Identity verification using facial recognition is widely adopted in China, as the technology has become an integral part of apps from mobile payments and travel to retail, as well as surveillance systems and online platforms for government services.
That development, however, has made cybersecurity a major issue in the world’s second-largest economy, where a group of tax scammers has been caught hacking a government-run facial recognition system to fake tax invoices and make millions of yuan in the process, according to a report by the Xinhua Daily Telegraph.
Invoices issued by the State Taxation Administration are used to track payments and help crack down on tax evasion.
Prosecutors in Shanghai said a criminal group duped that platform’s identity verification system by using manipulated personal information and high-definition photographs, which were bought from an online black market, so its registered shell company can issue fake tax invoices to clients, according to the report published on Tuesday.
The Shanghai People’s Procuratorate in the city’s Hongkou District indicated that the fake tax invoices issued by the criminal group were valued at 500 million yuan (S$102.6 million), the report said.
A notice posted on the Shanghai prosecutors’ official WeChat account from January this year said that a duo surnamed Wu and Zhou were prosecuted for the crime. It said the duo had been operating since 2018.
The suspects duped the government-run platform’s facial recognition system by manipulating the illegally obtained high-definition photos with an app to create a video, making it seem like the faces were nodding, shaking, blinking and opening their mouths.
“After obtaining the videos, we used a special mobile phone to hijack its camera,” an unnamed suspect was quoted saying in the report. “During the facial authentication process, the mobile camera would not start and the system would receive the pre-made video. The system accepted that I was in front of the camera, so I passed the certification.”
The case reflects how China continues to grapple with data privacy concerns amid a thriving underground trade of personal information .
Without a law dedicated to protecting personal information and the lack of clear guidelines, China’s enforcement agencies have struggled to keep up with an increasingly skilled industrial chain of insiders and data brokers .
The Xinhua Daily Telegraph investigation found that the cost of hacking facial recognition systems for illegal gain is low. Image-manipulation apps – including Huo Zhaopian, Fangsong Huanlian and Ni Wo Dang Nian, also known as Remini Photo Enhancer – are readily available for download, while the special mobile phones used to hijack cameras can be bought for 1,650 yuan.
Online services to crack facial recognition are also available, with prices ranging from 30 to 250 yuan. These services can tackle facial recognitions systems – biometric computer applications that identify a person based on a database of digital images – used on a range of apps and government platforms.
The situation reinforces China’s reputation as one of the worst countries at protecting biometric data . Many of China’s 1.4 billion population are already online, but the country is known for lax controls over the collection, storage and use of individual digital data.
In response to privacy concerns, Beijing has stepped up to rein in the collection and use of personal data by mobile apps. A new regulation on necessary personal information for common types of mobile internet applications will take effect on May 1.
It also covers the basic functions and services for 39 app categories, including messaging, online shopping, payments, ride hailing, short video, live stream and mobile games.
Regulators are also sharpening their focus on the use of deepfake technology. Deepfakes refer to manipulated videos, or other digital representations produced by sophisticated artificial intelligence, that yield fabricated images and audio that appear to be real.
The government has also issued a draft legislation, the Personal Information Protection Law, aimed at preventing private data leaks and abuses. It proposes to impose fines of up to 50 million yuan, or 5 per cent of a company’s annual revenue, for such offences.
This article was first published in South China Morning Post.