Is the two-pot retirement system safe from rising cyber threats?

The implementation of the two-pot retirement system has sparked both excitement and concern as it grants broader access to retirement funds for millions of citizens. However, this shift raises a critical question: is the system secure enough to protect against large-scale identity theft and fraudulent manipulation?

In a pre-recorded presentation for the 2024 EBnet Evolutionaries Conference, Murray Collyer, the chief operating officer of iiDENTIFii, emphasised the need for experts, policymakers, and the general public to collaborate on measures that safeguard this new access and prevent potential exploitation.

iiDENTIFii, which specialises in biometric authentication, provides enterprise-grade identity verification software used by 60% of the top five banks in South Africa. During his talk, “Innovation at the speed of fraud”, Collyer highlighted the alarming pace at which fraudsters are evolving, and the global implications of such rapid innovation.

To illustrate how quickly things can go wrong, Collyer referenced the “Golden Laundromat” syndicate uncovered in neighbouring Zimbabwe in 2023. This sophisticated money-laundering operation moved millions of dollars out of the country through shell companies and illicit transactions. The syndicate exploited Zimbabwe’s financial systems, using the black-market exchange rate to convert legal funds into illegal ones. It involved local and international actors across sectors such as banking, real estate, and business.

“This was exposed by the Al Jazeera Investigation Unit, and it went into just how quickly opportunity in a poorest country could lead to criminal syndicates and criminality exposing it, laundering and moving money across multiple countries and continents. And the big challenge here is less than 1% of this money is recovered now,” Collyer said.

He added that South Africa must be vigilant to prevent similar syndicates from targeting the two-pot retirement system.

“What we need to do is make sure that we are staying ahead of the game when it comes to technology and security, to ensure that you and only you have access to sensitive areas of your life.”

Threats on a global stage

Collyer also discussed the evolving threats in a biometric landscape, where biometric data such as faces and fingerprints are used to securely authenticate individuals.

He noted that threats do not stay in one place but migrate globally. “What starts in North America will find its way to Europe and down to South Africa, and vice versa. So, we need to understand that we’re competing against threats on a global stage, and we need to stay one step ahead,” he said. “Criminalities move fast, and innovation is the biggest threat to any form of technology.”

In face biometrics, there are three forms or groups of attacks: presentation attacks, digital injection attacks, and generative AI attacks. Presentation attacks involve print, screen, or 3D objects – “the old way of doing things”.

“So that’s like a mask [you] put over your face or a screen. They are very basic forms. In this world, we’ve got a lot of data, we’ve got a lot of research, and most biometric solutions, which we colloquially term liveness solutions – because it proves that you are alive, and you are who you are at that point in time – can defend against those.”

He says the truly challenging ones are the latter two.

Collyer explains that in a digital injection attack, a would-be criminal gains access to your smartphone or computer, where malware waits for you to transact.

“When it identifies a secure, high kind of risk transaction, aka, you’re opening your banking app, you’re logging into your pension fund, it will start a process of creating a virtual camera. It will start recording what you are doing, and it will sit there waiting to gain information that it can use and present back at a later stage.”

The malware then takes the recording of you passing your liveness check and your biometric validation, stores it, and does this at scale across many individuals. At a later stage it presents that information back to the system, pretending to be you.

“Ultimately, this is what’s very worrying, because a single person can create a grand attack across thousands of individuals, and in South Africa, if just 10 000 accounts across the two-pot system are compromised and the maximum withdrawal limit taken out of R30 000, that means a R300 million payday is waiting, and this money might not even be noticed that it’s gone.”

Generative AI attacks involve creating a synthesized identity, such as a deepfake or a fabricated face, that is overlaid onto a real face. This technique allows an attacker to overlay their own or another individual’s face with the target’s face and present the altered output to a system. A hacker with malicious intent could use their live image, combine it with a target’s face, and potentially gain unauthorised access to their financial resources – be it in a bank account, a retirement fund, or any other secure platform.

According to Collyer, face swap attacks are the fastest-growing method of attack. This attack vector grew by 704% when comparing H1 with H2 of 2023.

“That is significant, considering that this is such a simple attack to do. Software is available. You can throw in swap face into Google today, and you can see paid-for software that’s available in the public domain.”

Biometric protection against rising cyber threats

Collyer highlights the critical need for South Africans to adopt secure identity protection methods to safeguard sensitive aspects of their lives, including bank accounts, retirement funds, and credit card or digital profile transactions.

“What South Africans need to do is they need to start demanding that they use a secure means,” Collyer states. “Because in today’s age with the prevalence of phishing and vishing attacks, we know that the only thing that is secure is your identity. And if you start requesting that institutes make use of your identity to ensure that you, and only you, can access said secure app, then you can start forcing protection.”

He points out that if every individual demands these measures, it will secure the entire market, with biometric providers collectively enhancing protection. However, it is equally crucial to ensure the technology deployed is robust enough to combat emerging security threats.

“The role of identity is simple,” Collyer explains. “If we can protect ourselves at that moment, then we can also help protect South Africa. Because if every individual is protected and every individual is known, then we know that criminalities can’t operate in South Africa, and those criminal syndicates will move on elsewhere.”

He warns of potential risks to systems like the two-pot system, noting, “We do not want them to try and target our two-pot system, because I am certain they already tried to phish and vish you. They’ve already got your PIN, your password, and your email address, and they’re already going to start impersonating.”

Collyer underscores the importance of appropriate liveness detection and tailored biometric security solutions. “If we can protect the entire ecosystem, we will ultimately benefit individually, because with less risk, things will become cheaper and more efficient. And ultimately, we want to protect our livelihoods and that of our fellow South Africans.”

For long-term security, he advocates for a comprehensive online authentication method that integrates safety, speed, convenience, and trust in a user-friendly and robust process.

“And once we crack that code, South Africa will be a significantly stronger place. Would-be criminals will be less eager to transact in South Africa, and ultimately, we will all benefit significantly.”