Taking selfies has become a common method among apps for verifying a user’s identity, from dating apps like Tinder to banking apps like CIMB Bank. Selfie verification is even part of the Philippine SIM card registration process. Security experts, however, are warning of the potential risks and abuse associated with this approach.
In a conversation with The Register, security experts and market analysts such as Akif Khan from the US tech research firm Gartner and Katie Mitchell of wealth consultancy firm New World Advisors identified some major issues with selfie authentication. These include inconsistent know-your-customer (KYC) and anti-money-laundering processes, improper image data handling, and the threat of data breaches.
While obtaining a selfie for KYC purposes is legitimate, regulations on the process vary between countries and are frequently updated, which creates global inconsistencies. In some cases, the lack of regulation is also a problem. In addition, many organizations outsource identity verification to third parties, who may mishandle sensitive data or fail to dispose of images properly after verification.
Selfie data can be lucrative for cybercriminals, who can sell it on the dark web or use it for phishing and identity theft attacks. To combat this, many organizations implement liveness checks. A good example is requiring customers to provide a video with different facial expressions or head movements. Advanced checks can even detect signs of blood flow under the skin.
The experts believe selfie-based verification will evolve to a point where static image-based tricks found on the dark web will become ineffective. Still, they warn that nothing is foolproof.