Injection attack detection critical to digital security yet often misunderstood

The most influential factor in the tech market is pace. When a new technology appears, it inevitably kicks off a race to capture market share: OpenAI introduces ChatGPT into the world, and the Claudes, Geminis and other AI chatbots quickly follow, hustling for dominance. On the flip side, new technologies present new attack surfaces and new paths of attack for fraudsters. Suddenly, what was an adequate security system is an anachronism, and a liability.
In response to the rise of deepfake media created using generative AI tools, organizations have widely adopted biometric liveness detection. In the language of ISO/IEC standards, this refers to presentation attack detection: the ability to tell if a face being presented to a camera – be it a photo, mask or doctored video – is fraudulent.
But as liveness checks have become table stakes, they have also been relied on as a solution for detecting deepfake attacks. While liveness plays a role in defending against synthetic media and presentation attacks, liveness detection and deepfake detection are not the same thing.
As the ecosystem evolves, “deepfake detection” must be defined and understood as the ability to spot fake faces – but that cannot constitute a comprehensive system for detecting fraudulent media. The pace of innovation on the fraud side has exchanged presentation attacks for a threat that does not rely on cameras and faces, but on hacking into the digital infrastructure of an organization to manipulate communications – “injecting” media into an exchange.
Injection attacks: the feed is coming from inside the pipeline
Fraudsters can now deploy virtual cameras, emulator stacks, manipulated SDK calls, and API-level video injection techniques to hijack media feeds on the software level. In an injection attack, it doesn’t matter if the face in front of the camera is real, because somewhere between input and output the signal has been replaced with pre-rendered deepfake frames, or an external live feed.
Understanding what distinguishes the various categories of detection is becoming increasingly important in the effort to build layered, secure defenses against generative-AI assisted fraud.
As one might expect, presentation attack detection (PAD) traditionally protects against attacks that “present” a false biometric or spoof, such as a 3D silicone mask, or photos, videos and other fake artifacts. It is a primarily visual analysis. Liveness detection takes the concept further in its attempt to verify humanness, and may involve analyzing factors like blood flow or the cadence of speech. It is PAD for the smartphone age, aiming to ensure that a person on camera is alive, rather than digitally generated.
Deepfake detection looks at media content. It can analyze image or video frames for signs that the content might be the product of face-swapping apps or other generative AI: subtle clues in pixel structure and lighting, or discrepancies between lip movement and mouth shape. This kind of analysis is becoming increasingly difficult, as deepfake tech is refined to create ever more realistic images: the human eye is no longer a reliable gauge.
But the ability to “spot” deepfake content is increasingly insufficient as an overall defense, because the recorded or streamed media on-screen may have been plugged in after the camera-based authentication process – an injection attack.
If PAD and liveness defend the camera, and deepfake detection defends the image, injection attack detection (IAD) defends the authentication pipeline – the digital conduits that carry the information we rely on. It is focused on protecting the integrity of biometric capture and authentication pipelines from injected or tampered inputs. It interrogates media sources to determine if an emulator stack is being used to present a synthetic device with a synthetic camera. It monitors SDK calls that may be intercepted and replayed with substituted video.
In cinematic terms, IAD makes sure that no one has switched the briefcase before making the exchange, replaced the will with a fake one, or seized control of the projection booth like a bunch of Gremlins.
What to ask when buying a deepfake detection product
An analysis in Finextra by Victor Mendez, CMO of Verifyo, argues that the current landscape demands a reorientation of the procurement process. “NISA reports that injection-attack incidents surged in 2022, occurring roughly five times more frequently than presentation attacks and in more sophisticated form, and ranks deepfake presentation and injection attacks among the two attack types hardest to mitigate,” he writes.
Yet, “most procurement scorecards ask ‘do you have liveness?’ and never ask ‘do you detect a virtual camera?’. The question is not on the form, so the answer is not in the contract.” Instead of a feature list, he says, customers should ask for an evidence package, with “clear benchmarking and transparency on virtual-camera detection coverage, environment-integrity signals, fusion strategy across algorithms, and more.”
Ultimately, Mendez believes that deepfake fraud strategies have out-paced deepfake detection as a comprehensive solution to biometric fraud. And he thinks the solution to the injection attack problem is to stop relying on the camera path as the evidence, in favor of cryptographically signed identity data – “issuer-signed credentials a verifier can validate independently of the channel.”
“The verifier checks a signature, not a face on a screen, and the frame the attacker spent compute on never enters the decision. The deepfake question becomes irrelevant when the unit of evidence is a signature over an issuer-attested attribute, not a frame of video.”
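The verifier-side check described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it mentions; it assumes Ed25519 signatures over a JSON payload, and the Claim fields, the session nonce and the sample values are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claim is a constructed credential payload; the field names are assumptions.
type Claim struct {
	Subject   string `json:"sub"`
	Attribute string `json:"attr"`
	Nonce     string `json:"nonce"` // chosen by the verifier, binds the credential to one session
	Expires   int64  `json:"exp"`   // Unix seconds
}

// Issue serialises the claim and signs those exact bytes with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Claim) (payload, sig []byte) {
	payload, _ = json.Marshal(c)
	return payload, ed25519.Sign(priv, payload)
}

// Verify checks the signature first, then freshness and session binding.
// No video frame or camera metadata is an input to this decision.
func Verify(pub ed25519.PublicKey, payload, sig []byte, nonce string, now time.Time) (Claim, error) {
	var c Claim
	if !ed25519.Verify(pub, payload, sig) {
		return c, errors.New("bad signature")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Expires {
		return c, errors.New("expired")
	}
	if c.Nonce != nonce {
		return c, errors.New("nonce mismatch (replayed credential)")
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	payload, sig := Issue(priv, Claim{"user-123", "age_over_18", "n-001", time.Now().Unix() + 60})
	_, err := Verify(pub, payload, sig, "n-001", time.Now())
	fmt.Println("valid credential accepted:", err == nil)
}
```

The expiry and nonce checks matter as much as the signature: a validly signed credential captured from an earlier session is still rejected when it is replayed.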
Layered security addresses branching fraud tree
The takeaway is that deepfake detection, liveness detection and injection attack detection are not equivalent. Deepfakes can be deployed in injection attacks as part of an injected media feed, but detecting them is not the same process as IAD, which monitors the integrity of the camera feed and signal.
Ultimately, however, the distinctions between these categories matter less in isolation than how effectively they work together within a unified trust and fraud defense stack.
As Mendez puts it, “defend the camera with PAD. Defend the pipeline with IAD. Defend the document with cryptographic chip checks. Defend the decision with verifier-side signals and a reviewable evidence package. Where possible, replace the camera as the unit of evidence with an issuer-signed attestation.”
In the never-ending game of whac-a-mole that is modern fraud prevention, the solution is not to make one hammer bigger, but to use more hammers to contend with newly-emergent moles – and to make sure the machine itself isn’t fixed to favor the house.