- Monday, July 1, 2024, 06:00 (GMT+7)
The fight against fraud and impersonation will become increasingly challenging in the future. Every time attackers overcome a level of protection, we are forced to use a new weapon to stop them. And this time, we have to delve into our "biometric" arsenal.
The essence of the fight against fraud and counterfeiting is that when we draw a sword, the attacker cannot neutralize it. Immediate effectiveness is certainly possible, but maintaining long-term effectiveness requires a careful strategy.
Online scams are becoming increasingly sophisticated. The addition of biometric protection is a sign that the battle will be tough. The biometric database has multiple levels, and each time a higher level is required, it represents an "irreversible" step. And if the level continues to escalate, eventually requiring the use of genetic data, that will be the final step, leaving no other weapon in reserve if it fails.
Now, we have to use real, real-time images to verify transactions. Of course, this will require massive data repositories to store images and biometric data for matching and authentication. Naturally, these real images will be transmitted through various communication channels. What happens when these data repositories are attacked, or when transmission lines or end devices are accessed? Malicious actors will again have access to all user data. And with increasingly powerful AI tools, what will ensure that malicious actors cannot bypass this new authentication barrier?
We are collecting more and more personal data. While we are still unable to protect existing data repositories, what guarantees that we will be able to protect the massive new data repositories that have been and will be collected? More dangerously, if malicious actors access image and biometric data repositories, they could impersonate us not only for banking verification but also for many other purposes unrelated to banking. They could create a false persona of us that we cannot control, and we would be unable to prove that we are being impersonated.
The prerequisite is that citizens need to be aware of the need to demand protection for themselves, and the authorities have a responsibility to protect biometric data from falling into the wrong hands.
When banks take an irreversible step, accountability and laws are needed to protect citizens. The root cause lies in the ineffective technical measures to protect personal data, and the superficial policies for assigning responsibility for data leaks. As a result, malicious actors can easily bypass these protections and gradually neutralize the system's control.
To ensure truly effective protection, before collecting personal data, the state and banks need to make commitments and clarify the following:
- If biometric data is leaked, what is the bank's responsibility? Who, or which specific entity, will be held responsible, and what are the penalties?
- What security measures does the system have to prevent each link in the chain from accessing confidential data? The technical system needs to ensure that even if bank employees (including leaders) are manipulated, they cannot access and sell personal data.
Data security is a huge and complex issue; even the most skilled IT professionals cannot foresee every vulnerability. Imposing a July 1st deadline for implementation could force banks to use weak, untested systems, making them vulnerable to intrusion, with potentially devastating consequences. We need to be extremely cautious and conduct phased, limited testing, only widely adopting new methods when maximum security is achieved.
We also need to learn from the rest of the world. On data security, the experience of China is an immediate example. After a period of rampant data collection, they understood the seriousness of exposing personal data and have implemented clear laws to severely punish any entity that leaks data. The more important the data, the greater the responsibility. When responsibility is pushed to such a high level, no one can afford to disregard it.
All entities possessing personal data will have to seriously implement the highest level of technical protection measures. From this need, companies specializing in security assessment and implementation have developed rapidly, with many "unicorn" companies emerging, fostering a dynamic digital security economy of very high quality according to security standards carefully considered by the government.
A well-functioning system is one that provides maximum protection for citizens' personal data while collecting only the minimum amount of personal data from them.
Source: https://laodong.vn/kinh-doanh/xac-thuc-bang-du-lieu-sinh-trac-hoc-nhung-buoc-di-khong-the-dao-nguoc-1359890.ldo





