Users of popular applications in Russia will be able to improve the security of their accounts using biometric data. This is provided for by a new bill aimed at combating telephone and Internet fraudsters, which was submitted to the State Duma in February of this year. However, according to experts, these changes may be associated with certain risks, including the possibility of leakage of personal information.
Why Biometric Identification Is Needed in Applications
The need to use biometric authentication in applications is due to the increasing number of cases of Internet fraud, when attackers use other people's credentials to access important services, such as "Gosuslugi", online banks and other resources containing confidential information. This was announced by Konstantin Gorbunov, a leading expert on network threats and web developer at Code of Security.
In response to the introduction of two-factor authentication, fraudsters are actively coming up with new schemes and, under various pretexts, obtain one-time codes from users: some through phishing in messengers, some through spam calls, some through mass mailings. However, in the case of biometrics, the user must be directly in front of the screen for authorization.
Evgeny Yanov, head of the audit and consulting department at F6, notes that biometric data cannot be lost, like a password or PIN code, and cannot be forgotten, like a device with two-factor authentication. This makes the interaction process more convenient and potentially reduces administrative costs for verifying user information.
Experience of Implementing Biometrics in Applications Abroad
There are already many examples of the use of biometric identification in various applications around the world. One such example is the Aadhaar system in India. It uses biometric data to interact with the tax system and banks, as well as to issue SIM cards.
Another example is the e-ID system in Estonia. It is used to access most government services, such as healthcare, banks, voting and taxes. Similar systems also exist in the UAE, Brazil and other countries.
Cybersecurity expert from Angara Security, Nikolai Dolgov, notes that the most common methods of biometric identification are face, fingerprint and voice recognition. It is important to note that in most cases the technology is used voluntarily, which minimizes the risk of data leakage and better protects the rights of users.
Sergey Polunin, head of the infrastructure IT solutions protection group at Gazinformservice, added that the experience of using biometrics in various fields is ambiguous. For example, the state register of biometric data in India has been hacked more than once. In 2024, data from the country's police service, including fingerprints, signatures and face scans, was leaked online.
On the other hand, European countries are actively introducing electronic voting in elections, where biometrics is the main way to confirm identity, the expert emphasizes.
Is Biometrics Effective?
Contact information and personal data, including full name, are stored separately from encrypted biometric information, which reduces the likelihood of their leakage, according to Vitaly Fomin, head of the information security specialists group at the Digital Economy League. Even if the data ends up in the hands of attackers, they will not be able to use it.
Physiological and behavioral characteristics of a person are difficult to fake, so with the correct implementation of biometric technologies, a high level of protection can be achieved. However, it is more effective to combine this method with other identification options to ensure complete security.
At the same time, according to Vitaly Fomin, residents of Russia are wary of innovations and are in no hurry to provide biometric data, as they are aware of cases of fraud with their use. In particular, deepfake technologies are currently actively developing, which makes it difficult for ordinary users to recognize fake images and audio messages when logging in by face or voice.
Evgeny Yanov, a specialist in the field of biometric identification, explains that there are several methods that can be used to implement this technology in applications. Among them are face scanning, fingerprinting, authentication by iris and by voice.
The most common methods are face and fingerprint recognition. However, there are other options that can be used. The main thing is to ensure reliable protection against forgery and take into account the availability of devices with the necessary method for users.
Whether biometrics will effectively protect users will directly depend on the implementation and the protection measures taken. The Estonian system, for example, is built on the basis of blockchain, and biometric data is stored on smart cards. The system in India uses a centralized storage with multi-layered encryption.
Some other systems use SSI (self-sovereign identity), a storage model that ensures decentralization. At the same time, most of them do not store biometric data directly, but use tokenization. It is also important to ensure the security of data transmission in the system and follow the principle of "zero trust" when developing its architecture.
Risks from Biometric Identification
It is important that this initiative is implemented with the interests and rights of citizens in mind, and in a way that protects their privacy and identity, said Maxim Buzinov, head of the R&D laboratory of the Cyber Security Technology Center of Solar Group. According to him, machine learning algorithms capable of recognizing voices and faces will be used to collect and process the data. It is important to ensure both the security of the database itself and the accuracy of recognition, which is achieved thanks to these algorithms.
It is necessary to keep such a database regularly updated and to work on correcting false positives. And, of course, it is worth considering the risks of attacks that use digital twins generated entirely by artificial intelligence (AI).
At the same time, Evgeny Yanov believes that there is a possibility that fraudsters may move from attempts to steal data to forcing people to commit actions aimed at illegally collecting biometric data. In the event of compromise of biometric data, it will be impossible to change it, unlike a password.
Today, neural networks are able to create quite realistic images of people. And for fingerprints, a spoofing attack can be used, in which one person or program successfully masquerades as another. To protect against such an attack, it is necessary not only to check that the pattern of papillary lines matches, but also to reliably determine that the applied finger is real. This complicates the verification process.
In order to draw more accurate conclusions about the reliability of the source of information when trying to authenticate, it is necessary to take into account not only technical characteristics, but also the user's behavior. In addition, the use of biometric authentication methods requires the availability of appropriate equipment, such as a face or fingerprint scanner. This may be a problem for older people.
Earlier, Russians were warned that fraudsters had begun to use video calls to collect biometric data, including voice and facial images, in order to subsequently debit funds from bank accounts. Attackers may pose as mobile operators, offer services, conduct surveys or test the quality of communication.