Why fingerprint and facial biometrics are easy targets for fraudsters
This is a guest post by André Ferraz, founder and CEO of Incognia.
When Apple introduced TouchID fingerprint recognition on the iPhone back in 2013, followed by the addition of FaceID facial recognition in 2017, it was the first time these biometric technologies became mainstream. While fingerprint and facial recognition technology had been around long before these product introductions, this was the first time they were made accessible for everyday use.
Fast forward to 2020, barely seven years after that initial launch. The use of biometrics has almost become commonplace, and likewise, the limitations and vulnerabilities of these technologies are coming to the forefront.
Even in the movies, when biometrics are used for secure access to a vault or building, they are routinely shown to be compromised, with the villain applying a fake fingerprint, mask or contact lens to fool the biometric system. The reality is that while fingerprints, faces and handprints can uniquely identify us, we only have one set of these biometrics, so once copied or stolen they are no longer a unique identifier. In 2019, more than 27 million biometric records stored in the BioStar2 platform were exposed. Like other stolen credentials, biometric information finds its way onto the Dark Web, where it is put up for sale to fraudsters and cyber criminals. Unlike passwords and email addresses, which can be changed if compromised, stolen biometric data cannot be changed by the individual.
It is the static nature of biometric information that is its biggest weakness and makes it a ripe target for fraudsters. Facial recognition systems have incorporated liveness detectors in an attempt to prevent people from using stolen images for authentication. Unfortunately, deepfake technology has now been shown to successfully create dynamic video images that easily fool facial recognition systems. A study by Switzerland’s Idiap Research Institute showed that 95% of deepfakes remained undetected by facial recognition technology.
The reality that fingerprint and facial recognition systems are vulnerable to stolen or faked biometric information has led to a growing interest in the use of behavioral biometrics. The dynamic nature of behavioral biometrics offers the opportunity to stay one step ahead of the fraudster.
Behavioral biometrics track the unique behavior of users. On the web, these behaviors include typing speed and mouse movements, whereas on mobile there are additional signals, such as gait and the unique way each of us moves, and location, the strongest behavior signal of all on mobile. The unique location behavior for each user is extremely difficult to predict, mimic or forge. While GPS has previously been used to assess approximate location behavior, today’s location technologies make use of a combination of network signals and on-device sensors to more precisely identify location points. Location behavioral biometrics can pinpoint a user’s location to within seven feet inside or outside a building. With this level of precision, it is possible to create a unique, dynamic location fingerprint for each user that can be used to identify fraudulent behavior silently in the background.
The value of location behavioral biometrics begins at new account creation. Typically, for financial or mobile commerce applications, it is necessary to provide your home address among other key pieces of information. Location behavioral biometrics can determine whether the user is currently at the stated home address or whether the user has previously visited this address to evaluate whether the user’s behavior remains consistent. Whenever a user needs to authenticate using location behavioral biometrics, it is possible to verify whether the current location matches the user’s location behavior history. Based on the results, a risk score is provided that can either streamline the UX for trusted users or result in additional authentication steps required for users whose behavior is anomalous.
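The two checks described above (the stated-address check at account creation and the history match at authentication) can be sketched as follows. This is an added example, not Incognia's code or algorithm; the match radius, visit count, weights, step-up threshold and all coordinates are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

MATCH_RADIUS_M = 30.0  # assumed "same place" radius, not a figure from the article
MIN_VISITS = 5         # assumed visits needed before a place counts as fully familiar
STEP_UP_AT = 0.3       # assumed risk threshold for extra authentication

@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    hour: int  # local hour of day, 0-23

def distance_m(a: Fix, b: Fix) -> float:
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(h))

def address_check(stated_home: Fix, history: list, current: Fix) -> str:
    """Onboarding: is the user at the stated address now, or seen there before?"""
    if distance_m(stated_home, current) <= MATCH_RADIUS_M:
        return "present"
    if any(distance_m(stated_home, f) <= MATCH_RADIUS_M for f in history):
        return "visited"
    return "unverified"

def location_risk(history: list, current: Fix) -> float:
    """0.0 = matches location history, 1.0 = never seen near this place."""
    near = [f for f in history if distance_m(f, current) <= MATCH_RADIUS_M]
    if not near:
        return 1.0
    place = min(1.0, len(near) / MIN_VISITS)
    def hour_gap(a, b):  # circular difference on a 24-hour clock
        d = abs(a - b) % 24
        return min(d, 24 - d)
    usual_time = sum(hour_gap(f.hour, current.hour) <= 2 for f in near) / len(near)
    return 1.0 - place * (0.6 + 0.4 * usual_time)

def decide(history: list, current: Fix) -> str:
    return "step_up" if location_risk(history, current) >= STEP_UP_AT else "streamlined"

# Constructed sample history: six fixes at "home", four at "work".
HOME, WORK = (37.77490, -122.41940), (37.78980, -122.40100)
HISTORY = [Fix(*HOME, h) for h in (21, 22, 23, 0, 6, 7)] + \
          [Fix(*WORK, h) for h in (9, 11, 14, 16)]

if __name__ == "__main__":
    for now in (Fix(*HOME, 22), Fix(*WORK, 3), Fix(40.71280, -74.00600, 22)):
        print(now, round(location_risk(HISTORY, now), 2), decide(HISTORY, now))
```

A familiar place at an unusual hour still raises the score, which is why the office at 3 a.m. triggers a step-up while home at 10 p.m. does not.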
Behavioral biometrics is not the friend of fraudsters since it is extremely difficult to mimic or fake a user’s behavior. Particularly in terms of location, the fraudster would have to be in the same physical location as the user at all times of the day, and the user would surely notice the extra person sitting in their living room.
The idea of using the unique characteristics of each person, such as their biometrics, for authentication is compelling, in that the user simply needs to behave as themselves. While fingerprints, faces and handprints are easy targets for fraudsters, behavioral biometrics goes a step beyond traditional biometrics by being not only unique to each user but, more importantly, dynamic and constantly changing.
About the author
André Ferraz is founder and CEO of Incognia, a private identity company offering a location-based behavioral biometrics platform for mobile fraud detection and anonymized location insights.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.
The author is embarrassingly behind on the state of face biometrics technology.