Sharing high-resolution media online could inadvertently expose sensitive biometric data, according to a report released by a cyber security company on Tuesday.

This can be especially dangerous, said a 75-page report by Trend Micro, because people do not know they are exposing the information.

For example, the report notes that the #EyeMakeup hashtag on Instagram, which has nearly 10 million posts, and #EyeChallenge, with more than two billion views, expose iris patterns in enough detail to pass an iris scanner.

“By publicly sharing certain types of content on social media, we give malicious actors the opportunity to source our biometrics,” the report states. “By posting our voice messages, we uncover voice patterns. By posting photo and video content, we highlight our face, retina, iris, ear-shaped patterns and, in some cases, palms and fingerprints.”

“Since such data may be publicly available, we have limited control over its distribution,” it added. “Therefore we do not know who has already accessed the data, nor do we know for how long or for what purposes the data will be kept.”

Not a panacea

The report covers what types of biometric data can be exposed on social media and outlines more than two dozen attack scenarios.

“The report suggests that biometric identification is not a panacea,” said Will Duffield, a policy analyst at the Cato Institute, a Washington, DC-based think tank.

“As we design detection systems, we need to be aware of technologies going down the pike and potential abuse in the real world,” he told TechNewsWorld.

“Trend Micro raises some valid concerns, but these concerns are not new to biometrics professionals,” Sami Alini, a biometrics specialist with Contrast Security, a maker of self-protection software solutions in Los Altos, Calif., told TechNewsWorld.

He said there are several ways to attack a biometric system, including a “presentation” attack described by the report, which substitutes a photo or other object for the biometric element.

To counter this, he continued, “viability” must be determined to ensure that the biometric presented is that of a living person and not a “replay” of a previously captured biometric.

Avi Turgman, CEO and co-founder of IronVest, an account and identity security company in New York City, agreed that “viability” is one key to thwarting attacks on biometric security.

“The Trend Micro report raises concerns about fraudulent biometrics created through social media content,” he told TechNewsWorld. “The real secret in fraud-proof biometrics is detecting liveliness, something that cannot be recreated through images and videos collected on social media.”

One factor not enough

Even when tested for liveness, biometrics can still be very easy to bypass, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla., maintained.

“Holding the phone in front of a person’s face while sleeping can unlock the device, especially when they use it with the default settings, and collecting fingerprints is not a difficult task,” he told TechNewsWorld.

“What is even more worrying is that once the biometric factor is compromised, it cannot be changed like a password,” he said. “You can’t change your fingerprints or facial structure for a long time if you violate it.”

If the Trend Micro report shows anything, it’s that multi-factor authentication is a necessity, even if one of those factors is biometric.

“When used as a single factor for authentication, it is important to note that biometrics may be subject to failure or manipulation by a malicious user, particularly when that biometric data is publicly available on social media,” said Darren Guccione, CEO of Keeper Security, a password management and online storage company based in Chicago.

“As the capabilities of malicious actors using voice or facial biometric authentication continue to grow, it is imperative that all users implement multiple factors of authentication and use strong, unique passwords in their accounts to limit the blast radius if an authentication method is violated,” he told TechNewsWorld.

Metaverse problems

“I don’t like to put all my eggs in one basket,” said Bill Malik, Trend Micro Vice President of Infrastructure Strategies. “Biometric is nice and useful, but having an additional factor of authentication gives me more confidence.”

“For most applications, a biometric and a PIN are fine,” he told TechNewsWorld. “When a biometric is used alone, it’s really easy to create.”

He stressed that the collection of biometric data will become an even greater problem when the metaverse becomes more popular.

“When you get into the metaverse, it’s going to get worse,” he said. “You’re putting on these $1,500 glasses that are designed to not only give you a realistic view of the world, but to find out what you like and don’t like about the world you see. We are constantly monitoring your subtle expressions to find out.”

However, he is not concerned that additional biometric data is being used by digital desperados to create deepfake clones. “Hackers are lazy, and they get everything they need with simple phishing attacks,” he declared. “So they’re not going to spend a lot of money for a supercomputer so they can clone someone.”

Device-tied biometrics

Another way to secure biometric authentication is to tie it to a piece of hardware. With a biometric enrolled on a specific device, it can only be used to authenticate the user with that device.

Reed McGinley-Stempel, co-founder and CEO of Stitch, a passwordless authentication company in San Francisco, said, “This is the way Apple and Google’s biometric products work today — it’s not just the biometrics that you get when you use Face ID. Let’s check the time.”

“When you actually do a Face ID check on your iPhone, it checks that the current biometric check matches the biometric enrollment that’s stored in your device’s secure enclave,” he told TechNewsWorld.

“In this model,” he continued, “the threat of someone accessing your photos or fingerprinting yours doesn’t help them unless they have control over your physical device, which is something for attackers to climb into. There is a very steep hill for the remote nature in which the cyber attackers operate.”

Losing control of our data

The Trend Micro report states that as users, we are losing control over our data and its future uses, and the common user may not be well aware of the risks posed by the platforms we use every day.

Data from social media networks is already being used by governments and even startups to extract biometrics and create identity models for surveillance cameras, it continued.

The fact that our biometric data cannot be changed means that in the future, such a wealth of data will be increasingly useful to criminals, it added.

Whether that future is five or 20 years ahead, the data is available now, it said. We are indebted to our future selves for taking precautions today to protect ourselves in tomorrow’s world.


The Trend Micro report, Leaked Today, Exploited for Life: How Social Media Biometric Patterns Affect Your Future, is available in PDF format. No form is required to be filled out at the time of this publication.

Fake social media accounts are usually associated with bot networks, but some research released Tuesday showed that many social media users are creating fake accounts of their own for a variety of reasons.

According to a survey of 1,500 US social media users conducted by USCasinos.com, one in three US social media users have multiple accounts on the social media platforms they use. About half (48%) of people with multiple accounts have two or more additional accounts.

Reasons for creating additional accounts vary, but the most commonly cited are “sharing my thoughts without judgment” (41%) and “spying someone else’s profile” (38%).

Other motives behind creating fake accounts include “increasing my chances of winning an online contest” (13%), “increasing likes, followers and other metrics on my real account” (5%), fooling others (2.6%), and scamming others (0.4%).

When asked where they were creating their fake accounts, respondents most often named Twitter (41%), followed by Facebook (31%) and Instagram (28%). “That’s because Twitter is pretty much open by default,” said Will Duffield, a policy analyst at the Cato Institute, a Washington, DC think tank.

“Twitter power users will often have multiple accounts — one for a mass audience, other for smaller groups, one that is open by default, one that is private,” he told TechNewsWorld.

Infographic explains where US residents create fake social media accounts

Infographic Credit: USCasinos.com


Twitter prompted the research by the online casino directory site, noted study co-author Ines Ferreira. “We started this study primarily because of discussions about Elon Musk and the Twitter deal,” she told TechNewsWorld.

That deal is currently tied up in the courts and hinges on a dispute between Musk and the Twitter board over the number of fake accounts on the platform.

Gender-swapping spies

The types of fake accounts in the study, however, differ from the ones that confused Musk. “The survey tackles two completely different issues,” Duffield said.

“On the one hand, you have automated accounts – things operated by machines and often used for spamming. This is the kind of fake account that Elon Musk alleges Twitter has too much,” he told TechNewsWorld. “There are pseudonymous accounts, which are being surveyed here. They are operated by users who do not wish to use their real names.”

The survey also found that most users retained their same gender (80.9%) when creating fake accounts. The main exception to that practice, the survey noted, is when users want to spy on other accounts. Then they are in favor of creating a fake account of the opposite sex. In general, one in 10 (13.1%) of those surveyed said they used the opposite sex when creating fake accounts.

Infographic reveals how many fake social media accounts owners own

Infographic Credit: USCasinos.com


“There are a number of reasons why we don’t want everything we do online to be associated with our real name,” Duffield said. “And it doesn’t necessarily have to be cancel culture or anything like that.”

“One of the great things about the Internet is that it allows us to divulge identities without committing ourselves or trying on new individuals so that we can showcase one aspect of ourselves at a time,” he explained.

“It is absolutely normal for people to use pseudonyms online. If anything, using real names is a more contemporary expectation,” he said.

Accounts created with impunity

The study also found that most fake account creators (53.3%) prefer to keep the practice a secret from their inner circle of acquaintances. When they did mention their fake accounts, they were most likely to mention them to friends (29.9%), followed by family (9.9%) and partners (7.7%).

The researchers also found that more than half of the owners of fake accounts (53.3%) were millennials, while Gen X had an average of three fake accounts and Gen Z had an average of two.

According to the study, the creators of fake accounts do so with impunity. When asked whether their fake accounts were reported on the platforms on which they were created, 94% of the participants responded negatively.

Infographic describing platforms where fake social media accounts have been reported

Infographic Credit: USCasinos.com


“Every time these platforms release new algorithms to report these accounts, most of them never report them,” Ferreira said. “There are so many fake accounts, and you can create them so easily, it’s really hard to identify them all.”

“After Elon Musk’s deal with Twitter, these platforms are going to be thinking a little bit more about how they’re going to do it,” she said.

However, Duffield downplayed the need for users to police fake accounts. “Creating these accounts is not against the platform rules, so there is no reason for the platform to consider them a problem,” he said.

“Since these accounts are operated by real people, even though they do not have real names, they act like real people,” he continued. “They’re messaging one person at a time. They’re taking the time to type things out. They have a typical day/night cycle. They’re not sending a thousand messages to 100 different people at once at all hours of the day.”

Harmless fake?

Duffield stressed that unlike fake accounts created by bots, fake accounts created by users are less harmful to the platforms hosting them.

“There is a theory that people abuse more often when they are using a pseudonymous account or one that is not tied to their real identity, but from a sobriety perspective, banning a pseudonymous account is no different from banning a real person,” he observed.

“Facebook has had a real-name policy, although it has received a lot of criticism over the years,” he said. “I’d say it’s under-applied intentionally at this point.”

“As long as the pseudonymous account is complying with the rules, this is not a problem for the platforms,” he said.

While bot accounts do not contribute to the social media platform’s business model, fake user accounts do.

“If the pseudonymous account is being used by a real human being, they are still seeing the ad,” Duffield explained. “It’s not like a bot clicking on things without a human being involved. Regardless of the name on the account, if they’re seeing contextual ads and they’re being shown, from a platform standpoint, it’s not really a problem.”

“Activity is reflected in monthly active user statistics, which is what the platform, advertisers and potential buyers care about,” he continued. “The total number of accounts is a useless statistic because people constantly drop accounts.”

Still, Ferreira argued that any form of fake account undermines the credibility of social media platforms. “At some point,” she said, “there are going to be more fake users than real users, so they need to do something about that now.”