Masks, Animated Pictures, Deepfakes…—Learn How Fraudsters Can Bypass Your Facial Biometrics

The highlights

1. The two methods of fooling face verification: spoofing and bypassing
2. Method 1: Spoofing
3. Method 2: Bypassing
4. Tips on choosing hacker-resistant liveness

From phishing to deepfakes, identity theft is threatening businesses like never before. In 2019, one US company reportedly lost 10 million dollars after scammers made an audio deepfake of the CEO requesting a money transfer.

One of the latest trends in identity fraud prevention is called ‘liveness,’ also known as ‘facial biometrics identification.’ It allows businesses to ensure that the real holder of a document is present during verification. Many companies are switching from ID and selfie checks to liveness detection in pursuit of more reliable onboarding processes.

However, different liveness solutions provide varying levels of security. Some of them only protect against simple kinds of fraud, like tricksters wearing paper masks; while others can handle cunning hacks such as man-in-the-middle attacks.

At Sumsub, we’ve spent years testing out the various liveness technologies on the market. Today, we want to share with you how tricksters bypass liveness and provide insights into choosing the best identity fraud protection.

The two methods of fooling face verification: spoofing and bypassing

When it comes to fooling facial biometrics, the oldest trick in the book is to wear a mask. Indeed, fraudsters use silicone masks, printed photographs of other people, or even life-size mannequins to get onboarded or hack into accounts. This kind of fraud is known as ‘face spoofing.’

The second method of tricking liveness is a bit more advanced. It involves fraudsters hacking into cameras and injecting pre-recorded videos or hacking the server itself and editing uploaded biometric data. This method is referred to as bypassing.

See Sumsub’s liveness detection in action. Get a demo today.

Method 1: Spoofing

Chinese scholars recently discovered that Face ID, Apple’s facial verification system, can be easily hacked by placing glasses—with two black dots taped in the middle—on the face of a sleeping device owner. Such a trick unlocks Apple devices since Face ID cannot thoroughly scan the eyes of a person wearing glasses. This is one of the simplest spoofing techniques out there. Now let’s take a look at some more complex methods.

How fraudsters use pictures to spoof liveness

In the era of social media, fraudsters can obtain almost anyone’s picture and use it to fool face verification. Therefore, if a liveness technology does not analyze the depth of an image, fraudsters can simply use social media images to hack devices and accounts.

This is indeed the case with the Samsung Galaxy S10’s face recognition system—which can be easily tricked by using someone’s photo on a screen.

Fraudsters can also use a similar method to gain access to people’s bank accounts, among other sensitive information.

Using video to fool liveness

In our industry, conventional wisdom states that if a liveness system asks users to make movements like winking or blinking, it becomes impossible to trick the system.

Unfortunately, these movements can be recorded in advance, and some liveness systems fail to recognize these pre-recorded videos, as is the case with the USAA Bank.

Face spoofing with masks

Fraudsters can spoof liveness systems by using a wide range of props, from paper masks to life-size mannequins.

There are silicone masks so realistic that it is impossible to detect when a fraudster wears one. Criminals in fact used this loophole to impersonate the French Defense Minister and were able to steal $90 million. They did this by phoning heads-of-states, wealthy businessmen and large charities via Skype and claiming that they needed money to save people kidnapped by terrorists.

Silicone masks can work if liveness technologies do not scan skin texture, blood flow, and the other characteristics of a real face.

Suggested video: ‘Human face or hyper-realistic mask? Can you tell the difference?’ by the University of York

Using deepfakes to trick liveness

In 2018, a video in which Barack Obama called Donald Trump certain names went viral. The video was so realistic that many actually believed it. However, in reality, this was a deepfake.

Deepfakes are videos or audios that have been created using artificial intelligence. If initially deepfakes were used to cause harm to famous persons or just have a laugh with a friend, the evolution of this technology has led to companies being frightened that deepfakes could threaten their businesses.

Suggested video: Deepfakes: Is This Video Even Real? | NYT Opinion

Fraudsters are increasingly using deepfake technology to impersonate CEOs and steal money from corporations. In 2019, the Wall Street Journal reported that criminals had used AI-based software to deepfake the voice of a UK CEO and stole $243,000 USD.

Deepfake technology can also be used to spoof or bypass liveness. Since everyone can create a deepfake at little to no cost, as there are many free deepfake generators, fraudsters can easily face-swap with the individual they want to hack and gain access to their account.

Method 2: Bypassing

Bypassing liveness does not involve impersonation. Instead, fraudsters hack the liveness system itself by swapping-in or editing biometric data.

Every liveness technology contains three weak points that hackers can target:

Fraudsters can take over a phone camera and inject a pre-recorded video or deepfake. Data transmitted over the internet can also be intercepted if it is not encrypted properly, and a server can be hacked.

Let’s see how we can protect ourselves from spoofing and bypassing.

Want to implement face verification that provides the best security? Try out Sumsub’s liveness detection solution.

Tips on choosing hacker-resistant liveness

When selecting a liveness solution, businesses should ensure that it protects against both spoofing and bypassing. Based on our experience of testing liveness solutions, we’ve gained insights into choosing the most secure option.

Above all, liveness solutions should differentiate between real faces and artificial objects, like a mask or a screen. To do so, the solution must analyze parameters such as:

• Image depth;
• Eye reflections;
• Skin texture;
• Blood flow.

But how can you tell if a solution actually has the technology to examine these parameters? The only way to find out is by testing the solution. Here is how:

• Present a static image to the system;
• Try to pass the verification with your eyes closed;
• Use a face-spoofing prop, such as a mask, a deepfake, or a video.

A reliable technology should detect any of these fraudulent attempts.

It is also vital to ask the liveness solution provider about the data encryption mechanisms that they employ. Their solution must provide state-of-the-art encryption that withstands invasions like replay or man-in-the-middle attacks.

In essence, testing out a liveness technology by employing various spoofing and bypassing methods will ensure that you choose the most reliable option.

Looking for liveness detection and identity verification solutions? ‘Prooface’ keeps the perfect balance between maintaining high conversion rates and preventing fraud. Test it as many times as you like and see for yourself.