How to combat biometric spoofing attacks
When identifying or authenticating a person, reliability is essential. Biometrics identifies people by who they are rather than by what they know, which makes it one of the safest methods. However, fraudsters never sleep and spend their time finding ways to impersonate the identities of innocent victims.
What is biometric spoofing?
From accessing a computer network to border control, biometric technology is widely used across industries. Spoofing is an attempt to circumvent the security of a biometric system. A fraudster can spoof using different materials and methods like 3D masks, fake fingerprints, or photos. The earliest biometric devices were easy to fool with a high-quality image.
Imposters use copies of certain features to mimic a person enrolled in the biometric system. It can be easy for them to obtain biometric characteristics, depending on the modality being used.
Identity manipulation, a presentation attack, requires the illegitimate traveller to wear a 3D mask or other means to deceive the automated face recognition system.
Imitation fingers can be made from silicone or latex and usually carry a fingerprint extracted from a database. The moulded print is then presented to a reader in an attempt to gain access.
According to the National Institute of Standards and Technology (NIST), face morphing is an image manipulation technique in which two or more subjects’ faces are morphed or blended to form a single face in a photograph. New morphing techniques constantly battle with new detection methods.
Fraudsters attempt to trick facial recognition systems by presenting a merged image from two or more individuals. Because of the software’s complexity, morphing is more complicated to detect than live presentation attacks.
Speaker recognition systems can be manipulated by playing a recording of an authorised individual’s voice. However, it’s not that simple, as speaker recognition combines physical and behavioural components. Voice morphing software can synthesise speech or tune a human voice so that it sounds exactly like the person approved by the system.
Passport hinge manipulation
Passport data pages include name, passport number, nationality, date and place of birth, sex, and the passport’s date of issue and expiry. The data page hinge ensures the integrity of the passport by attaching the bio page to the rest of the booklet.
Criminals can insert a fake bio page or modify the existing one by manipulating the hinge. To counter this, most passports are polycarbonate. This fused material creates a solid page with information stored in each layer, making it harder to separate. The hinge attaches to the data page with pins or using thermal welding. Tamper-evident technology like embossing, engraving or UV-prints makes any manipulation attempt visible to authorities.
Database and digital risks
The security of biometric data is vital. Biometric databases can be tampered with, or the underlying IT systems attacked. Governments and companies that implement identification or authentication technology must prevent privacy breaches and the exposure of biometric data.
Digital insider attacks
Biometric security systems can be vulnerable if a trusted administrator manipulates the system. Biometric databases store significant volumes of personally identifiable information (PII), and insider attacks could lead to a data breach or other criminal offences.
Criminals could also target biometric data while it is transmitted during the enrolment process and substitute features belonging to an imposter. If the falsified characteristics are stored on a passport or ID card, the fraudster could travel under a false identity.
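The enrolment-tampering risk above is normally countered by binding an integrity tag to the record before it leaves the enrolment station, so the issuing back end can tell whether the features it receives are the ones that were captured. The following is an added example written for this article, not code from any vendor or product; the record layout, the shared key and the sample minutiae values are all constructed assumptions.

```python
"""Integrity protection for a biometric enrolment record in transit.

Added example, not the page's or any vendor's code. The record layout,
the key and the sample template values are constructed here.
"""
import hashlib
import hmac
import json
import secrets

# Constructed shared key: in practice provisioned to the enrolment station
# and the issuing back end out of band, never sent alongside the record.
ENROLMENT_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialise deterministically so both ends compute the MAC over identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_enrolment(record: dict, key: bytes = ENROLMENT_KEY) -> dict:
    """Enrolment station: attach an HMAC-SHA256 tag over the captured record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_enrolment(envelope: dict, key: bytes = ENROLMENT_KEY) -> bool:
    """Issuing back end: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def tampered_copy(envelope: dict, imposter_template: list) -> dict:
    """Model the risk described in the text: features swapped in transit, tag left as-is."""
    forged = json.loads(json.dumps(envelope))  # deep copy of the envelope
    forged["record"]["fingerprint_template"] = imposter_template
    return forged


# Constructed sample: a minutiae-style template reduced to a few (x, y, angle) triples.
GENUINE = {
    "applicant_id": "A-0001",
    "fingerprint_template": [[12, 40, 90], [33, 71, 15], [58, 22, 170]],
}
IMPOSTER_TEMPLATE = [[10, 10, 0], [20, 20, 45], [30, 30, 90]]

if __name__ == "__main__":
    envelope = sign_enrolment(GENUINE)
    print("genuine record verifies:", verify_enrolment(envelope))
    print("tampered record verifies:", verify_enrolment(tampered_copy(envelope, IMPOSTER_TEMPLATE)))
```

A MAC only proves that the record was not altered after the station signed it; it does nothing against a compromised station or a dishonest administrator with access to the key, which is why the insider risk in the previous section needs separate controls such as dual authorisation and audit logging.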
How to beat spoofing attacks
Biometrics has become more advanced, and crafting fake fingerprints has become a lot more difficult. While biometric technology is constantly evolving, so is the sophistication of spoofing methods. Field-proven techniques such as liveness detection make biometric systems more resilient.
Presentation Attack Detection (PAD) is the method by which a biometric spoof can be detected. Implementing PAD provides a high level of security, but can be costly and complex. The ISO/IEC 30107-1 framework provides categories of attacks and explains whether PAD should be used.
Advanced anti-spoofing methods such as facial liveness detection are necessary to differentiate simulated from real. The technology determines whether the person in front of the camera is present or if a printed or digital image is shown. After collection, algorithms analyse data to verify if the source is fake or real.
Detecting liveness in a presentation is performed through active and passive methods. Active refers to an action taken by the user to confirm they are a real person, for example tilting the head, nodding or blinking. Fraudsters can still spoof the active method in a presentation attack.
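A concrete way to see what the active method does and does not buy you is to implement it as a challenge-response exchange. The verifier issues a random gesture sequence bound to a one-time nonce with a short validity window; the client must perform exactly that sequence before the window closes. A pre-recorded video or a captured earlier response fails because the nonce is single-use and the sequence is unpredictable. This is an added example written for this article, not code from any vendor; the gesture vocabulary, challenge length and time window are assumptions, and the "observed" gestures would in practice come from a face-tracking model rather than be passed in directly.

```python
"""Active (challenge-response) liveness check with replay protection.

Added example, not the page's or any vendor's code. GESTURES, CHALLENGE_LENGTH
and WINDOW_SECONDS are assumed values; the observed gesture list stands in for
the output of a face-tracking model.
"""
import secrets
import time
from typing import Callable, Dict, List, Tuple

GESTURES = ("blink", "nod", "tilt_left", "tilt_right")
CHALLENGE_LENGTH = 3
WINDOW_SECONDS = 15.0


class LivenessVerifier:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._pending: Dict[str, Tuple[List[str], float]] = {}  # nonce -> (sequence, expiry)

    def issue_challenge(self) -> dict:
        """Server side: a fresh random gesture sequence bound to a one-time nonce."""
        nonce = secrets.token_hex(16)
        sequence = [secrets.choice(GESTURES) for _ in range(CHALLENGE_LENGTH)]
        self._pending[nonce] = (sequence, self._now() + WINDOW_SECONDS)
        return {"nonce": nonce, "sequence": sequence}

    def verify(self, response: dict) -> Tuple[bool, str]:
        """Accept only an unexpired, never-used nonce whose gestures match in order."""
        entry = self._pending.pop(response.get("nonce"), None)  # pop: nonce is single-use
        if entry is None:
            return False, "unknown or already-used nonce (replayed response)"
        expected, expiry = entry
        if self._now() > expiry:
            return False, "challenge expired"
        if list(response.get("observed", [])) != expected:
            return False, "gesture sequence mismatch (pre-recorded presentation)"
        return True, "live"


def wrong_sequence(sequence: List[str]) -> List[str]:
    """Build a sequence that is guaranteed to differ from the challenge in its first step."""
    other = next(g for g in GESTURES if g != sequence[0])
    return [other] + list(sequence[1:])


if __name__ == "__main__":
    verifier = LivenessVerifier()
    challenge = verifier.issue_challenge()
    # Constructed: the face tracker reports exactly the requested gestures.
    genuine = {"nonce": challenge["nonce"], "observed": challenge["sequence"]}
    print(verifier.verify(genuine))   # first use: accepted
    print(verifier.verify(genuine))   # same response again: rejected as a replay
```

The randomised challenge defeats replayed recordings, which is the main thing active liveness adds over a static image check. It does not, on its own, stop an attacker who is physically present and performs the gestures while wearing a mask; that case is what the passive, material-based checks in the following paragraphs are for.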
Skin distortion analysis differentiates a real finger from a fake one. Real skin turns pale when pressed against a surface. During the check, the user might be asked to move the finger on the scanner to amplify the distortion.
Static methods detect unnatural features or a lack of detail in fake fingerprints. Natural skin has pores and is uneven. Online users can be verified through an image that is checked against multiple characteristics. Once all liveness checks pass, access is granted or the requested action proceeds.
Artificial Intelligence (AI) makes biometric systems more resilient. AI models can be trained to distinguish fake from real and help liveness detection algorithms recognise forged materials more accurately.
According to research, humans have far more difficulty identifying biometric spoofing attacks than machines do. ID R&D’s study quizzed people and machines by presenting falsified printed photos, videos, digital images, and 3D masks. Computers were more accurate and faster in identifying mimicking attempts. Humans classified 18 per cent of real faces as spoofs, while the AI system incorrectly classified only 1 per cent.
When identifying or authenticating a person, reliability is essential. In biometrics, false positives and negatives are unavoidable, because biometric systems are based on algorithms and no measurement can be a hundred per cent accurate, particularly when used on its own. Combining several biometric identifiers adds another layer of security and granularity. Multimodal biometric systems usually require two biometric credentials, such as iris scans and fingerprints. It is difficult to spoof a fingerprint, but falsifying fingerprints and iris in the same attempt is nearly impossible. Adding this additional layer of security requires multiple steps from the user to get authenticated, but it shouldn’t cause inconvenience: looking into a camera and placing a finger on a scanner can be performed simultaneously.
Biometric Two-Factor Authentication
Two-Factor Authentication (2FA) is one of the most widely used methods to prevent online fraud. The user verifies their identity through an additional method, usually very different from the primary one. Combining a password with biometric characteristics such as facial or gesture recognition gives much stronger assurance that the person granted access to the system is the legitimate user.
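The multimodal rule from the previous section and the password-plus-biometric 2FA described here can be expressed as one decision function. Each biometric modality must clear its own threshold and a weighted fusion of the scores must clear a higher bar, so a single spoofed modality with a high score cannot carry the decision on its own; the password is a separate factor that is checked independently. This is an added example for this article, not code from any vendor or product: the thresholds, fusion weights, PBKDF2 parameters and sample match scores are constructed assumptions, and real match scores would come from the fingerprint and iris matchers.

```python
"""Two-factor decision: password plus multimodal biometric fusion.

Added example, not the page's or any vendor's code. THRESHOLDS, WEIGHTS,
FUSED_THRESHOLD, PBKDF2_ROUNDS and the sample scores are constructed
assumptions; real matchers supply the per-modality similarity scores.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Per-modality acceptance thresholds and fusion weights (assumed values, 0..1 scores).
THRESHOLDS = {"fingerprint": 0.70, "iris": 0.75}
WEIGHTS = {"fingerprint": 0.4, "iris": 0.6}
FUSED_THRESHOLD = 0.80
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2-HMAC-SHA256 digest rather than the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def biometric_decision(scores: Dict[str, float]) -> Tuple[bool, float]:
    """Multimodal rule: every modality clears its own threshold AND the weighted
    fusion clears FUSED_THRESHOLD. Returns (accepted, fused_score)."""
    for modality, threshold in THRESHOLDS.items():
        if scores.get(modality, 0.0) < threshold:
            return False, 0.0          # one weak modality vetoes the whole decision
    fused = sum(WEIGHTS[m] * scores[m] for m in WEIGHTS)
    return fused >= FUSED_THRESHOLD, fused


def authenticate(password: str, scores: Dict[str, float],
                 salt: bytes, digest: bytes) -> Tuple[bool, str]:
    """Both factors must pass. The reason string is for the audit log; a user-facing
    message should stay generic so it does not reveal which factor failed."""
    password_ok = check_password(password, salt, digest)
    biometric_ok, fused = biometric_decision(scores)   # evaluated regardless of the password
    if not password_ok:
        return False, "password rejected"
    if not biometric_ok:
        return False, f"biometric rejected (fused score {fused:.2f})"
    return True, f"accepted (fused score {fused:.2f})"


# Constructed credential and sample matcher outputs.
SALT, DIGEST = hash_password("correct horse battery staple")
GENUINE_SCORES = {"fingerprint": 0.88, "iris": 0.91}          # both modalities strong
SPOOFED_FINGER_ONLY = {"fingerprint": 0.95, "iris": 0.30}     # good fake finger, no iris match
BORDERLINE_SCORES = {"fingerprint": 0.72, "iris": 0.76}       # each passes alone, fusion too weak

if __name__ == "__main__":
    print(authenticate("correct horse battery staple", GENUINE_SCORES, SALT, DIGEST))
    print(authenticate("correct horse battery staple", SPOOFED_FINGER_ONLY, SALT, DIGEST))
    print(authenticate("wrong password", GENUINE_SCORES, SALT, DIGEST))
    print(biometric_decision(BORDERLINE_SCORES))
```

The per-modality veto is what encodes the article's point that forging a fingerprint and an iris in the same attempt is far harder than forging one of them; the fused threshold additionally catches the case where each modality only just scrapes past its own bar. Threshold and weight values are a policy choice and should be set from measured false accept and false reject rates, not copied from this example.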
Our secure solutions
All biometric systems are vulnerable to some degree. Security is always at the forefront of our solutions. We continuously assess the capabilities of our products, analysing risks and the motivations of potential attackers. However, fraud detection must not compromise the user experience. Organisations that have digital security as their main priority should continuously assess this fine balance.