In recent years, Kazakhstan has undertaken substantial measures to confront cyber fraud and bolster security through the implementation of precise biometric identification for its citizens. Familiarity with face recognition technology on the eGov website and various fintech applications has become a norm among the population, playing a pivotal role in driving the country's high level of digitalization.
Starting January 1, 2024, the government is poised to take a significant stride in fortifying security by mandating dactyloscopy (fingerprint) registration at the issuance of ID documents. This proactive measure seeks to eradicate instances of unlawful documentation, streamline document processing timelines, facilitate smoother international border crossings, and provide critical assistance in the event of lost documents abroad.
In a conversation with QazMonitor, Adlet Mukashov, Co-founder, and Andrey Shadrikov, R&D Leader at Verigram, share why governments around the world seek the adoption of new biometric verification methods. The experts discussed the biggest problems in the area and explained how such pivotal changes influence user protection and fortify the ongoing fight against fraudulent activities.
Some people consider biometric verification to be a kind of invasion of privacy. How justified is this skepticism?
Andrey: Skepticism about it is mostly justified by the fact that the data collected by companies and governments may end up in the wrong hands. So, we have stories of database leaks and so on. Still, we must realize that there is no such thing as perfect protection, but people would like to know where this data is stored, who is responsible for it, how we will be informed about possible data leaks, and what we would do if they occurred.
At the same time, people are already actively using this technology, say, to unlock the home screen on their smartphones. For instance, the iPhone has FaceID and people generally trust Apple to store this data on devices or in the cloud.
So, it's mostly a question of how much people trust vendors. It's a matter of a company’s credibility and transparency when it comes to data security, meaning how ready the company is to talk about such issues.
Adlet: I’d like to add why the face has become the most popular verification method. It's a hardware-related issue because there's a big shift going on right now. All businesses and services are going digital. People may not always have laptops and other devices, but the phone is always there. When businesses select what biometric verification method to implement, facial recognition has taken the lead because not all phones have fingerprint scanners; face has become a common standard from the convenience point as well. I agree with Andrey, there is already a question of maintaining trust in vendors and companies that provide. They need to build trust and reinforce security.
What do you think about the mandatory collection of fingerprints, which is planned to be introduced in Kazakhstan in 2024?
Andrey: When you have mass data collection, the question arises, how is it supposed to be used? That is, you can collect anything, but then what will people get in return for this collection? It could be, for example, some kind of convenience for citizens to integrate with state-provided services. Although in Kazakhstan logging in by face recognition is already there.
When it comes to fingerprints, there’s an issue of false matches and technology. Our hands are very susceptible to mechanical damage; it’s much more frequent than on our faces. It would seem that a person's face changes over time, and fingerprints should not, right? But in fact, they can change so much more, especially in the case of manual laborers who use their hands a lot. Speaking of age-related changes in face recognition tech, it is a known issue, and there are known methods of verification; for fingerprints, there hasn’t been much research yet, since the issue is not linked to aging.
Is this why more information is collected when fingerprints are taken? A scan of every finger, all four fingers, in some cases the writer's edge...
Andrey: Yes, they try to use as much information as possible to reduce the false match rate. Using more data is a universal issue; even the big foreign players like Visa and MasterCard think that they need to complicate the old format of authorization, i.e. identity confirmation in the form of SMS or email codes. All international agencies consider such methods outdated and vulnerable, and they all recommend evolving towards multi-factor authentication.
What other trends and problems can we observe globally in that regard?
Adlet: One of the big problems when introducing biometric identification as proof of identity is that you need a reference data set. For instance, at the state level, most often citizens have portrait photos taken for passports, but data such as iris, and fingerprints are not collected in all states. From our experience, when we entered the markets of Southeast Asia, we faced the problem that these states did not even have a full-fledged centralized database. That's one of the big problems and therefore one of the big limitations - irises, palms, and other things - lack of centralized information and benchmarks.
Biometric data collection is one of the latest trends at the state level. So Face IDs have been a must-have for some time, and now fingerprints are mandatory, some countries scan the iris, and someone uses voice recognition.
For example, in India, there has been a big project called Aadhaar, where fingerprints, photos and iris scans are recorded. In the future, they consider adding voice and other things. We are now seeing new standards for ID documents, where many countries have started to print out and embed a fingerprint in the document itself. So, the trend is going towards maximizing the variation of biometric data.
Does having such a centralized base allow us to ensure better user protection?
Adlet: Yes, it's a matter of infrastructure. I mean, the governments of different countries are preparing the future infrastructure. And they are trying to collect as much as possible.
What about trends in personal data leaks and fraud?
Andrey: On the security side, the biggest problem when fraudsters try to hack into systems is not how easy it is to get a face or fingerprints, but how hard it is for them to get all the other data. When you sign up on some websites, they don't just ask for a face, a fingerprint, or a last name, quite often they ask for much more user data. And that's what most of the fraud is about: if your data is leaked, most often it is leaked as a full package in the form of a database.
In addition, unfortunately, family fraud is not a rare case at all. That is when people apply for a loan on behalf of their relatives. Such fraud by people who have access to these personal data by default — there is no need for a database, as fraudsters have direct access to the person in real life, who can be asked to undergo biometrics under some pretext.
In turn, adding additional modalities is a security issue to eliminate false matches. For example, this is how they try to solve the problem of genetically similar people, such as father and son or ‘the evil twin’ problem. Speaking of the latter, it may seem that this problem is not that big but even on the scale of the population of Kazakhstan, we are talking about thousands of people. [QM - according to the National Bureau of Statistics, 8,268 twins and 151 triplets were born in Kazakhstan in 2022 alone.]
To summarize, what measures can be introduced to further secure the user? Has the biometric authentication brought any improvements in Kazakhstan?
Andrey: For example, the service provider could show on the screen what the biometrics are exactly taken for, like a message that ‘you are now undergoing biometrics for such and such a service’. Then a fraudster who has direct access to the victim will have to explain why this message appears, hence making the fraudster's life more difficult.
Adlet: Speaking of improvements, fraud existed even before biometrics, even if loans were issued ‘offline’, at the bank. There used to be a lot of stories when fraudsters found some user data and made arrangements with fraudulent bank employees. The client found out about the loan only after the fact.
In the online loan industry, after the introduction of biometric identification projects in Kazakhstan, the level of fraud in the online loan segment has decreased by seven times since 2019.