Digital injection 6x more frequent than biometric presentation attacks
Biometrics can help secure ID checks for remote environments, but only if injection attacks can be mitigated, according to iProov CEO Andrew Bud, who spoke Friday at the Trust Services Forum/CA Day in Berlin, Germany.
Bud highlighted that the European Union’s digital wallet must be user-centric because security and ease of enrollment are critical for the adoption and use of wallet services.
“The old concept of a trade-off doesn’t work anymore,” Bud says, “and we can see the tremendous economic benefits to be gained if we do this right.”
To deliver the best security for digital identities, he says, biometrics should be considered a top priority. These technologies can defend against three threats.
The first is that the person is not who they claim to be. This can be solved using mobile face-matching algorithms, which Bud claims are now “orders of magnitude more effective than necessary in these sorts of environments.”
Second, he says, are presentation attacks, particularly those relying on rubber masks crafted ad-hoc to spoof face biometric systems. The third threat is digital injection attacks such as deepfakes.
“Only if these three threats are mitigated can one reliably use automated biometric verification as part of a [digital] identification process.”
Bud adds that on-device verification, as opposed to running a matching algorithm in the cloud, invites attackers to conceal both their identity and the method of their attack, as shown by threat intelligence the company has gathered through its Security Operations Center.
Once these methods are compromised, it is impossible to know how and when the compromise happened. Furthermore, once attackers find an effective method of breaking such biometric systems, they often sell it on the dark web, making the whole infrastructure relying on that system a security risk.
“The whole self-reliance on the whole digital identity community and the eIDAS community on online video identification today represents a real and present hazard, a threat to the security of the [community].”
Bud says his company has noticed a sharp increase in digital injection attacks, which are now six times the number of presentation attacks against biometric systems.
To protect against these dangers, Bud recommends not relying on users’ devices for security, using inaccessible processing to prevent reverse engineering attacks, and securing non-biometric enrollment options, among others.
The seminar comes days after iProov partnered with Microblink to develop a selfie biometric and ID document check-based identity verification solution. Also last week, fintech veteran Lou Anne Alexander was added to the company’s corporate board as a non-executive member.
iProov’s Ajay Amlani warned about the scalability of injection attacks at Authenticate 2022.