Cybersecurity may be slipping through our fingers
A researcher displays a face-recognition system. [Photo provided to China Daily] |
Selfies
Despite the concerns voiced by security experts, the business of remote computer authentication is booming.
For example, HSBC, Bank of Scotland, MasterCard and other financial organizations allow customers to open new accounts simply by providing a selfie.
Now, under a guideline issued by the Ministry of Public Security, banks in China require their customers to open accounts in the presence of a bank employee.
The ministry has also developed the eID system, an encrypted framework for remote-identity authentication, which is used by banks, social security departments and online payment systems.
For example, anyone who tries to log onto their bank account through the system remotely has to type in a secret password generated by a USB key. The password, which changes every minute, links the bank to the client's personal information in the ministry's database.
"In this process, the message exchanged on the internet is just a random number sequence, which means hackers cannot intercept any useful information about clients, even if they break through the bank's security firewall," said Yan Zeming, who is charge of the eID project at the Third Research Institute.
According to Yan, the eID system has been tested by 60 million bank customers nationwide, and there are plans to expand its coverage via cooperation with social security departments and e-government service systems.
"Safe remote-identity authentication is a precondition of digitizing your life. Facial and fingerprint recognition may look cooler and more convenient, but security is definitely the main priority," he said.
Greater safety?
Biometric technology, which is new to the general public, is believed to be safer than traditional methods of authentication.
In a survey conducted this year by China UnionPay, an interbank transaction settlement system, 83 percent of respondents said they had used a mobile phone to make a payment in the past year, while 13 percent said they were willing to try biometric technology-based authentication methods.
"I think fingerprint authentication is safer than the one-time password sent to my cellphone, which used to be the most common authentication method. If you lose your phone and it's found by unscrupulous people, they can easily transfer your money to their account because they will have access to your short messages. With fingerprint-authentication technology, they can do nothing if you are not there," said Chen Meng, a 35-year-old Shanghai resident who regularly uses online payment systems.
However, in practice, fingerprints may not be as safe as was once believed. Last month, police in Changshu, a city in Jiangsu province, investigated a case in which the victim, a woman named Li, passed out after drinking a cup of water offered by an acquaintance. While Li was unconscious, the acquaintance used Li's fingerprint to unlock her phone and stole 10,000 yuan from her online payment account.
In another case, the owner of a hair salon in Shanghai loaned her phone to a client who then secretly uploaded her own fingerprint to the phone and repeatedly entered the victim's "wallets" on Alipay and WeChat-two of the most popular online payment systems in China-and stole 77,000 yuan.
Changing landscape
"The individual cases that have been reported are still causing limited damage because the suspects are stealing from people they know. If the criminals had been professional hackers, they would have better covered up their activity and caused inestimable losses," said Mei, from the Cyber Physical System R&D Center.
"The essence of the internet is changing because we are digitizing the physical world and putting it online," he added. "In the past, information was just information, and it was separate from real life. But now, part of real life has been digitized, so we need to rebalance entertainment, convenience and security to facilitate the secure exchange of online information."
Contact the writer at chengyingqi@chinadaily.com.cn