CLR Labs compares biometric spoof evaluations, urges attention to injection attacks
Biometric data injection attacks are increasingly associated with deepfakes, as attackers use camera emulators to spoof remote identity proofing systems with fake selfies. The problem goes beyond deepfakes, however, CLR Labs argues in a new white paper.
Independent laboratory CLR Labs, which has locations in France and Belgium, points out that injection attacks can also be used to mount attacks based on digital falsified ID documents, and urges the industry to seriously consider the full scope of the attack type.
“Digital Identities, Digital Wallets, Remote Identity Proofing. A not yet well understood vulnerability: Biometric Data Injection Attack” is a seven-page white paper by CLR Labs. It begins by reviewing the increased use of biometric for remote KYC checks for a range of important and sensitive services. Regulators have responded with new anti-money laundering and other rules. Governments have accelerated their work on digital wallets in part to make remote services easier to access, but this also gives attackers another way to carry out identity fraud.
Fraud attacks have already been carried out with Louisiana’s mobile driver’s license.
While presentation attacks are the most well-known type of attack against a biometric system, IBM identified nine different attack paths that could be used against biometric systems all the way back in 2001, CLR Labs point out. This is why, despite the wide recognition of the importance of presentation attack detection, ANSSI has noted PAD alone is not enough to ensure the required level of security.
The paper continues with an explanation of injection attacks, and the ways they use attack instruments other than deepfakes.
A chart is provided that compares the testing regimes of the FIDO Alliance, international payment schemes, ANSSI’s PVID certification and other biometrics evaluation labs, as well as CLRs own services. The PVID referential evaluation includes testing for falsified ID document detection, unlike the others, and only that and CLR Labs testing includes injection attack detection testing, according to the chart.
CLR Labs touts its testing to the ETSI TS 119 461 technical specification. ETSI TS 119 461 was established in 2021 to set the rules for identity proofing to trust services and qualified electronic signatures.
“The next challenge,” the white paper says, “will be to find a legal framework to authorize independent laboratories to test the security of the ID document authenticity check components of remote identity verification solutions.”