Biometric fraud: A new generation of hacker
15 May, 2013
The use of biometrics as a secure factor in authentication is no longer science fiction. Widespread adoption of iris, fingerprint, finger vein, voice recognition and voiceprint has given rise to a new generation of authentication. However, it has also created a new brand of fraud.
As these solutions have increased in popularity and grown into maturity, industry experts are asking: how can we be sure that today’s biometric systems can be trusted? Moreover, what happens when that trust is misplaced?
As detailed by ComputerWorld UK, an Accenture report reveals that none of the major biometric modalities are truly impenetrable. The report suggests that susceptibility to fraud is increasing as hackers and pirates prey on new, large-scale biometric systems. “Biometric fraudsters,” as they are referred to in the report, have two main types of attack in their arsenal: impersonation and obfuscation.
Impersonation sees the imposter attempt to be incorrectly recognized as a different, legitimate user. Obfuscation, on the other hand, is a method of fraud that sees the fraudulent user manipulate their biometric traits to avoid recognition altogether.
Accenture examined all major, state-of-the-art biometric modalities and discovered that they can all be deceived. Among the most commonly targeted modalities are fingerprint, face and voice recognition systems, likely due to their higher implementation rates. Believed to be more robust solutions, iris, vein and even DNA-based biometric solutions also proved susceptible to fraudulent activity.
The concern, then, is how to create a robust, trustworthy biometric solution that can effectively deter fraud.
Accenture reveals that the standard approach is to implement multi-modal biometric solutions, that is, systems that use multiple biometric traits to confirm a single identity. Though a positive and advisable first step, recent studies have proven that even multi-modal biometric systems can be hacked.
Hacking these multi-modal systems is often accomplished by spoofing the modality that is considered the most reliable, or has the highest premium in the matching calculation. Fooling the most robust modality can render the other, comparably weaker modalities powerless against attack.
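The weakness described above can be seen in a weighted-sum score fusion, shown here as an added example that is not taken from the Accenture report. The modality weights, thresholds and match scores are constructed assumptions, and the per-modality floor is one possible hardening of the decision rule, not a measure the report prescribes.

```python
# Added illustration: weights, thresholds and scores are constructed,
# not values from the Accenture report or any real product.
WEIGHTS = {"iris": 0.6, "fingerprint": 0.25, "face": 0.15}  # iris carries the highest premium
ACCEPT_THRESHOLD = 0.60  # fused score needed to accept
MODALITY_FLOOR = 0.40    # hardened rule: every modality must clear this on its own


def fused_score(scores):
    """Weighted-sum score-level fusion over match scores in [0, 1]."""
    if set(scores) != set(WEIGHTS):
        raise ValueError("a score is required for every enrolled modality")
    return sum(WEIGHTS[m] * scores[m] for m in WEIGHTS)


def accept_weighted_sum(scores):
    """Naive decision: accept on the fused score alone."""
    return fused_score(scores) >= ACCEPT_THRESHOLD


def accept_with_floor(scores):
    """Hardened decision: the fused score must pass AND no modality may fall below the floor."""
    weakest = min(scores[m] for m in WEIGHTS)
    return accept_weighted_sum(scores) and weakest >= MODALITY_FLOOR


def dominance_report():
    """Design check: can a perfect score on one modality alone (0 elsewhere) reach the threshold?"""
    return {m: w >= ACCEPT_THRESHOLD for m, w in WEIGHTS.items()}


# Constructed samples: a genuine user, and a presentation where only the
# highest-weighted modality matches while the other two clearly do not.
GENUINE = {"iris": 0.93, "fingerprint": 0.88, "face": 0.81}
SPOOFED_TOP = {"iris": 0.97, "fingerprint": 0.12, "face": 0.20}

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("spoofed_top", SPOOFED_TOP)):
        print(name, round(fused_score(sample), 3),
              accept_weighted_sum(sample), accept_with_floor(sample))
    print(dominance_report())
```

The floor raises false rejections for genuine users with one poor capture, which is the convenience cost of stronger fraud detection, and it does nothing if every modality is spoofed at once.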
Accenture prescribes a practical, two-pronged approach to deterring biometric fraud.
First, organizations must consider the system they are trying to safeguard. Depending on the purpose of the system and its exposure to the outside world, the biometric modality may require significant fraud detection capabilities. It is important to note that as anti-fraud measures increase, convenience for the system's users decreases. For this reason, higher measures of fraud detection should only be applied when high levels of security are a necessity.
Second, it is important to remember that there is no “silver bullet” solution to stamping out biometric fraud. Multi-modal solutions are a start, but they are not a sufficient standalone countermeasure.
The number of stakeholders in the biometric authentication and security market is growing by the day, with governments, public safety agencies, private business, biometric system vendors and the general public all interacting with the technology on a daily basis. As biometric systems see increased adoption and are incorporated into many of our fundamental services, fraud detection and prevention will very soon be an urgent concern.
See Accenture’s “Beating the Biometric Fraudsters” report here.