Exponential hacking of biometric authentication reveals some defenses already overwhelmed
“Motion-based is completely broken,” says Andrew Bud, founder and CEO, iProov, of biometric identity authentication where users are asked to perform actions to guarantee liveness for accessing services. His firm’s global monitoring center finds that attacks involving mobile phone emulators on desktops rose 149 percent and digital injection face swap attacks are up 295 percent. Those figures are for the second half of 2022 compared to the first half.
iProov’s Security Observation Centre (iSOC) detects up to 200 injection attacks per day. But the evolution of digital injection attacks, where criminals feed images into an authentication process rather than attempt to trick the system by doing something in front of a camera, is proving even more concerning. iProov is detecting three cases a week where simultaneous attacks are launched on a global scale.
“We saw within 24-48 hours an Eastern European attacker invent a new attack method aimed mainly at motion-based liveness and just blitz the entire industry worldwide looking for any kind of system that would show vulnerability,” said Bud, speaking at a Westminster eForum.
“And when they found systems that would show vulnerability, they would attack it.”
Digital injection attacks are no longer confined to desktop web browsers; they are now happening on mobile devices as well.
Also in 2022, iProov, which supplies biometric authentication to large-scale public services worldwide such as the NHS app for the UK public health service, detected a marked improvement in criminals’ ability to spoof metadata and in the quality of images used in attacks. Emulator use is rising in mobile web – across both Android and iOS.
The rise in face swap attacks shows how the technology has become simple enough for use by lower-skilled criminals, who acquire tool kits on the dark web.
iProov’s iSOC observes what is happening with biometrics worldwide, says Bud. “Every single time a biometric authentication is made, it is triaged and searched for evidence of fraud,” says the CEO of the system whose processes are subject to eIDAS audit.