Security of Russia's biometric data system questioned

By bne IntelliNews September 22, 2021

Experts have questioned the security of Russia's united biometric system (UBS) that aims to become a major identification tool for banks and other financial institutions.

The system may not be able to protect users' personal data in light of the arrival of sophisticated tech for photo, video and voice faking, according to some participants in the International Bank Forum, which was recently held in Sochi.

In contrast with the Central Bank of Russia's (CBR) assurances of the system's security, experts say that hackers are likely to be able to steal anyone's identity within a year or two, regardless of the use of biometric ID systems.

UBS is a joint project by the CBR and major telco operator Rostelecom aimed at collecting citizens' biometric data and using it to identify users of financial services. As of 2021, all Russian banks were supposed to adopt UBS. In late May, the system had about 200,000 users, but it hasn't yet been actively used.

Speaking at the banking forum, Natalia Kasperskaya, chair of the board of the association of software developers Local Soft, said that the use of biometry could lead to security issues, as data could be leaked internally, even if it is protected from outside hacks.

According to Kasperskaya, Deepfake technologies are getting more and more sophisticated, enabling hackers to fake a person's photo, video and voice, and there is no protection from that. Therefore, she urged, authentication systems based on biometric data should be avoided.

Vadim Uvarov, head of the information security department at the CBR, insisted that so far, no major incidents involving Deepfake technology have been detected in UBS.

However, an anonymous source at a major Russian bank was quoted by Kommersant daily as saying that the system has hardly been used yet, as customers don't understand how to use it.

According to the Russian regulator, UBS is sufficiently protected from various possible threats, including Deepfake, and biometric data is stored separately from all other personal data, facilitating an extra level of protection.

But experts are still sceptical. Yevgeny Tsarev, head of RTM Group, told the Sochi banking forum that as soon as biometric data begins to be actively used, hackers will be able to find a way to break into the system.

"Fakes of that kind could be used for blackmailing, attacks involving social engineering and other malicious goals," he said, adding that technology is developing rapidly, and hackers are likely to be able to create biometric samples identical to those stored in UBS in the near future. Tsarev predicted that within a year or two, hackers would be able to steal identities based on biometric data by running a transaction on a victim's behalf.

Other experts are less categorical, but they still warn against the use of biometric identification.

Alexander Bulatov, commercial director of uSIEM, said that to steal someone's identity, a hacker needs to get access to a potential victim's smartphone, which in ordinary situations wouldn't be worth the trouble. However, hackers could specifically target individuals who they know have large amounts of money in their bank accounts, and such customers should rather avoid using biometric identification.

Finally, regardless of the security of the biometric data system, there are other potential ways to attack banks and customers.

"A hacker could attack a bank's infrastructure and submit a fake invoice in the final stage of a payment's processing, when biometric identification has already been passed," says Dmitry Kuznetsov, methodology and standardisation director at Positive Technologies.

Or, he concludes, a fraudster could just call a customer, impersonating a bank's security officer and talking them into transferring funds to a "reserve" account.
