How to combat biometric spoofing attacks

When identifying or authenticating a person, reliability is essential. Biometrics helps establish people based on who they are rather than what they know, making it one of the safest methods. However, fraudsters never sleep and can find ways to impersonate.

What is biometric spoofing?

From accessing a computer network to border control, biometric technology is widely used across industries. Spoofing is an attempt to circumvent the security of a biometric system. A fraudster can spoof using different materials and methods like 3D masks, fake fingerprints, or photos. The earliest biometric devices were easy to mock with a high-quality image.

Presentation attack

Imposters use artefacts to mimic a person enrolled in the biometric system. With assistance, it can be simple to obtain biometric characteristics, depending on the modality being used.

Masks

Identity manipulation, a presentation attack, requires the illegitimate traveller to wear a 3D mask or other means to deceive the automated face recognition system.

Fake fingerprints

Imitation fingers can be made from silicone or latex and usually has a fingerprint extracted from a database. The moulded print is presented to a reader to attempt access.

Morphing

According to the National Institute of Standards and Technology (NIST), face morphing is an image manipulation technique in which two or more subjects’ faces are morphed or blended to form a single face in a photograph. New morphing techniques constantly battle with new detection methods. 

Fraudsters attempt to trick facial recognition systems by presenting a merged image from two or more individuals. Because of the software’s complexity, morphing is more complicated to detect than live presentation attacks. 

Speaker recognition systems can be manipulated by playing a recording of an authorised individual. However, it is not that simple as speaker recognition combines physical and behavioural components. Voice morphing software creates a transcription or tunes a human’s voice to make it sound exactly like the person approved by the system. 

Passport hinge manipulation

Passport data pages include name, passport number, nationality, date and place of birth, sex, and the passport’s date of issue and expiry. The data page hinge ensures the integrity of the passport by attaching the bio page to the rest of the booklet. Criminals could insert a fake bio page or modify the existing one by manipulating the hinge. To counter this, most passports are polycarbonate. This fused material creates a solid page with information stored in each layer, making it harder to separate. The hinge attaches to the data page with pins or using thermal welding. Tamper-evident technology like embossing, engraving or UV-prints makes any manipulation attempt visible to authorities.

Database and digital risks

The security of biometric data is vital. Biometric databases can be subject to intervention, or the underlying IT systems suffer attacks. Governments and companies should prevent privacy breaches or exposure of biometric data while implementing identification or authentication technology.

Digital insider attacks

Biometric security systems can be vulnerable if a trusted administrator attacks this system. Biometric databases store significant volumes of Personally identifiable information (PII), and insider attacks could lead to a data breach or other criminal offence. 

Enrolment spoofing

Criminals could have their eye on biometric data in transmission during the enrolment process to include certain features of an imposter. If the falsified characteristics are stored on a passport or ID card, the attacker could travel under a false identity.

How to beat spoofing attacks

Biometrics has become more advanced and crafting fake fingerprints has become considerably more difficult. Biometric technology is evolving, but so is the sophistication of spoofing methods. Field-proven techniques such as liveness detection make biometric systems more resilient. 

Spoofing detection

Presentation Attack Detection (PAD) is the method by which a biometric spoof can be detected.  
Implementing PAD provides a high level of security but can be costly and complex. The ISO/IEC 30107-1 framework provides categories of attacks and explains whether PAD should be used.

Liveness detection

Advanced anti-spoofing methods such as facial liveness detection are necessary to differentiate simulated from real. The technology determines whether the person in front of the camera is present or if a printed or digital image is shown. After collection, algorithms analyse data to verify if the source is fake or real. 

Detecting liveness in a presentation is performed through dynamic and passive methods. Active refers to the action taken by the user to confirm they are a real person. For example, tilt the head, nod or blink. Fraudsters can spoof the active method in a presentation attack. 

Skin distortion analysis differentiates a real finger from a fake one. The skin turns pale when pressed against a surface. During the investigation, the user might be asked to move the finger on the scanner to amplify the distortion. 

Static methods detect unnatural features or lack of details in fake fingerprints. Natural skin has pores and is uneven. Verifying online users can be performed through an image checked on multiple characteristics. Ticking the liveness boxes results in access or action. 

AI technology

Artificial Intelligence (AI) make biometric systems resilient. AI models can be trained to detect fake from real and help liveness detection algorithms more accurately recognise forged materials. 
According to research, humans have far more difficulty identifying biometric spoofing attacks. ID R&D’s study quizzed people and machines by presenting falsified printed photos, videos, digital images, and 3D masks. Computers were more accurate and faster in identifying mimicking attempts. Humans classified 18 per cent of real faces as spoofs, while the AI system incorrectly classified only 1 per cent.

Multimodal biometrics

When identifying or authenticating a person, reliability is essential. In biometrics, false positives and negatives are unavoidable. Biometric systems are based on algorithms. No measurement can be a hundred per cent accurate, primarily when used on its own. Combining several biometric identifiers adds another layer of security and granularity. Multimodal biometric systems usually require two biometric credentials, such as iris scans and fingerprints. It is difficult to spoof a fingerprint but falsifying fingerprints and iris in the same attempt is nearly impossible. Adding this additional layer of security requires multiple steps from the user to get authenticated but shouldn’t cause inconvenience. Looking into a camera and placing a finger on a scanner can be performed simultaneously.

Biometric Two-Factor Authentication

Two-Factor Authentication (2FA) is one of the most used methods to prevent online fraud. The user verifies their identity by an additional method, usually very different to the primary one. The combination of a password and biometric characteristics like facial or gesture recognition ensures the user is granted access to the system.

Our secure solutions

All biometric systems are vulnerable. Security is always at the forefront of our solutions. We continuously assess the capabilities of our products and analyse the motivations of potential attackers and risks. However, fraud detection must not compromise the user experience. We and our strategic partners continuously assess this fine balance, who have digital security as their main priority.