Yoti reveal new patent for tech that protects business and users against injection attacks during identity verification
New UK patent application counters potential security loopholes in browser injection attacks during identity verification
London, UK – 14th January 2022: Global digital identity provider Yoti has today announced a new patent application for a SICAP (Secure Image Capture) product, which prevents browser-based injection attacks that can otherwise occur during the identity verification process on websites.
One of the most commonly carried out hacks on IT systems, an ‘injection attack’ is where a hacker injects their code into an IT system when it’s trying to send or receive data. This code may allow them to harvest users’ data or it may allow them to send incorrect data into the system. These types of attacks are a growing issue of concern and businesses need to have the best possible safeguards in place.
Affecting digital identity / identity verification
During the identity verification process, companies can request that Yoti conduct a face match, a process that matches the person uploading the document to the document itself. At this point a competent hacker could attempt to inject an alternative image to the one taken by the device’s camera and send that through to the business.
Paco Garcia, CTO at Yoti said: “Injection attacks are very difficult to detect or prevent and as a result no-one knows (or is willing to reveal) how much of an issue this is. What we do know is that it is for this very reason, some governments or regulators now insist on additional layers of remote verification in highly regulated environments.”
Avoiding injection attacks
Typically, businesses use obfuscation techniques to avoid injection attacks – a process by which they make the data incredibly hard to understand, either by encrypting the data, by removing revealing bits of metadata, or by adding in a bit of meaningless code to ‘confuse’ the would-be hacker. However, this is not foolproof and can be reverse engineered (unpicked) by the most determined of hackers. Obfuscation techniques simply buy extra time.
Yoti has developed a new way of adding additional security when sending images and other sensitive information to businesses using its services on web applications.
As well as obfuscating the code, Yoti adds a cryptographic signature key to the code. This means a would-be hacker needs both to reverse engineer the obfuscation and to infer or guess the cryptographic signature key.
Furthermore, Yoti regularly change the obfuscation and the associated signature key. This means that if the hacker were to reverse engineer the obfuscated code, by the time they have done so, the signature key will have changed – and vice versa – making it almost impossible for the hacker to succeed.
Notes to Editors
- Yoti is a digital identity company that allows organisations to verify identities and trusted credentials online and in person.
Yoti’s products span identity verification, age verification, document eSigning, access management, and authentication.
- In the UK, Yoti is partnered with Post Office to accelerate digital identity adoption with a national footprint spanning 10,500 Post Office branches, online and more.
- Over 11 million people have downloaded the free Yoti app globally. Yoti is available in English, Spanish, French, German, Portuguese and Polish.
- Yoti is certified to ISO/IEC 27001:2013 for ID Verification Services and is ISAE 3000 (SOC 2) Type 2 certified for its technical and organisational security processes.
For Yoti: email@example.com