Bypassing biometric authentication, transferring over 10 million VND using still photos

TH (according to VnExpress) July 3, 2024 22:05

Testing of some banking apps in Vietnam shows that their biometric authentication systems can be fooled by static photos presented in place of the user's real face.

Biometric authentication system fooled by a still photo instead of the user's real face

From July 1, online money transfers of VND10 million or more, or over VND20 million per day, require biometric authentication. This is to limit the risk of users losing a lot of money if their accounts fall into the hands of others.

To test the effectiveness, some people tried taking a portrait photo and scanning it with banking and e-wallet applications instead of scanning their faces directly. "I used 3 bank accounts and 2 e-wallets to test. Two wallets immediately reported an error, not accepting the photo when authenticating my face. Meanwhile, with three banking applications, only one detected the problem, the other two applications were fooled by the photo, allowing normal transfers of over 10 million VND," said Binh Minh, a technical staff member at a company in Ho Chi Minh City.

According to Mr. Minh, the photo scanning process was very fast, whereas when he authenticated with his real face, the system reported an error and he had to try 3-4 times to succeed.

A representative of an e-wallet said that before the State Bank's regulation took effect, the platform had invested resources to plan for cases of being "overtaken", including by photos. "The distinction must be based on complex machine learning and AI, not simply comparing similarities between two images," this person said.

A source from a biometric solutions provider for banks said that in the early stages, heavy traffic overloaded the image database, causing some banking applications to have problems when making large-value money transfers or to encounter errors in detecting photo fraud.

After receiving feedback, the banks that were "tricked" by the photos said they quickly updated their systems and, by this afternoon, no longer accepted data from photos.

A bank executive said their facial authentication system was built according to international standards such as ISO 27000. The increased traffic to collect faces in recent days led to a temporary impact on authentication. The unit has handled the problem, ensuring that all transactions are biometrically authenticated using customers' faces.

According to Mr. Huynh Tuan Kiet, CTO of a financial startup in Ho Chi Minh City, many banks have to use biometric solutions from third parties. Authentication is divided into many levels, from comparing photos from the database and photos of people when making transactions to determining whether the image has been impersonated or not. Meanwhile, complex solutions such as detecting still images, animated images, living entities, and deepfake images take a lot of resources and time.

"In the early stages, the number of transactions may have been too high, leading to overload. The bank's system had to balance the smoothness of the transaction with security efficiency. Some technologies such as static, dynamic or Active image verification, or Liveness Detection were temporarily disabled. After receiving feedback, the feature was re-enabled. That's why in the morning, using photos to trick the authentication system was successful, but in the afternoon, it was disabled," Mr. Kiet explained.
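
An added example, not code from any bank or vendor mentioned in the article: a transfer gate that fails closed when the liveness check is unavailable, so that overload produces rejected transfers rather than accepted photos. The function names, the `BiometricResult` type and the exact threshold boundary handling are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds as stated in the article (VND); boundary handling is an assumption.
PER_TRANSFER_VND = 10_000_000   # "VND10 million or more" per transfer
PER_DAY_VND = 20_000_000        # "over VND20 million per day", cumulative


@dataclass
class BiometricResult:
    face_match: bool                 # selfie matches the enrolled face
    liveness_passed: Optional[bool]  # None = check disabled, timed out or overloaded


def needs_biometric(amount: int, sent_today: int) -> bool:
    """True when this transfer crosses either threshold."""
    return amount >= PER_TRANSFER_VND or sent_today + amount > PER_DAY_VND


def authorize(amount: int, sent_today: int,
              bio: Optional[BiometricResult]) -> tuple[bool, str]:
    """Return (allowed, reason). Any missing biometric signal denies the transfer."""
    if amount <= 0:
        return False, "invalid amount"
    if not needs_biometric(amount, sent_today):
        return True, "below biometric thresholds"
    if bio is None:
        return False, "biometric check required but not performed"
    if not bio.face_match:
        return False, "face does not match enrolled image"
    if bio.liveness_passed is None:
        # Fail closed: a face match alone is exactly what a still photo satisfies.
        return False, "liveness check unavailable"
    if not bio.liveness_passed:
        return False, "liveness check failed"
    return True, "face match and liveness passed"
```

With this ordering, shedding load by switching off liveness detection can only reduce availability for large transfers; it cannot turn a matching photo into an approved transaction.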
