Social media

Can videos uploaded to social networks allow hackers to steal your biometric data?

A makeup tutorial, an honest product review, a clip showing off your latest dream vacation: it’s the kind of content that appears daily on our social media feeds and profiles, to the point that we often skim through with no interest or even interest. .

But other ill-intentioned people might pay more attention to how our faces appear on social media.

A recent report by Trend Micro, a cybersecurity company, has found that there is a significant risk that videos posted on social media expose sensitive biometric data that could potentially be hacked by malicious actors, especially when these clips are of very high quality and centered on our eyes.

On TikTok alone, nearly 10 million posts use the #EyeMakeup hashtag, providing invaluable resources for those looking to learn how to improve their makeup skills.

But Trend Micro researchers warn that those same videos expose users’ face, retina and iris patterns – valuable information for accessing our data and devices.

“By publicly sharing certain types of content on social media, we give malicious actors the ability to obtain our biometric data,” the report said.

“By posting our voice messages, we are exposing voice patterns. By posting photo and video content, we expose our faces, our retinas, our irises, the shapes of our ears, and in some cases, our palms and fingerprints.

“Since this data could be publicly available, we have limited control over its distribution,” he adds. “We therefore do not know who has already accessed the data, or how long the data will be retained, or for what purposes.”

How does biometric technology work?

“Biometric technology automates the recognition of individuals based on their physical or behavioral traits”, Luca Rognoni, director of security and co-founder YEO messagingtold Euronews Next.

“These traits can include fingerprints, facial features, iris patterns, or voice. Biometric systems use sensors to capture this information and algorithms to convert it into a digital pattern called biometric data. The data biometrics are then stored and used in a comparison type process to recognize the individual”.

Biometric systems are generally considered more secure than traditional password-based systems because they are much harder to impersonate or hack.

“However, no system is perfect, and there have been high-profile cases of biometric data compromise,” Rognoni said.

If you think biometric systems are just a matter of Apple’s Face ID, think twice: biometric technologies are used to pass automated border controls, unlock bank accounts and withdraw money. cash at ATMs, and pay for all kinds of goods.

Are videos posted on social networks a risk?

“The simple answer is, yes, there is a risk of biometric data being stolen from videos posted on social media,” Rognoni said.

“Anything is possible in the world of cybersecurity. Can I get a high resolution of a person’s face or a close-up shot of their iris from an online video? Yes, it is very likely if the quality of the video was good enough”, Keiron Shepherd, security solutions architect for Northern and Western Europe at a cybersecurity company F5told Euronews Next.

“There has been evidence in the past of high-resolution photographs being used to create dummy eyes or even 3D printing faces to successfully circumvent biometric testing,” Shepherd said.

“These can work on simple systems, but the data needed to bypass biometric systems is getting smarter. For example, face scanning will also look for human movements, depth, shadows and skin tones, and other data points will be used in conjunction with biometrics.”

The biggest problem with biometrics, Shepherd added, is that if that data is hacked, there’s no way to replace it with more secure data, like you would with a traditional password.

“We see billions of user login details and password combinations leaked each year. The main difference here is that if you detect that your email address and/or password has been hacked, you you then have the option to reset your password, preventing hackers from using your exposed data to authenticate to other websites you are registered on.With biometric authentication methods, these are more hard to reset,” he said.

Morgan Wright, chief security adviser at a cybersecurity firm SentinelOnetold Euronews Next that he thinks the risk to the general user community is relative but could increase in the future as the cameras in our devices continue to improve.

“At this time, I would consider there to be a low risk of compromising iris biometrics based on the steps required to capture the data. However, this is based on today. As cameras become more advanced and algorithms are sophisticated, it would be possible to capture enough data to replicate a human iris,” he said.

Facial recognition and its use to create deepfakes, on the other hand, is already a significant risk, according to Wright.

“It’s much harder to prevent,” he said, “more and more resources are available to create authentic photographs that fool facial recognition countermeasures.”

Although it is possible for hackers to use a captured image or video of a subject’s face or a copied and replicated fingerprint to gain access to their accounts, “biometric systems today implement defenses against attacks that involve algorithms and sensors capable of determining if a physical trait is captured on a living individual present at the point of capture,” Rognoni explained.

These types of solutions — called “presentation attack defenses” — “are evolving rapidly and have already achieved a high level of mitigation against several presentation attacks like the liveness attack,” Rognoni said.

How do cybersecurity experts repel attacks on biometric protections?

There are things cybersecurity experts can do to ward off attacks on biometric protections.

First, “they can track the latest security threats and develop countermeasures accordingly,” Rognoni said.

Second, “they can perform regular audits of biometric systems to ensure they are secure,” he added.

Finally, experts can implement appropriate security controls to securely manage users’ biometric data throughout the data lifecycle.

Having a double authentication system in place, in cases like this, is of extreme importance to prevent hackers from gaining access to your accounts.

“To maintain data security and privacy, organizations must increasingly adopt digital processes that require non-spoofing digital identities to defeat these sophisticated attacks,” David Mahdi, CSO & CISO Advisor at Sectigo told Euronews Next.

“While biometric data theft and deepfakes are very difficult things to combat, the proven best way to establish digital trust is a system that confirms the identity of participants using unbreakable cryptographic techniques,” said he declared.

“This is accomplished with digital certificates based on a public key infrastructure (PKI). PKI-centric digital identity policies provide a fundamentally more usable and secure model of authentication.”

Just because there is a potential risk of your biometrics being stolen doesn’t mean you should stop showing your face on social media. However, there are some basic steps you can take to ensure your identity is safe online.

“Be aware of your background before taking selfies: this includes computer screens that may display sensitive information,” Wright said.

“When doing video or public speaking, if you think you are a high profile target, be aware of anyone near advanced photographic equipment. Do not expose your fingers directly to the camera, as high resolution cameras may be able to capture their unique pattern.

While concerns about the theft of our biometric data might seem a little too paranoid given that the current risk of such a scenario occurring is relatively low, it is a real threat that is extremely likely to materialize. in the future.

“Whether that future is five or 20 years away, the data is available now. We owe it to our future selves to take precautions today to protect us in the world of tomorrow,” the Trend Micro report concludes.