A high-profile tax fraud scheme has raised more concerns about China’s lax data security practices, especially as they relate to the country’s widespread use of facial recognition. In the scheme, a pair of fraudsters used facial images purchased on the black market to create synthetic identities and set up a shell company that issued fake tax invoices worth as much as 500 million yuan (approximately $76.2 million USD).
The fraudsters (surnames Wu and Zhou) started their operation in 2018, and have since been captured and prosecuted in Shanghai. However, the incident still highlights the many gaps in China’s facial recognition system. The technology is used throughout the country in numerous commercial and surveillance applications, but China’s data protection laws have lagged far behind the pace of technological innovation. Some databases do not have any form of encryption, and in those that do, the encryption is often not strong enough to prevent data breaches.
The result is that high-quality facial images are readily available to cybercriminals. In this particular case, the fraudsters used a basic app to manipulate the images and create deepfake videos that made it seem as if the faces were blinking, nodding, or opening their mouths. They then used a special phone (available for only 1,650 yuan) to hijack the mobile camera typically used to perform facial recognition checks. In doing so, they tricked the tax invoice system into accepting the premade deepfake videos, which were good enough to beat the liveness detection check even though no one was standing in front of the camera.
Having said that, the Chinese government is aware of the problem, and is starting to take steps to create a stronger data security environment. In December, legislators released a draft version of a new Personal Information Protection Law that would introduce much heavier fines for violators. Those fines could be as high as 50 million yuan, or up to five percent of a company’s annual revenue.
A separate law that limits the amount of personal information that mobile apps are allowed to collect will also go into effect on May 1. The legislation is at least partially a response to the growing resistance to facial recognition amongst some members of the Chinese public.
Source: South China Morning Post
April 1, 2021 – by Eric Weiss