Packet capture used to break through a face recognition system: security problems called into question

Almost Human https://www.jiqizhixin.com/articles/2020-03-13-11

Recently, a court judgment was published online concerning a "hacker" who broke into the Xiamen Bank mobile banking app and used false identities to open accounts. The two offenders were Tian, born in 2000 and a dropout from a Henan vocational college, and Tang, born after 1995. Tian broke the face recognition system of the Xiamen Bank app, then used false identity information to register multiple accounts and resold them for profit.

Tian used packet capture to break through the app's face recognition, registered multiple accounts with false identity information, profited from selling them, and was sentenced to three years in prison. Tang was one of Tian's buyers: he bought the fraudulently opened accounts cheaply, marked them up and resold them, and also sold others the method for obtaining bank accounts under false identities.

A "post-2000" youth breaks a bank's face recognition system

According to the verdict, the defendant Tian was born in January 2000, has a junior high school education, was unemployed, and has his registered residence in Xiayi, Henan.

Between 5 and 15 January 2019, Tian used packet capture software, photoshopped ID cards and other illegal means to register Class II and Class III accounts with false identity information in the Xiamen Bank mobile banking app. He successfully registered 76 Class II Xiamen Bank accounts and earned 22,010 yuan by selling them online.

Class II and III accounts differ from Class I accounts: a Class I account has full functionality, while Class II and III accounts are virtual electronic accounts opened on the basis of a Class I account, with progressively reduced functionality.

According to Tian's defense lawyer, Tian had earlier seen in a QQ group that the opening of Class II and III accounts could be exploited. He downloaded the apps of twenty-three commercial banks to try them, opened Xiamen Bank Class II and III accounts with his own real information to familiarize himself with the process, and after learning the principles of network packet capture online, he stumbled on a vulnerability in the Xiamen Bank app: an account could be opened by swapping information.

Specifically, when Tian registered an account in the app with his own identity information and reached the face recognition step, he used packet capture software to intercept and save the face recognition authentication packet issued by the bank's system.

Then, at the step where the card password is entered, Tian went back in the app to the first step, uploaded a photo of a fake ID card, entered false identity information, and proceeded again to the face recognition step.

At this point he replayed the intercepted packet containing his own identity information, so the system took the identity to be his own; he then passed face recognition with his own face, and the bank's system accepted the account registration under a false identity.

By this method Tian successfully registered 76 Xiamen Bank Class II accounts and earned 22,010 yuan by selling them online. As a result of Tian's actions, Xiamen Bank has disabled the Class II and Class III account-opening function in its mobile banking app since 18 January 2019.


Subsequently, from 18 January 2019 Xiamen Bank disabled the Class II and Class III account-opening function of its mobile banking app. Tian was sentenced to three years' imprisonment and fined 10,000 yuan for the crime of illegal access to computer information systems. Tang confessed and received a lighter sentence of seven months' imprisonment and a fine of 5,000 yuan.

A "post-2000" youth breaks Xiamen Bank's face recognition system and forges 76 fake accounts: how was it done?

According to the verdict, the intrusion did not stop at Xiamen Bank. In February 2019, Tang learned the packet capture technique from others and tried to register Class II and III accounts at several banks, including the Construction Bank app, the Xiamen Bank app and Shanghai Pudong Development Bank's web quick account opening. He also paid others 1,888 yuan to apply the packet capture technique described above, and 12 Class II and III accounts were successfully registered in Construction Bank's system.

The case can be summed up as "hackers" breaking the Xiamen Bank app's face recognition system. In fact, the verdict shows that the packet capture technique Tian used is not unusual and is not really "high tech". Packet capture intercepts the data packets sent and received over a network so that they can be retransmitted, edited or dumped; it is also routinely used in network security testing, and is commonly used to intercept data.

Second: "packet capture" bypassing the bank's security checks raises doubts

Since "packet capture" is not a new technique, what is new in the case above is only its application to a face recognition scenario.

Compared with attacks on 3D dynamic face mapping technology, packet capture is far less difficult; the key is the angle of attack. In this case, the bank's internal management processes and the testing and verification of the product before delivery still needed improvement.

The reason, according to an analysis reported by Caixin, is that in this case the system did not verify that the face matched the identity information submitted. Security staff would normally treat information submitted by the client as something that must be strictly checked and well tested, but testing is a relatively complex undertaking, and in this case the bank may not have considered the possibility of information being replaced along the packet capture path.

The WeChat public account "Financial Technology People" noted that in the replay process used by the hackers above, if the associated fields are variable values such as name and ID card number, the hackers need only fit them into the exploitation process: they replace those fields and use a forged identity plus the hacker's own face to open an account with false information.

The WeChat public account "A Data Player's Self-Cultivation" identified three vulnerabilities in the verification of the whole transaction process: design flaws in the transaction process, whether five-factor authentication was performed, and failure to prevent replay attacks.

It said that in a transaction process, face recognition should normally be placed in the last step, because this step is the most expensive, has the highest failure rate and gives the worst customer experience; in this case, however, the transaction password was still entered after face recognition.

In addition, the central bank's Document No. 302 already states clearly how Class II and III accounts are to be opened, changed and revoked.

1) A Class II account opened through electronic channels must be bound to the holder's own Class I account or credit card account, and five elements must be verified: name, ID number, mobile phone number, the bound account number, and whether the bound account is the user's own Class I or credit card account.

2) A Class III account opened through electronic channels requires four elements to be verified for the bound account: name, ID number, mobile phone number and bound account number.

In this case, had five-factor authentication been performed, the attacker would have needed to open a Class I card in the victim's identity and would also have needed the victim's own reserved phone number, which would have raised the cost of the attack.

Finally, the bank also failed to prevent replay attacks effectively. In a replay attack, an attacker re-sends a packet that the destination host has already received in order to deceive the system; it is mainly used against identity authentication processes to undermine the validity of authentication.

In this case, Tian's method was not the usual criminal approach of defeating the 3D face recognition system by technical means. Instead, he replaced the face recognition authentication data of the false identity with his own face recognition authentication packet and then used his own face to complete the comparison, bypassing the system's checks through a "back door".
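The two weaknesses the analyses above single out, a face result that is not bound to the submitted identity and a packet that can be replayed, can be shown side by side in a small server-side model. This is an added example, not code from the article or from any bank; the key, names and ID numbers are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-demo-key"  # placeholder; a real deployment uses a managed secret


class FaceAuthServer:
    """Toy account-opening back end: issues a face-verification token at the face
    step and checks it again when the application form is finally submitted."""

    def __init__(self):
        self.used_nonces = set()  # nonces already spent, for replay detection

    def _mac(self, name, id_number, nonce, issued_at):
        msg = "|".join([name, id_number, nonce, str(issued_at)]).encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def face_verify(self, name, id_number, live_face_matches_id_photo):
        """Face step: the live face is compared with the photo on the ID for
        (name, id_number). On success the result is tied to that identity."""
        if not live_face_matches_id_photo:
            return None
        nonce, issued_at = secrets.token_hex(16), int(time.time())
        return {"name": name, "id_number": id_number, "nonce": nonce,
                "issued_at": issued_at,
                "mac": self._mac(name, id_number, nonce, issued_at)}

    def open_account_vulnerable(self, form_name, form_id, token):
        """The flaw the article describes: any face token is accepted, so a token
        earned with the attacker's real identity also works for a fake form."""
        return token is not None

    def open_account_hardened(self, form_name, form_id, token, now=None, ttl=300):
        """Binds the token to the submitted identity and rejects reuse or staleness."""
        if token is None:
            return False
        now = int(time.time()) if now is None else now
        expected = self._mac(token["name"], token["id_number"],
                             token["nonce"], token["issued_at"])
        if not hmac.compare_digest(expected, token["mac"]):
            return False  # token fields were edited after issuance
        if (token["name"], token["id_number"]) != (form_name, form_id):
            return False  # face was verified for a different identity than the form
        if token["nonce"] in self.used_nonces or now - token["issued_at"] > ttl:
            return False  # replayed or expired token
        self.used_nonces.add(token["nonce"])
        return True
```

Placing the face step last, as the analysis suggests, shortens the window in which a captured token is valid, but the binding and single-use checks are what stop the swap described above.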

In recent years, face recognition authentication has been applied and promoted on a large scale in the Internet market. Besides the mobile banking application in this case, most payment, social and dating applications on the market require face recognition biometric authentication to raise the security level of accounts.

But at present, the privacy issues involved in face recognition and the related technical problems receive little attention, and the lack of rigor in the functional design and verification of such applications also leaves openings that are easy for people to "abuse".


Source: blog.csdn.net/MrCharles/article/details/104881107