Biometric Security Hacks
Biometric security may not be the bulletproof security system that it appears to be. The theory is that information such as fingerprints or facial images is unique and cannot be copied.
Hacks based on cloned fingerprints or using images of faces have been around for some time. In 2021 Kraken reported how a photograph of a fingerprint could be transferred to a gel with wood glue and used to access a laptop. In 2023 a Brazilian man was arrested for allegedly accessing on-line bank accounts by taping life-size photographs of his victims onto dummies and presenting them to the victims' on-line facial recognition systems. A more elaborate trick involved using a silicone mask to impersonate the French defence minister Jean-Yves Le Drian in 2019, when £70m was scammed from wealthy victims. It is almost certain that current video face-swap technology could make a better match; hopefully targets are also now more aware of fake video images.
With the prevalence of high-resolution 3D printing, AI and deepfake computer systems, the ability to spoof a face, iris or fingerprint has become considerably easier. The response of biometric systems is ‘liveness detection’: looking for live data, some degree of depth or movement that proves the information comes from a living person and not simply from an image. The approach is either active, requiring some user input such as blinking, or passive, looking for depth of image, changes in lighting or background features. Although the active method appears more robust, it could discriminate against some users who are not able to perform the actions required for verification.
A more sophisticated attack than imitating the image presented is to perform the hack at the recognition stage. A computer cannot store all aspects of a face or fingerprint but must create a digital representation of that form and present that for verification. If the initial input from the camera or scanner is bypassed, then a ‘known good’ file can be supplied instead and passed by the machine. This is the approach that has been used on iOS and Android devices to access personal banking accounts in Vietnam and Thailand. These attacks required the user to download compromised apps that in turn harvested local data, including facial scan details. These were then used to gain access to the victim’s bank accounts. In Thailand the scams were made easier by an initiative requiring all banking apps to include facial recognition from July 2023: users were unfamiliar with the new procedures and easy marks for suspect software. Android attacks are more likely, as the Google Play store or other legitimate repositories are relatively easy to impersonate. iOS controls were bypassed by convincing targets to download from Apple's TestFlight test portal. The likelihood of getting these approaches to work depends heavily on the targets’ susceptibility to social manipulation and on the degree of prior information available to the attacker that can influence that susceptibility. Their degree of financial success is unclear, but they demonstrate that usurping biometric recognition systems is moving from theory into the real world.
There is an inherent vulnerability in the use of biometric data to authenticate transactions. It should only be classified as an identifier, like a user name, not as a password. In some cases biometric data is now acting as identifier as well as authenticator. At least if a password is compromised it can be changed. If biometric data is stolen, the original owner may have difficulty proving that they are the genuine account holder and not a fraudster.
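The two points above, the recognition-stage bypass with a harvested ‘known good’ template and the rule that a biometric should identify but not authenticate, can be shown together in a small verifier. The following is an added example, not code from the article or from any of the banking apps it mentions. It assumes a constructed fixed-length template format with a simple byte-agreement matcher, and uses an HMAC key provisioned per device as a stand-in for the asymmetric device-bound key a real secure element would hold; challenge nonces, thresholds and templates are all constructed values.

```python
"""Toy verifier: biometric match identifies the account, a device-bound
authenticator over a fresh server challenge authenticates it.

Added example, not from the original article. Templates, threshold and the
HMAC-based 'device key' are constructed stand-ins for a real biometric HAL
and secure-element signing key.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SIMILARITY_THRESHOLD = 0.90   # constructed: fraction of template bytes that must agree
CHALLENGE_TTL_SECONDS = 60.0  # a challenge is valid once, and only briefly


@dataclass
class Account:
    name: str
    template: bytes              # enrolled biometric; cannot be 'changed' if it leaks
    device_key: Optional[bytes]  # stand-in for a device-bound key; revocable and re-issuable


def similarity(a: bytes, b: bytes) -> float:
    """Constructed matcher: share of positions where the two templates agree."""
    if len(a) != len(b) or not a:
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def sign(device_key: bytes, nonce: bytes, template: bytes) -> bytes:
    """Client side: bind the live capture to this challenge with the device key."""
    return hmac.new(device_key, nonce + template, hashlib.sha256).digest()


class Verifier:
    def __init__(self) -> None:
        self.accounts: List[Account] = []
        self.challenges: Dict[bytes, float] = {}  # nonce -> issue time; removed when used

    def enrol(self, name: str, template: bytes, device_key: bytes) -> None:
        self.accounts.append(Account(name, template, device_key))

    def revoke_device(self, name: str) -> None:
        """Recovery path after compromise: re-issue the key, not the face."""
        for acct in self.accounts:
            if acct.name == name:
                acct.device_key = None

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.challenges[nonce] = time.monotonic()
        return nonce

    def identify(self, template: bytes) -> Optional[Account]:
        """Biometric used as an identifier only: which enrolled account is this?"""
        best = max(self.accounts, key=lambda a: similarity(a.template, template), default=None)
        if best is None or similarity(best.template, template) < SIMILARITY_THRESHOLD:
            return None
        return best

    def authenticate(self, template: bytes, nonce: bytes, mac: bytes) -> Tuple[bool, str]:
        issued = self.challenges.pop(nonce, None)  # single use, whatever the outcome
        if issued is None:
            return False, "unknown or already used challenge"
        if time.monotonic() - issued > CHALLENGE_TTL_SECONDS:
            return False, "challenge expired"
        acct = self.identify(template)
        if acct is None:
            return False, "no matching identity"
        if acct.device_key is None:
            return False, "device credential revoked; re-enrolment required"
        # A matching template proves nothing by itself; the challenge response must
        # come from the enrolled device, so an injected 'known good' file fails here.
        if not hmac.compare_digest(sign(acct.device_key, nonce, template), mac):
            return False, "authenticator mismatch"
        return True, acct.name


def run_scenarios() -> Dict[str, bool]:
    v = Verifier()
    enrolled = bytes(range(32))                 # constructed template for 'alice'
    device_key = secrets.token_bytes(32)        # provisioned to alice's device at enrolment
    v.enrol("alice", enrolled, device_key)

    live = bytearray(enrolled)                  # a live capture differs slightly from enrolment
    live[3] ^= 0xFF
    live[17] ^= 0xFF
    live = bytes(live)                          # 30 of 32 bytes agree -> 0.9375 similarity

    results: Dict[str, bool] = {}
    results["identified"] = (v.identify(live) or Account("", b"", None)).name == "alice"

    n1 = v.issue_challenge()                    # 1. genuine device, fresh challenge
    results["genuine"] = v.authenticate(live, n1, sign(device_key, n1, live))[0]
    results["replay"] = v.authenticate(live, n1, sign(device_key, n1, live))[0]  # 2. same message again

    n3 = v.issue_challenge()                    # 3. harvested template, no device key
    results["injected"] = v.authenticate(enrolled, n3, sign(b"not-the-device-key", n3, enrolled))[0]

    v.revoke_device("alice")                    # 4. after compromise: key revoked, face unchanged
    n4 = v.issue_challenge()
    results["after_revoke"] = v.authenticate(live, n4, sign(device_key, n4, live))[0]
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Only the genuine scenario should succeed: the replay fails because the challenge was consumed, the injected template fails because the response is not bound to the enrolled device key, and after revocation the unchanged biometric alone is not enough. That last case is the practical answer to the article's closing point: since the face or fingerprint cannot be rotated, the credential that can be rotated must be the thing that actually authenticates.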