01 Mar Biometric Spoofing and Liveness Detection
Biometric systems are used more widely now than ever before. If you’re not familiar with what a biometric security system is, then it is a method of security authentication that uses the unique characteristics of a person, such as fingerprint patterns, voice patterns, facial recognition, or the iris or retina pattern of the eye.
There are a countless number of day-to-day situations in which you might be likely to encounter such a system, from entering premises and accessing computer networks to unlocking your mobile phone and even during border and immigration service checks. The most commonly used biometric system mode is fingerprint scanning. This is because it is an incredibly secure, accurate, convenient and cost effective security system that the majority of users will be familiar with.
However, just like any technological system, biometric systems can become susceptible to attacks and breaches if the appropriate security measures aren’t put in place. We are highlighting some of the various ways biometric spoofs can be carried out to trick unsophisticated biometric readers, along with the anti-spoofing solution that ievo systems carry in order to completely counteract these vulnerabilities.
Spoofing Methods
‘Spoofing’ refers to criminally presenting artificial replications of a piece of biometric data to the biometric system in order to try and gain access.
Biometric technology is so secure because it uses data that is unique and intricately linked to the individual, meaning that only individuals registered on a system will be recognised. However, in some cases, attackers will create a faux object (such as a silicone fingerprint replica, a voice recording, a mask, etc) and attempt to replicate a person’s data to ‘fool’ a system. There are various different methods fraudsters use based on the biometric system in use; such as facial recognition, fingerprint scanning or iris recognition.
Fake Fingerprints
‘Fake fingers’ can be created using various materials; gelatine, silicone, latex and even wood glue for instance, usually done by taking an original stored fingerprint and applying it to a ‘fake finger’. The original may have been given by an individual themselves or unknowingly taken from a print left on a glass surface via an extraction method. The print will then be molded into an object to present to a biometric reader using one of the aforementioned materials. A prohibited individual would then present the fake finger to the reader to attempt access.
Photographs and Masks
This method of deception involves photographs and masks being presented to a reader to imitate an individual whose biometric data is stored and recognised. This can be done whether it is palm, vein, facial or iris recognition. Much like the fake fingerprint method, this can be done whether the individual whose biometric data is stored consents to it or not. This method is slightly less advanced than other spoofing techniques, however some biometric facial recognition technologies are still susceptible to this.
Identity Manipulation
This method refers to an image stored by a biometric system being manipulated to match a prohibited individual’s facial characteristics, using facial morphing software. Previously this kind of deception was commonplace because premises were typically manned (with access granted by a receptionist or security guard), and the human brain isn’t able to recognise features as thoroughly as a biometric system can. Today this is a highly-sophisticated spoofing method when it comes to ‘tricking’ technological systems. This can be done by either manipulating the stored image or by using professional special effects makeup to make a prohibited individual’s face look similar to that of a face that is stored within the system.
Identical Twins
Interestingly, identical twins can serve as spoofs for one another. In some cases, a facial recognition system isn’t able to distinguish between the faces of identical twins, meaning, in theory, they could use these systems interchangeably. Where this may not always necessarily pose a threat, it does mean that in certain situations, one party is able to benefit from gaining access to things they are perhaps unable to, but their twin is. Some fingerprint sensors, however, are able to discern the differences between a set of identical twins using advanced sensors to analyse the data.
Voice Playback
In voice recognition systems, a prohibited individual could simply use a recording of an authorised individual speaking. This could be done using a phone, or a laptop. Much like facial morphing software, a prohibited individual could use voice morphing software to create a transcription recognisable to the reader or retune another live human’s voice to sound like that of an individual who is recognised by the biometric system.
Anti-Spoofing Methods
As there are several methods of spoofing, there are also many methods of anti-spoofing to counteract these.
Liveness Detection
We utilise ‘liveness detection’ within our solutions as a direct anti-spoofing method. Liveness detection, also known as vitality detection on occasion, is the capability of a biometric system to be able to recognise whether the sample presented to a reader is in fact alive and legitimate. These methods not only detect whether the sample is living (i.e. real skin with blood flow), but also ensure that each reader only grants access to registered and authorised users. This means that should a spoof sample be presented to the reader, even if it is a highly accurate replica of the piece of data, access will not be granted. This level of security is heightened as each piece of fingerprint data is converted into an algorithm template and stored on our control boards, with the original piece of data (fingerprint pattern) discarded. This means that no sensitive, personal data is ever stored and would be of no use to any perpetrator if stolen.
Sophisticated Data Storage
ievo readers can accurately detect whether the sample presented is the exact, living piece of data as the data stored is a biometric algorithm of the original fingerprint, and not the print itself. This means that the stored data is simply a mathematical representation of the fingerprint and so it cannot be manipulated, replicated or stolen. Any replication of the actual fingerprint itself will not work with the reader, as the reader will only recognise the unique biometric template that is stored within the ievo Control Board. Our control boards are installed on the secure side of an entry point, so not data can be accessed outside of these premises. This means that no data is stored on the reader head itself, which adds additional security where it is needed most. Ultimately, this gives you complete peace of mind that no breach of data will result in any risk of unauthorised access.
Anti-Spoofing Challenges
Biometric technology is advancing at a very fast pace and so with it comes the heightened sophistication of spoofing methods. This means it is crucial to continually develop and deploy anti-spoofing methods. At ievo, we ensure that all of our biometric systems and readers feature the latest technology, integrating with the best software that is updated frequently to enhance security. This means that no matter what replication methods come into practice, we will always strive to counteract these immediately or even ahead of time, omitting risk from your biometric entry and authentication systems.