Biometric Spoofing Attacks and Modern Preventative Measures

As the world moves away from conventional methods of identity verification and authentication, such as passwords and PIN codes, and towards biometric security mechanisms, attempts to trick those mechanisms through what is known as biometric spoofing have also accelerated.

Unfortunately, most people are not aware of how these threats to their everyday digital existence work, or of what they can do to prevent them. Protecting yourself effectively from these tools and their malicious use ensures a safe online experience.

What does Biometric Spoofing Look Like?

A spoofing attack is when a malicious individual pretends to be or imitates someone who is authorized to access an account or system, with the goal of tricking it into allowing them access. 

For a biometric security system, which is protected using biometric markers like the individual’s face, fingerprint, and so on, the malicious individual would use some synthetic recreation of an authorized person’s biometric data to trick the system into believing that person is trying to gain access.

Different Types of Biometric Spoofing Attacks

You might be surprised at the number of different techniques that exist to defeat biometric identity verification systems. Here are some of the more common ones:

Presentation Attacks

The most common form of attack made in an attempt to trick a system is what is known as a presentation attack. In this kind of attack, the attacker ‘presents’ a fake biometric sample in front of a sensor or camera to trick it. These attacks use some digitally or synthetically generated form of input, called the spoofing tool or device, as the main tool to trick the system. This synthetic input can take a few forms:

  • 2D Images: A 2D image of the person’s face is the most basic form of spoofing tool that can be used. It is usually either a physical print-out of a high-quality, front-facing image of the person’s face, as if they were looking at the sensor, or a digital image displayed on a phone.
  • Fake Fingerprints: For fingerprint scans, this can take the form of a fake fingerprint made from silicone, gelatin, or a similar material. The fingerprint is taken from some object that the victim has used recently, like a glass or mug for example.
  • 3D Masks: The more advanced form of presentation attack uses a 3D mask of the intended victim’s face, also made using silicone or gelatin. This is the most dangerous form of presentation attack that currently exists.

Prevention

The most effective method to prevent all kinds of presentation attacks is liveness detection. This is a sophisticated piece of software that can analyze and detect whether an input presented to a camera is from a live individual present in the room or a synthetic or fake recreation.

Replay Attacks

A replay attack is where an attacker captures a recording of legitimate biometric data and replays it in front of the authentication system to get it to allow them access. With modern high-quality recording devices widely available to all individuals, this can be a surprisingly sophisticated form of attack. A replay attack usually comes in one of two different forms:

  • Voice Recording: In this kind of attack, a high-quality sample of the victim’s voice is either recorded or taken from online platforms, and then replayed in front of a voice recognition-based authentication system.
  • Video Recording: High-quality video footage of the person’s face is acquired or captured and then presented to a facial recognition-based biometric authentication system to make it think the person is there. The natural movement that comes with an actual recording of the person makes this a very sophisticated form of attack.

Prevention

Replay attacks can usually be stopped using challenge-response mechanisms, in which the system prompts the user to perform a specific, randomized action that an attacker is unlikely to have a recording of.
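The server side of such a challenge-response check, as an added example that is not taken from this article or any specific product: each challenge is random, expires quickly and can be used only once. The prompt list, the `Issuer` type and the in-memory store are assumptions, and recognising which action the user actually performed is left to the biometric stage.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical prompt set; a real system uses actions its liveness check can verify.
var actions = []string{"turn head left", "turn head right", "blink twice", "say 4-7-1"}

type challenge struct {
	action  string
	expires time.Time
}

// Issuer holds outstanding challenges in memory (assumption: single process, no concurrency).
type Issuer struct {
	ttl     time.Duration
	pending map[string]challenge
}

func NewIssuer(ttl time.Duration) *Issuer { return &Issuer{ttl, map[string]challenge{}} }

// Issue picks an unpredictable action and binds it to a random one-time ID.
func (i *Issuer) Issue(now time.Time) (id, action string) {
	n, err := rand.Int(rand.Reader, big.NewInt(int64(len(actions))))
	raw := make([]byte, 16)
	if _, err2 := rand.Read(raw); err != nil || err2 != nil {
		panic("no secure randomness available")
	}
	id, action = hex.EncodeToString(raw), actions[n.Int64()]
	i.pending[id] = challenge{action, now.Add(i.ttl)}
	return id, action
}

// Verify consumes the challenge, then checks freshness and the action the recognition stage observed.
func (i *Issuer) Verify(id, observed string, now time.Time) bool {
	c, ok := i.pending[id]
	delete(i.pending, id) // single use: the same session cannot be submitted twice
	return ok && now.Before(c.expires) && observed == c.action
}

func main() {
	iss, now := NewIssuer(10*time.Second), time.Now()
	id, action := iss.Issue(now)
	fmt.Println(action, iss.Verify(id, action, now), iss.Verify(id, action, now)) // replay is false
}
```

A short time-to-live matters as much as the randomness: it limits how long anyone has to produce matching footage after seeing the prompt.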

Database Attacks

A database attack can occur when a highly sophisticated hacking attempt is made to gain access to a database that contains the biometric records of individuals, which can be taken advantage of and used for malicious purposes. These attacks usually have one of two goals:

  • Data Manipulation: A hacker breaks into the database holding individuals’ biometric information and alters the stored biometric templates to something that the attacker can easily recreate and use to gain access.
  • Data Extraction: The hacker simply steals the biometric data/templates so that they can use them directly to trick a system into granting unauthorized access.

Prevention

The hacking of databases can be prevented using effective access control systems that restrict access and actively monitor it, as well as encryption of data both at rest and in transit.

Conclusion

Biometric spoofing attacks that attempt to trick systems during physical and online biometric verification procedures are more complex than the average user might think. But, for each kind of attack, there does exist an effective method of preventing it.
