with hidden risks as soon as possible.

On January 18, 2022, the first "Face Information Compliance Operation Guide", led by the Institute of Cloud Computing and Big Data of the China Academy of Information and Communications Technology, pointed out that mainland China has initially built a legal and normative system for face information protection. The Criminal Law and the Interpretation of Several Issues Concerning the Application of Law in handling Criminal Cases of Infringement of Citizens' Personal Information clearly stipulate criminal acts such as illegal trading of face information, while the Civil Code, the Personal Information Protection Law, and the Provisions on Several Issues Applicable to law in the Trial of Civil Cases Related to the Use of Face Recognition Technology to Handle Personal Information provide a solid basis for regulating face information processing activities. Relevant laws, regulations and standards are continuously being updated and improved.

In November 2021, the China Academy of Information and Communications Technology announced the first round of results of "Trusted AI: Face Recognition Assessment". Seven well-known enterprises, including Zhongguancun Kejin, Tencent Cloud, Baidu, JD.com, and Ant Financial, passed the assessment, with their system security protection capabilities reaching the excellent level. According to public information, the multi-modal anti-counterfeiting and security platform of Zhongguancun Kejin currently supports 11 types of anti-counterfeiting capability detection, of which the single-frame silent false acceptance rate for presentation-type liveness attacks is as low as 0.5%,00%, the false acceptance rate of deep forgery single-frame detection is as low as 0%,, and the accuracy rate of single-frame detection of ID card forgery is as high as 99.2%.

Feng Yue said that by 2023 the product will cover more than 30 types of anti-counterfeiting, with average anti-counterfeiting accuracy generally exceeding 95%, and is expected to serve more than 300 enterprises. Up to now, the multi-modal bio-counterfeiting and security platform has been applied in multiple business scenarios of financial institutions. For example, there are currently profit-seeking "black and gray intermediaries" that induce consumers to entrust them as agents to protect their rights, leaving financial institutions overwhelmed; the product can be used to identify such agent rights-protection agencies, using voiceprint recognition and voice forgery detection to establish whether the user is himself.

Tencent Defender is a public-welfare comprehensive security service platform integrating "user reporting, crackdown on violations, and user education". Since its establishment, it has served 150 million users, accepted nearly 60 million valid reports, and cracked down on more than 10 million illegal accounts.

"In the era of industrial digital interconnection, black industry protection and digitalization are two sides of the same coin, with the expansion and growth of business boundaries, the characteristics of black industry concealment, technology and industrialization are becoming more and more prominent, and relying on a single enterprise to fight alone and build a car behind closed doors will inevitably be unable to cope with the ever-changing black industry form in the future." It is necessary to strengthen resistance to the black industry through joint construction at the multiple levels of the state, industry and institutions, the "2021 Network Finance Black Industry Research Report" said.
