Monday, July 1, 2024 06:00 (GMT+7)
The fight against fraud and counterfeiting will only get tougher in the future. Every time an attacker breaches a level of protection, we are forced to use a new weapon to stop them. And this time we have to dig into our “biometric” arsenal.
The essence of the fight against fraud and counterfeiting is that when we draw a magic sword, the attacker must not be able to neutralize it. The measure will certainly be effective at first, but sustaining that effect over the long term requires a careful strategy.
Online fraud is becoming more sophisticated. Adding biometrics to the protection is a sign that the battle will be fierce. There will be many levels in the biometric database, and each time we have to use a higher level it is an “irreversible” step. If the level is escalated gradually, using genetic data will be the final step, and if you lose there, you will have no other weapons.
Now, we have to use real-time images to confirm transactions. Of course, there will need to be a huge database to store images and biometric data for comparison and authentication. Of course, real images will be transmitted through information channels. What will happen when these data stores are attacked, or when the transmission lines or terminals are accessed? The bad guys will have all the user data again. And with increasingly powerful AI tools, what will ensure that the bad guys cannot overcome the new authentication wall?
We are collecting more and more personal data. While we cannot protect our old data, how can we ensure that we can protect the new, massive data that has been and will be collected? Even more dangerous, if bad guys access our image and biometric data, they can impersonate us not only for bank authentication but also for many other purposes unrelated to banking. They can create a fake world of who we are that we cannot control, and we cannot prove that we are being impersonated.
The first thing is that people need to be aware that they should demand protection for themselves, and that management agencies are responsible for protecting biometric data so that it does not fall into the wrong hands.
When banks take an irreversible step, there must be accountability and laws to protect people. The root of the problem is that the technical measures to protect personal data are ineffective and the policies assigning responsibility for data disclosure are too superficial. Therefore, bad guys can easily bypass the protection steps and gradually disable the system's control.
To truly protect, before collecting personal data, the state and banks need to commit and clarify:
- If biometric data is leaked, what is the bank's responsibility? Who or which specific unit will be responsible, and what are the sanctions?
- What security measures does the system have to ensure that each link cannot access confidential data? The technical system must ensure that even if bank employees (including managers) are manipulated, they still cannot access and sell personal data.
Data security is a huge and difficult issue; even the most talented IT people cannot foresee all the vulnerabilities. Imposing a deadline of July 1st could force banks to use weak, untested systems that are easily penetrated by bad guys, and the consequences would be dire. We need to be very careful and test new methods in limited steps, so that they are widely applied only when maximum security is achieved.
We also need to learn from the world. In terms of data security, we can look at China's experience. After a period of widespread data collection, they have understood the seriousness of revealing personal data and have clear laws to deal extremely strictly with all units that reveal data. The more important the data, the higher the responsibility. When the responsibility is pushed to a very high level, no one can ignore it.
All entities that own personal data will have to seriously implement technical protection measures at the highest level. From that need, companies specializing in security assessment and the implementation of security measures have developed strongly, and many "unicorn" companies have been opened, promoting a dynamic digital security economy of very high quality, according to security standards carefully considered by the state.
A well-functioning system is one that maximizes protection of people's personal data, while collecting only a minimum of people's personal data.
Source: https://laodong.vn/kinh-doanh/xac-thuc-bang-du-lieu-sinh-trac-hoc-nhung-buoc-di-khong-the-dao-nguoc-1359890.ldo