Can videos uploaded on social media allow hackers to steal your biometric data?

A new report raises concerns over malicious actors stealing people's biometric data from their social media videos.
By Giulia Carbonaro

A make-up tutorial, an honest product review, a clip showing off your latest dream holiday: this is the kind of content that features daily on our social media feeds and profiles, to the point that we often scroll through with little to no interest.

But other, ill-intentioned people might be paying more attention to the way our faces are showing up on social media.

A recent report by Trend Micro, a cybersecurity firm, found that there’s a significant risk that videos published on social media might expose sensitive biometric data that malicious actors could steal, especially when these clips are very high-quality and focused on our eyes.

On TikTok alone, there are nearly 10 million posts that use the hashtag #EyeMakeup, offering priceless resources to those willing to learn how to upgrade their makeup skills.

But Trend Micro researchers warn that these same videos are exposing the users’ face, retina, and iris patterns - precious information that can be used to access our data and devices.

“By publicly sharing certain kinds of content on social media, we give malicious actors the opportunity to source our biometrics,” the report reads.

“By posting our voice messages, we expose voice patterns. By posting photo and video content, we expose our faces, retina, iris, ear shape patterns, and in some cases, palms and fingerprints.

“Since such data could be publicly available, we have limited control over its distribution,” it adds. “We, therefore, don’t know who has already accessed the data, nor do we know for how long the data will be retained or for what purposes”.

How does biometrics technology work?

“Biometrics technology automates the recognition of individuals based on their physical or behavioural traits,” Luca Rognoni, Chief Security Officer & Co-Founder of YEO Messaging, told Euronews Next.

“These traits can include fingerprints, facial features, iris patterns, or voice. Biometric systems use sensors to capture this information and algorithms to convert it into a digital template called biometric data. Biometric data is then stored and used in a compare-like process to recognise the individual”.

Biometric systems are generally considered more secure than traditional password-based systems, as they are much harder to spoof or hack.

“However, no system is perfect, and there have been some high-profile cases of biometric data being compromised,” said Rognoni.

If you think biometrics systems are only a matter of Apple’s Face ID, think twice: biometrics technologies are used for passing through automated border controls, unlocking bank accounts and withdrawing cash from ATMs, and paying for all kinds of goods.

Do videos posted on social media present a risk?

“The simple answer is, yes, there is a risk that biometric data could be stolen from videos posted on social media,” said Rognoni.

“Everything is possible in the world of cybersecurity. Could I obtain a high-resolution of a person’s face or a close-up picture of their iris from an online video? Yes, this is highly probable if the quality of the video was sufficient,” Keiron Shepherd, Security Solution Architect for North & West Europe at cybersecurity firm F5, told Euronews Next.

“There has been evidence in the past of high-resolution photographs being used to create dummy eyes or even 3D printing faces to successfully bypass biometric tests,” Shepherd said.

“These can work on simple systems, but the data needed to bypass biometric systems is getting smarter. For example, face scanning will also look for human motion, depth, shadowing, and skin tones, plus other data points will be used in conjunction with biometrics”.

The biggest problem with biometrics, Shepherd added, is that if this data is hacked, there is no way of replacing it with something safer, as you would do with a traditional password.

“We see billions of user login details and password combinations leaked every year. The major difference here is that if you detect that your email and/or password has been breached, you then have the opportunity to reset your password, blocking hackers from making use of your exposed data to authenticate to other websites that you are registered with. With biometric authentication methods, these are more challenging to reset,” he said.

Morgan Wright, Chief Security Advisor at cybersecurity company SentinelOne, told Euronews Next that he thinks the risk to the general user community is relative but could increase in the future as the cameras on our devices continue to improve.

“Right now, I would estimate it is a low risk to compromise the iris biometric based on the steps necessary to capture the data. However, that is based on today. As cameras become more advanced and algorithms sophisticated, it would be possible to capture enough data to replicate a human iris,” he said.

Facial recognition and its use to create deepfakes, on the other hand, are already a significant risk, according to Wright.

“This is much harder to prevent,” he said, “more and more resources are available to create authentic photographs that fool facial recognition countermeasures”.

Though it’s possible for hackers to use a captured image or video of the face of a subject or a copied and reproduced fingerprint to access their accounts, “biometric systems today implement attack defences that involve algorithms and sensors capable of determining if a physical trait is being captured from a living individual present at the point of capture,” Rognoni explained.

These kinds of solutions - called “presentation attack defences” - are “rapidly evolving and have already reached a high level of mitigation against several presentation attacks like liveness attack,” said Rognoni.

How do cybersecurity experts fend off attacks on biometrics protections?

There are a few things cybersecurity experts can do to fend off attacks on biometrics protections.

First, “they can keep up with the latest security threats and develop countermeasures accordingly,” said Rognoni.

Second, “they can conduct regular audits of biometric systems to ensure they are secure,” he added.

Finally, experts can implement appropriate security controls to securely manage users' biometric data during the entire data life cycle.

Having a double-authentication system in place, in cases like this, is of extreme importance to prevent hackers from accessing your accounts.

“To maintain security and data privacy, organisations must increasingly adopt digital processes requiring unspoofable digital identities to defeat these sophisticated attacks,” David Mahdi, CSO & CISO Advisor at Sectigo, told Euronews Next.

“While theft of biometrics and deepfakes are very difficult things to combat, the best, proven way to establish digital trust is a system that confirms the identities of participants using unbreakable cryptographic techniques,” he said.

“This is accomplished with public key infrastructure (PKI)-based digital certificates. Digital identity policies centred around PKI provide a fundamentally more usable and more secure authentication model”.

The fact that there’s a potential risk of your biometric data being stolen doesn’t mean you should stop showing your face on social media. There are some basic steps you can take, however, to make sure your identity is safe online.

“Be aware of your background before taking selfies: that includes computer screens that could be displaying sensitive information,” Wright said.

“When doing videos or public talks, if you believe you are a high profile target, be aware of anyone in close proximity with advanced photography equipment. Don’t expose your fingers directly towards the camera, as the high res cameras might be able to capture their unique pattern”.

Though concerns over the theft of our biometric data might seem a little too paranoid considering the current risk of such a scenario taking place is relatively low, this is an actual threat that is extremely likely to materialise in the future.

“Whether that future is five or 20 years ahead, the data is available now. We owe it to our future selves to take precautions today to protect ourselves in the world of tomorrow,” the Trend Micro report concluded.