Selfie-authentication for large transactions puts users at risk of fraud, experts say

(Image credit: Mateus Campos Felipe / Unsplash)

The trend of selfie verification has gained serious traction in recent years, however security experts have warned this method can easily be abused and service providers should be extra careful with it.

In the past half a decade, banks, fintech organizations, and similar, have increasingly started verifying people’s identities through selfie images. Customers are asked to take a selfie photo, sometimes holding an identification document in their hands. This method aims to mimic what customers would be asked to do at the counter.

Although it looks good on the surface, this approach is far from perfect and comes with risks that need to be addressed. Speaking to The Register, multiple security experts, and market analysts, discussed the practice and identified three major pain points - KYC and AML woes, securing and disposing of image data, and potential data breaches.

Liveness check

Oftentimes, different countries and jurisdictions will have different laws and regulations regarding Know Your Customer (KYC) and Anti-Money Laundering (AML) practices. This, together with the fact that such laws are frequently changed and updated, leads to a “gap in arbitrage”.

Furthermore, many organizations requiring their customers to verify their identities outsource the requirements to a third party. These partners sometimes don’t handle the sensitive data properly, and sometimes don’t even discard the images after the verification is complete. That leads to the third problem - data breaches.

Sensitive data, such as people’s selfies, is very attractive for cybercriminals. They can use it in various ways, from selling it on the dark web, to conducting advanced phishing and identity theft attacks themselves.

To tackle the threat, organizations have started asking customers to take selfies while holding a piece of paper with a unique message on it. While this helps, it is still not perfect, since the message on the paper can be edited.

An even better solution would be a “liveness check” - where customers are asked to provide a video of their face, with different facial expressions, or a head turn. Some liveness checks even search for signs of blood flow underneath the skin.

More from TechRadar Pro

Establishing the pathway to an effective digital identity system
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.