The worldwide spread of the COVID-19 virus has caused a dramatic change in patterns of consumer behavior. Amid growing panic and instructions to maintain social distance, the share of consumers who deliberately or involuntarily avoid physical contact with the seller is growing.
This stimulates the development of remote services, such as online ordering of products, contactless courier delivery of consumer goods, drawing up contracts for banking and insurance services, opening deposits, and receiving remote medical and legal assistance. Cash turnover in trade is also being replaced more actively by various instruments of contactless and remote payment.
For the service and product provider, such a change in consumer behavior requires restructuring its own marketing and distribution policies, which implies a more active implementation of information technologies and, in particular, of systems for remote customer identification and verification. Providing remote services that require the use of sensitive information related to personal data sets special requirements for information security. This is especially true of banking services, insurance services, real estate rental and medical services.
For example, during remote medical consultations under forced quarantine, accurate verification of the user's identity is a key requirement, since the information exchanged can include not only the data of the user's identification documents but also the medical history, test results, etc. Implementing recognition tools for identification documents alone is clearly not enough here. It is necessary to build integrated systems that can not only remotely recognize the document of a user sitting at a computer monitor and compare the user's photo with the photo on the document, but also identify signs of a fake document, as well as a possible attempt to bypass facial identification using technical means.
A typical example of an insufficiently secure remote document recognition system is the experience of financial organizations that remotely issued loans to fraudsters on the basis of copies of compromised documents. The reason is an imperfect system of remote user verification, which makes it possible to take out a loan using a passport image purchased on the darknet.
There is never too much security
Both service providers and customers have long understood that, as information technologies develop, one-factor user authentication based on the "login-password" pair is clearly not enough. Likewise, authentication based solely on identity documents or their images is not sufficient.
The leak of a "login-password" pair has become a familiar case among information security violations. The leak of identity card data, or of its image in the form of a scan or photo, is just as common. That is why services today practically never use them as the only way to verify identity: doing so poses a real threat of fairly easy unauthorized access not only to the user's personal data but also to control of his account.
One of the solutions in this situation is the simultaneous use of face recognition and document recognition technologies, with checks for signs of falsification of both the face and the document. The process here consists of two mandatory actions that the system user must take in order to be verified.
First, technical means are used to recognize the document fields containing the necessary data, to detect the presence or absence of signs of falsification, and to pick out, among the other elements that machine vision finds on the page, the user's photo (as a rule, identification documents in most countries today contain a photo of the owner).
The second necessary action is the recognition of the user's face from a photo, which establishes the full correspondence (identity) between the face in the photo in the passport or ID card and the face in the photo taken on the phone. Given the spread of such a phenomenon as deepfake, the developers of both document recognition systems and face recognition systems face increased requirements for recognizing signs of forgery.
A smartphone in the pocket versus a camera on a pole
Please note that we are talking exclusively about active face recognition technology, which is based on the user voluntarily "presenting" his own face to the camera of the scanning device. In our case, this is the end user device – a smartphone or webcam.
With passive face recognition, as used on the streets and in public places, the user often does not know at what point his face was recognized or for what purpose. Yes, of course, it is declared that passive face recognition is necessary to ensure public safety and the rule of law. But at the same time, this procedure is explicitly a restriction of freedom.
It is completely obvious to us that any technology developed today, in conditions of accelerated technological development, should be applied exclusively with the consent of the person and should serve to develop and support his rights and freedoms. This applies especially to the collection, accumulation, systematization and transfer of personal data. The decision on how his identification is carried out should be made by the user, with the possibility of an informed choice and of using alternative methods.
Active face recognition and document recognition are purely voluntary acts which, given the tightening of security requirements for remote identification and verification, are a step towards the realization of rights and freedoms. Please note that by facilitating remote access to their services during isolation, companies make them literally safer, demonstrating care for the customer and for his time, health and comfort. At the same time, the end user retains freedom of action and the right to choose.
We note that in both cases, when identifying identity cards and when recognizing faces, we are dealing with extremely sensitive data that all participants in the process would do well to protect from prying eyes.
On the part of end users, ensuring the security of their personal data is quite simple: the key rule is not to upload images of your own document and your own face when registering on unknown pages and in unknown services. On the part of the companies that act as customers for such systems, this responsibility lies in the selection of contractors for developing the programs and integrating them into their own information systems, and in ensuring the safe storage and transmission of the user data received.
For system integrators, an absolute requirement is to avoid any design in which recognition occurs on uncontrolled third-party servers and data is transmitted in unprotected form through unstable or weakly protected channels.
The same requirement is imposed on the developers: the document recognition procedure should not allow data to be transferred to third-party resources that are outside the control of the party receiving the user data.
The safest solution today is an interaction scheme in which the recognition of documents is performed completely autonomously on the user’s end device without saving and transferring document images to third-party services. Such a scheme minimizes the risks of leaks and prevents fraudsters from stealing images of documents, selling them or using them for various illegal actions.
Thus, when an automation system for interacting with customers and verifying them remotely is built competently, face recognition and document recognition act not as antagonists or interchangeable processes, but as necessary complements to each other, thanks to which the application's functionality is realized most fully.
Step to freedom or digital slavery?
In today's pandemic, when countries are moving to compulsory quarantine that applies to up to 90% of the active population, reliable and secure recognition systems, on the one hand, allow businesses to maintain interaction with their own customers and not close down entirely, and on the other, do not infringe on the freedoms of ordinary citizens already suffering from forced seclusion. It is important that such systems, unlike universal control systems, the prototype of which was described in George Orwell's famous dystopia, do not monitor citizens (either in a pandemic or outside it), do not collect data and do not transmit it without encryption over open networks.
Recognition technologies today require public readiness to use them. The introduction of poorly designed solutions and the irrational use of existing recognition capabilities threaten a real digital dictatorship. There is a huge risk that, instead of improving the quality of life and creating positive changes in socio-economic life, we get the completely opposite effect, in which technology works for the prosperity of fraudsters and keeps ordinary citizens at bay.