Alipay responds to mobile phone black market: facial recognition has not been broken


An article recently attracted attention and heated discussion. It was written by an information security expert from his own experience. The author, Lao Luotuo, said that after a family member's mobile phone was stolen, he was drawn into a battle of wits with a professional, sophisticated criminal gang that used stolen personal information to take funds from other people's bank accounts. The article mentioned many companies, including China Telecom, Huawei, Alipay, Meituan and Suning Finance, and prompted vigilance and discussion about property security.

In response, the relevant department of Alipay said in a circle-of-friends post that members of Alipay's "Non-Attack" security laboratory had contacted Lao Luotuo as soon as possible and learned about the situation. The response stated that the black industry described in the article did not get any money or information from Alipay, and that Alipay promises to pay full compensation for stolen funds, including those stolen because of a lost mobile phone.

In addition, personnel from the relevant department of Alipay said in their response that the adversary in the widely read article was indeed a high-level black industry operation, but that it was stopped by Alipay's risk control when it tried to change the payment password. It could not check the bank card number or receive payments, so it registered a new account, but the new account could not use the money in the original account.

"However, his two inferences do not match the actual situation. In this case: 1. The black industry did not break through facial recognition: the ability to register a new account was achieved on common devices through identity information and SMS verification codes obtained through other channels. 2. The black industry did not obtain the bank card number by quickly binding the card, but by entering the user's bank card number + the SMS verification code of the reserved mobile phone to bind the card. The card number was obtained by the black industry through other channels."

The response also stated that the article not only served as a reminder to users but also helped Alipay further optimize its risk control. It also suggested that everyone set a separate password (PIN) for the SIM card, which can, to a certain extent, prevent the black industry from receiving verification codes.

According to Lao Luotuo, after the incident several of the payment companies involved actively contacted him: Meituan's loan record was eliminated, and Suning Finance compensated losses of several thousand.

Later, when referring to the bypass of Alipay’s facial recognition, the author said, “When designing its business, Alipay did not require facial verification for sub-accounts created and logged in on the original mobile phone when the various elements of identity information were matched during real-name authentication and verified by risk control rules to be consistent with the main account. This was also verified by several engineers in our office this afternoon when they conducted a technical review of my stolen credit card incident. The bypass of facial recognition did indeed wrongly blame them, which also explains why criminals need to unlock stolen phones to log in to Alipay, presumably to avoid triggering Alipay’s risk control rules.” (Xuemei)

The following is the original response from the Alipay team:

The students from Alipay's "Fei Gong" Security Laboratory contacted Lao Luotuo as soon as possible. Based on the account, we restored the Alipay-related situation and explained it to everyone.

Let me first state the conclusion:

1. The black industry did not get any money or information from Alipay;

2. Don’t worry, Alipay promises to pay full compensation for stolen funds, including those caused by lost mobile phones.

After reading the long article, I found that the opponent is indeed a high-level black industry. Lao Luotuo is also very good, and the analysis is very detailed. When the black industry changed the payment password, it was blocked by Alipay risk control. It could not check the bank card number, nor could it receive or pay, so it registered a new account, but the new account could not use the money in the original account.

However, he has two inferences that do not match the actual situation. In this case:

1. The black industry has not made a breakthrough in facial recognition: the ability to register a new account is achieved on common devices through identity information and SMS verification codes already obtained through other channels.

2. The black industry does not obtain the bank card number by quickly binding the card, but by entering the user's bank card number + the SMS verification code reserved on the mobile phone to bind the card. The card number is obtained by the black industry through other channels.

I am very grateful for Lao Luotuo's record, which not only reminds users, but also allows us to further optimize our risk control. I hope that Lao Luotuo's losses on other platforms can be recovered as soon as possible.

It is recommended that you set a password for the SIM card separately, which can prevent the black industry from receiving the verification code to a certain extent. In addition, if you have any problems using Alipay, you can call our customer service at 95188 at any time.
