CLR Labs compares biometric spoof evaluations, urges attention to injection attacks


Biometric data injection attacks are increasingly associated with deepfakes, as attackers use camera emulators to spoof remote identity proofing systems with fake selfies. The problem goes beyond deepfakes, however, CLR Labs argues in a new white paper.

Independent laboratory CLR Labs, which has locations in France and Belgium, points out that injection attacks can also be used to mount attacks based on digital falsified ID documents, and urges the industry to seriously consider the full scope of the attack type.

“Digital Identities, Digital Wallets, Remote Identity Proofing. A not yet well understood vulnerability: Biometric Data Injection Attack” is a seven-page white paper by CLR Labs. It begins by reviewing the increased use of biometrics for remote KYC checks for a range of important and sensitive services. Regulators have responded with new anti-money laundering and other rules. Governments have accelerated their work on digital wallets in part to make remote services easier to access, but this also gives attackers another way to carry out identity fraud.

Fraud attacks have already been carried out with Louisiana’s mobile driver’s license.

While presentation attacks are the best-known type of attack against a biometric system, IBM identified nine different attack paths that could be used against biometric systems all the way back in 2001, CLR Labs points out. This is why, despite the wide recognition of the importance of presentation attack detection (PAD), ANSSI has noted that PAD alone is not enough to ensure the required level of security.

The paper continues with an explanation of injection attacks, and the ways they use attack instruments other than deepfakes.

A chart is provided that compares the testing regimes of the FIDO Alliance, international payment schemes, ANSSI’s PVID certification and other biometrics evaluation labs, as well as CLR Labs’ own services. The PVID referential evaluation includes testing for falsified ID document detection, unlike the others, and only that and CLR Labs’ testing include injection attack detection testing, according to the chart.

CLR Labs touts its testing to the ETSI TS 119 461 technical specification. ETSI TS 119 461 was established in 2021 to set the rules for identity proofing to trust services and qualified electronic signatures.

“The next challenge,” the white paper says, “will be to find a legal framework to authorize independent laboratories to test the security of the ID document authenticity check components of remote identity verification solutions.”
