In the words of the famous Wild West outlaw Doc Holliday, “Why should I obtain by force that which I can obtain by cheating?”
The use of biometrics to authenticate and verify identity is growing, and as the number of uses both personal and professional increases, so too does the number of biometric modalities.
While biometric technology promises to provide a more secure, robust means of authentication, it is by no means impenetrable and a new breed of criminal is already lurking in the shadows.
A recent Accenture report entitled “Beating the Biometric Fraudster” reveals that no biometric modality is immune to attack. Established technologies such as fingerprint, voice and face are all subject to assault. And newer modalities, yet to be battle tested, provide opportunities for the biometric fraudster to exploit chinks in the technology’s armor.
The report’s author Alastair Partington, Identity Domain lead at Accenture, reveals that spoofing – the fraudulent attempt to fool a biometric system with fake biometric data – is possible across the gamut of modalities.
“Accenture has reviewed state-of-the-art biometric modalities and discovered that they can all be spoofed to a certain extent,” says Partington. “While fingerprint, face and voice systems are most commonly spoofed, even iris, vein and DNA-based systems can be compromised with the right knowledge, techniques and tools.”
The goal of the biometric fraudster
Accenture focused its research on capture-time attacks. Also used by ATM skimmers, these attacks present specific challenges. “At capture-time, biometric fraudsters typically attempt two kinds of attacks – impersonation and obfuscation,” explains Partington.
The first method of biometric fraud, impersonation, sees the imposter attempt to be incorrectly recognized as a different, legitimate user. Obfuscation, on the other hand, occurs when a user manipulates his or her biometric traits to avoid recognition altogether.
The history of impersonation attacks is long, and as Partington explains, perpetrators can come in many forms.
In a classic example of impersonation, a South Korean woman was deported from Japan in July 2007 after illegally residing in Nagano and working as a bar hostess. She was ordered not to re-enter Japan for five years following her deportation but immigration officials in Tokyo found the woman in Nagano a year later.
The Japanese government discovered that the woman had managed to spoof a million-dollar fingerprint-scanning system at the Tokyo International airport using little more than a piece of tape stuck to her finger. The woman had repeatedly entered Japan using the same trick.
The airport scanner cross-checks passengers’ prints against a database of registered criminals and individuals with deportation records. With the aid of a black-market broker, the Korean woman used a fake passport and tape with another individual’s fingerprint. By placing her tape-covered finger on the fingerprint scanner, she was able to successfully fool the system.
In a more bizarre attempt at impersonation, Brazilian doctor Thauane Nunes Ferreira was convicted of using a bag of silicone fingers to clock in absentee co-workers on the fingerprint scanners that served as time clocks at the hospital where she worked. The woman was found with six fake silicone fingers, each bearing the fingerprints of her co-workers. Police investigations revealed that nearly 300 employees, dubbed “ghost workers,” had been receiving pay without going to work.