Your “face” can be bought for 50 cents

IdentitySecurityPrivacy
BiometricSecurity
Published in
6 min read, Nov 12, 2020


“If you want, you can take the whole package at 50 cents apiece, 20,000 sets in total, no bargaining,” a seller told a reporter in a WeChat voice message. He also sent two sets of screenshots showing people's faces next to their held-up ID cards.

A reporter from “Xinhua Viewpoint” recently investigated and found that some cybercriminals use e-commerce platforms to sell illegally obtained face data and other personal identity information, as well as online “photo activation” tools and tutorials. Experts warn that this facial information may be used in illegal and criminal activities such as false registrations and telecommunications network fraud.

0.5 yuan for face data, 35 yuan for modification software

A reporter from “Xinhua Viewpoint” found that on online trading platforms such as Taobao and Xianyu, searching for specific keywords turns up shops that specialize in facial data and “photo activation” tools.

On Taobao, some sellers attract buyers with code words such as “faces can be made in all regions of the country, and credibility is the first” and “sell four-piece sets of faces, you can understand them”. The reporter clicked at random into a shop selling “×× same city and face of major platforms” goods and was immediately redirected to the Xianyu interface. On the seller’s Xianyu homepage, the products on sale are data from some platforms that contains users’ face information.

On the Xianyu platform, many sellers openly sell face data. To ensure the “normal operation” of the store, sellers often encourage buyers to negotiate prices through WeChat or QQ. The reporter recently contacted one of the sellers at random, and the other party replied by voice, “Let’s chat on WeChat, if you say too much, you will be blocked,” and sent a WeChat account to the reporter.

In addition to selling face data, some “daring” Xianyu sellers also sell a “photo activation” tool. With this tool, face photos can be modified into face verification videos that perform actions such as “blink, open mouth, and nod”.

“A set of (‘photo activation’) software plus tutorial is 35 yuan, you pay directly, and I will send you the link after confirming the receipt.” A Xianyu seller negotiated with the reporter by voice in the Xianyu dialog box. After the reporter completed the payment and confirmed the receipt, the seller sent the reporter a “toolbox” with a file size of about 20GB through Baidu.com. The “toolbox” contains a virtual video flashing package, a virtual video simulator, face video modification software and other tools, as well as tutorial files on operating these tools.

After adding the reporter as a QQ friend, another seller first sent some sample photos of individuals holding their ID cards, and then showed the reporter a video demonstrating how photos modified with the tools deceived the face recognition mechanism of an online social platform.

At present, the reporter has transferred some clues found in the investigation to the relevant public security organs.

What is the resold face data used for?

“If only a person’s facial information is collected, such as when you are photographed on the road, and your other identity information has not been obtained, the risk of privacy leakage is not great,” said He Yanzhe, deputy director of the Evaluation Laboratory of the Trust Security Center of the China Electronics Standardization Institute. The problem, he said, is that the face information sold on the current online black market is not simply a “face photo”, but a set of sensitive data containing citizens’ personal identification information (including ID numbers, bank card numbers, mobile phone numbers, etc.).

A seller who resold the “face video toolbox” and claimed to “guarantee you will learn it” told reporters that anyone who learns to use the “toolbox” proficiently can not only use the facial data to help others unblock frozen WeChat and Alipay accounts, but also bypass the face recognition mechanisms of well-known marriage and dating platforms and of mobile phone card real-name authentication. The seller also sent reporters screenshots of helping some “customers” successfully unblock frozen accounts.

“From a technical point of view, it is possible to use system vulnerabilities to ‘cheat’ the facial recognition mechanism of some platforms after associating facial information with identity information,” said Dr. Jia Baozhi, a facial recognition technology expert and director of the research center at Xiamen Ruiwei Information Technology Co., Ltd. He believes that although some financial platforms require multiple authentications when transferring large amounts of money, “as virtue rises one foot, vice rises ten”: the techniques of the underground cybercrime industry are constantly updated, and account security must not be ignored.

He Yanzhe gave reporters an example: if facial information is matched with other identity information, it may be used by criminals to steal online social platform accounts or to steal property from financial accounts; if facial information is matched with whereabouts information, it may be used by criminals for precise fraud, extortion and other illegal and criminal activities.

Where do these data containing facial information and other identity information come from? Some sellers revealed to reporters that the facial information they sell comes from some online lending and recruitment platforms; as to how to obtain such information from these platforms, the other party did not answer.

Need to be alert to illegal and criminal activities using facial information

In recent years, face recognition technology has been used in many scenarios such as financial payments, community security, and government services, which not only improves convenience, but also enhances security to a certain extent through data interaction.

However, if face data is leaked or illegally obtained by criminals, it may be used for illegal and criminal activities, and you should be vigilant.

In August last year, the Shenzhen Longgang police discovered that the identity information of residents in their jurisdiction had been fraudulently used, and that criminals had fraudulently used the residents’ driver’s licenses through an online service platform to deduct points.

During the “Net Net 2020” operation, Longgang police found through multiple investigations that some criminals used AI face-changing technology to bypass the face authentication mechanisms of multiple social service platforms or systems, and provided criminal groups with black-market services such as false registration and face-scan payment. So far, Longgang police have arrested 13 suspects in Guangdong, Henan, Shandong and other places.

According to the police, in the above-mentioned cases the suspects preprocessed illegally obtained photos of citizens and then generated dynamic videos with “photo activation” software to deceive the face verification mechanism. Afterwards, using private social platform accounts purchased online, they logged in to various network service platforms to register as members or perform real-name authentication.

Face information is related to the safety of everyone’s life and property. Industry experts believe that the black industry chain that resells facial information must be severely cracked down on, and that the legislature must weigh technological development together with information security and draw the red line for the use of facial recognition technology; regulatory authorities should also resolutely stop violations that maliciously disclose other people’s face and identity information.

The Civil Code, which will be implemented next year, explicitly specifies the scope of personal information of natural persons, including biometric information. Zuo Xiaodong, vice president of the China Academy of Information Security, believes that in addition to the Civil Code, the Personal Information Protection Law and the Data Security Law that are being formulated should also make arrangements for the protection of biometric information such as human faces; legislation should give full consideration to the availability of special identification information such as human faces, and the enacted law should not be allowed to become a mere formality because it is difficult to enforce.

Wu Shenkuo, executive director of the International Center for Internet Rule of Law, Beijing Normal University, believes that online platforms are obliged to supervise transactions on the platform. They should strictly review the qualifications of sellers, monitor and record the compliance status of operators on the platform, and not allow the listing of any items that infringe on the personal and property rights of others or are prohibited by laws and regulations.

Jia Baozhi suggested that, in the process of formulating face recognition safety standards, it should be emphasized that relevant platforms store “face data and other biometric information” and “other identity information” completely in isolation, so as to avoid mass leaks in which face data is associated with identity information.

For users who have uploaded a clear hand-held ID photo, or who have uploaded a face photo and filled in ID and bank card information at the same time, experts suggest that when face verification is turned on, multiple verification methods should be selected wherever possible to reduce the risk of relying on face verification alone.
