Blog: Close Your Eyes and I’ll Scan You: Chinese Face Payment System Vulnerabilities
In recent years mobile and app unlocking technologies have progressed from password and screen swipes to fingerprint and most recently face scans. Hackers have followed along, attempting to defeat each new security measure with often novel schemes. In 2017 a Vietnamese company cracked the Apple iPhone X’s Face ID using homemade masks constructed of 3D-printed plastic, silicone, makeup and cutouts; while identical twin siblings have also managed to dupe such facial recognition systems. These methods however lack practicality, as constructing the masks was complicated and not everyone has a twin brother or sister.
Everyone, however, sleeps. And Synced has found a simple way to challenge cutting-edge facial recognition security scans: just point a camera at the unaware subject while they are sleeping.
In an experiment conducted by Synced, 13 individuals and 12 flagship smartphones were tested to see whether mobile payment platforms WeChat and Alipay could be accessed by scanning users’ faces with their eyes closed.
Facial recognition technology is becoming mainstream in China, and has been widely adopted for mobile payment systems, where the country is a global leader. Synced’s aim was not to downgrade tech giants’ efforts with cutting-edge AI technologies, but to open a discussion on a potential vulnerability — accounts could be accessed by exploiting a user who is asleep, drunk, drugged, etc. — in order to help prevent potential abuse. We found:
- More than 33 percent of smartphones (four models) confirmed Alipay money transfers when the registered user had their eyes closed. Moreover, 17 percent passed the verification scan multiple times.
- WeChat does not provide face payments on smartphones without 3D cameras. But three of four 3D camera smartphones tested confirmed payments when users’ eyes were shut.
Although the number of samples measured in this experiment is small, Synced believes the results do indicate potential security concerns for mobile payment verification systems.
A facial recognition system can be defined as a technology for identifying registered users. Depending on the input, the facial recognition algorithm can be either 2D or 3D. The 2D algorithm extracts features such as eyes, eyebrows, nose, and mouth, but can be affected by large variations in head pose, lighting conditions and facial expressions. More advanced 3D scanning tech collects detailed shape and contour information by projecting a network of infrared dots onto the subject’s face.
3D smartphone cameras were introduced with the iPhone X and its biometric face scanning feature Face ID two years ago. These cameras provide superior sensing ability and enhanced picture quality. Many high-end flagship smartphones are now equipped with 3D cameras.
WeChat announced its first facial recognition test integrations in October 2017. Ten months later, the company released an update enabling the face scan payment service for Android devices with 3D cameras. A typical payment workflow is shown below:
- The App first calls the function interface of the mobile phone’s operating system.
- It prompts the system to wake up the camera and collects face data, including 2D features and 3D shapes.
- The camera encrypts and injects the data into a Trusted Execution Environment (TEE), a secure area inside a main processor. The TEE decrypts and obtains raw face data information.
- The local processor with embedded facial recognition algorithms compares the new data with previously saved facial data for verification.
- The phone packs the result into a digital signature and sends the signature back to WeChat’s backend system.
- WeChat determines the verification based on the signature.
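The last two steps of this workflow mean the backend can only act on what the phone chose to sign. The sketch below is an added example, not WeChat's or Alipay's code: it models a signed result that carries an explicit eyes-open claim and a backend that refuses to approve without it. The field names, the challenge values and the use of HMAC-SHA256 in place of a TEE-held asymmetric signing key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real handset would sign with an asymmetric key held
# in the TEE; HMAC-SHA256 stands in so the example runs on the standard library.
DEVICE_KEY = b"constructed-demo-key"


def tee_sign_result(match, eyes_open, challenge, key=DEVICE_KEY):
    """Device side: pack the local comparison result and sign it."""
    claims = {"match": match, "eyes_open": eyes_open, "challenge": challenge}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": tag}


def backend_decide(message, expected_challenge, key=DEVICE_KEY):
    """Backend side: verify the signature, then apply policy to the claims."""
    payload = message["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["sig"]):
        return "reject: bad signature"
    claims = json.loads(payload)
    # Bind the result to this payment so an earlier signed result cannot be reused.
    if claims.get("challenge") != expected_challenge:
        return "reject: stale or replayed result"
    if claims.get("match") is not True:
        return "reject: face mismatch"
    # A valid signature only proves the device produced the result. Whether the
    # user was attentive has to be an explicit claim the backend insists on.
    if claims.get("eyes_open") is not True:
        return "reject: no attention signal"
    return "approve"


if __name__ == "__main__":
    awake = tee_sign_result(True, True, "tx-1001")
    asleep = tee_sign_result(True, False, "tx-1002")
    print(backend_decide(awake, "tx-1001"))
    print(backend_decide(asleep, "tx-1002"))
```

If the signed payload carried only the match result, the second case would be indistinguishable from the first at the backend, which is the gap the experiment probes.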
The WeChat Pay security team told Synced that their mechanism for mobile phone face payment requires smartphone models to meet specific security standards, including 3D structured optical depth camera, comparison computation, and other operations in TEE.
The team also stressed that a series of rigorous testing mechanisms have been developed to ensure a secure payment experience, including effective distance & angle, screen recordings, 3D head models and others.
Alipay unveiled its face scan payment strategy in 2015 when Alibaba Founder Jack Ma demonstrated a payment system on a smartphone using facial recognition technology at the CeBit conference in Hanover, Germany. The company rapidly expanded its face scan payment system in China over the following two years.
To adapt to all smartphone units, particularly those without 3D cameras, Alipay developed distinct 2D and 3D face verification payment systems.
An Alipay cooperative application vendor told Synced that to ensure the accuracy of 2D facial recognition, Alipay also takes users’ financial behavior data, such as consumption habits, credit data, and buying power, into consideration.
Alipay initially integrated an AI technique it called “liveness detection” to detect and reject, for example, a photo or a mask of the user’s face being used to fool the system. Liveness detection had the app prompt users to nod, shake their head, open their mouth, etc. as part of the scan and verify process. The additional step however was determined to compromise user experience — and Alipay later removed liveness detection.
In an emailed response to the experiment information provided by Synced, Alipay said it has added “gaze recognition,” which can effectively reject facial recognition when a subject’s eyes are closed.
As we move increasingly into biometric identity and access protocols for a wide variety of apps and digital services, an emerging challenge in the implementation of new AI technologies will be striking a balance between user experience and security.
Journalist: Tony Peng | Editor: Michael Sarazen