
Unveiling Presentation Attacks: Strategies for Safeguarding Identity Authentication Systems

Methods for recognizing deception in identity verification, using real-time facial and document authentication techniques.


In the digital age, identity verification has become a crucial aspect of modern life, particularly in financial institutions. However, advancements in technology have also given rise to new threats, such as presentation attacks that aim to deceive biometric or identity verification systems.

These attacks can be broadly categorized into several types, each with real-world examples illustrating their potential impact.

Image and Video Spoofing: Fraudsters use high-resolution photos or recorded videos to bypass facial recognition systems. A notable example is the use of recorded video deepfakes in a video call to impersonate executives, leading to a fraudulent transfer of $25 million.

3D Mask Attacks (Physical Spoofing): Attackers use realistic physical masks made of silicone or other materials to spoof facial recognition sensors. Despite being primitive, such masks have historically fooled major biometric systems.

Deepfake and Synthetic Media Attacks: These involve digitally created or manipulated facial images or videos, such as full-face synthesis, face swaps, and attribute manipulation. These attacks target both biometric systems and human operators.

Digital Injection Attacks: Forged biometric data or malicious code is directly injected into a system’s biometric data stream to override or manipulate outputs.

Spoofing Using Stolen Images from Social Media: Online images of individuals can be easily accessed and used to counterfeit identity verification processes.

Evasion Attacks: Instead of impersonation, these attacks involve altering or damaging one’s own biometric traits to avoid recognition by the system.

Circumventing Liveness Detection Attacks: Attackers may attempt to bypass liveness detection, which requires live user interaction, by using prerecorded videos or sophisticated playback attacks.
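
An added example, not code from the original article: a server-side check showing why prerecorded video fails an active liveness test when every session receives a random, single-use, time-limited action challenge. The action names, the 30-second window, and the `observed` sequence (assumed to be produced by a separate video-analysis component) are assumptions made for illustration.

```python
import secrets
import time

ACTIONS = ("blink", "turn_left", "turn_right", "smile", "nod")  # constructed action set
CHALLENGE_LEN = 3   # a fixed clip matches a fresh challenge by chance 1 in 5**3
TTL_SECONDS = 30    # assumed validity window for one challenge


class LivenessChallenger:
    """Issues random, single-use, short-lived action challenges."""

    def __init__(self):
        self._pending = {}  # nonce -> (expected actions, issue time)

    def issue(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        actions = tuple(secrets.choice(ACTIONS) for _ in range(CHALLENGE_LEN))
        self._pending[nonce] = (actions, now)
        return nonce, actions

    def verify(self, nonce, observed, now=None):
        # `observed`: actions a hypothetical video analyser extracted from the capture.
        now = time.time() if now is None else now
        entry = self._pending.pop(nonce, None)  # consumed on first attempt, pass or fail
        if entry is None:
            return "reject: unknown or reused challenge"
        actions, issued_at = entry
        if now - issued_at > TTL_SECONDS:
            return "reject: challenge expired"
        if tuple(observed) != actions:
            return "reject: actions do not match challenge"
        return "accept"


def demo():
    server = LivenessChallenger()
    n1, a1 = server.issue(now=1000.0)
    live = server.verify(n1, a1, now=1005.0)    # live user performs the requested actions
    replay = server.verify(n1, a1, now=1010.0)  # same capture replayed on a used challenge
    n2, a2 = server.issue(now=2000.0)
    # Constructed old recording: its first action differs from what this session asked for.
    clip = (next(a for a in ACTIONS if a != a2[0]),) + a2[1:]
    stale = server.verify(n2, clip, now=2005.0)
    n3, a3 = server.issue(now=3000.0)
    late = server.verify(n3, a3, now=3000.0 + TTL_SECONDS + 1)  # answer arrives too late
    return live, replay, stale, late
```

Because a fixed recording can still match a short challenge by chance, a check like this is normally combined with passive spoof detection rather than used alone.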

On the document side, fraud includes Basic Evidence Falsification, Evidence Theft, and the creation of Synthetic Identities. These are addressed by processes built on multiple Identity Assurance Levels (IAL), where more rigorous validation and stronger verification minimize risk at the higher assurance levels.

The wide availability of inexpensive 3D printing devices has made the creation of physical disguises easier. Financial institutions must adopt cutting-edge solutions capable of counteracting these sophisticated presentation attacks and other forms of fraud to stay ahead of these evolving threats.


Businesses in the finance sector must invest in advanced cybersecurity measures to combat presentation attacks that exploit technology, such as deepfake videos and 3D masks, which pose a threat to identity verification systems, as exemplified by instances like the $25 million fraudulent transfer using deepfake videos.

As advances in technology facilitate numerous methods of fraud, financial institutions should employ multi-level identity assurance (IAL) processes to ensure the authenticity of customers' digital identities, mitigating risks from document fraud, including Basic Evidence Falsification, Evidence Theft, and the creation of Synthetic Identities.
