Equally troubling are the reports of attempted obfuscation.
In 2007 Dr. Jose L. Covarrubias, a U.S. citizen and plastic surgeon, was arrested after replacing the fingerprints of an alleged drug dealer with skin from the bottom of his own feet. Authorities reported that Dr. Covarrubias had been paid $20,000 to perform the surgery that aimed to help the drug dealer avoid arrest. The drug dealer was apprehended much earlier, in 2005, as he was still limping badly near the Nogales border crossing in Mexico.
More extreme is the story of Edgardo Tirado, who was arrested by Lawrence, Mass., police for drug detention. Upon arrest, officers noticed rows of thick stitches on the tips of his fingers and thumbs. Edgardo Tirado turned out to be Gerald Perez, and the stitches were part of a procedure he had undergone in the Dominican Republic to obliterate his fingerprints, making him impossible to identify through normal law enforcement means.
An officer who had dealt with Perez before was the only one able to identify the fraudster. Apparently many criminals travel to the Dominican Republic to have this procedure performed – a cash procedure that costs from $1,000 to $7,000. At least six similar cases have been reported in the past two years. Once the fingerprints are obliterated, the criminal needs only new ID documents, a birth certificate and Social Security card.
While these cases may seem far-fetched or downright comical, one troubling fact remains: they represent only those actually caught in the act.
While impersonation and obfuscation are the primary methods employed by biometric fraudsters, they are not the only means of attack. Another class of biometric fraud involves the theft of biometric data.
“This is generally more effectively achieved through classical IT cracking rather than sensor-time attacks,” says Partington. “In any case, the criminal use of stolen biometric credentials will often involve a subsequent impersonation attack.”
Partington suggests that this new breed of identity fraud is the product of an ever-evolving authentication technology market. “Rather than significant changes in the types of fraud anticipated, we would point to a decreased barrier to entry for criminals wishing to attempt biometric frauds,” says Partington. “This is enabled by the same technology advances – and cost reductions – that have driven the global uptake of biometric systems.”
Ironically, biometric evolution and advances in technology overall may prove detrimental to system security. “Biometric fraudsters can now readily access the technologies needed to tamper with biometric documents, create spoofs, and test their results – all from the comfort of their own homes,” says Partington.
The arsenal of attack options at the fraudster’s fingertips raises the question: what is being done to prevent fraudulent biometric attacks?
Partington suggests a pragmatic approach to biometric fraud detection. “It’s a complex subject, with many factors to be taken into account, such as potential increased cost and complexity of the solution, a possible dependency on specific hardware or software components and the anticipated impact of anti-fraud measures on user convenience.”
Partington prescribes a three-pronged defense to help organizations implement the proper biometric system and precautionary measures.
“Consider the business purpose of the system and the exposure it has to the outside world,” says Partington. “These factors determine risk and required fraud detection capabilities.”
Partington describes it as a trade-off. “Anti-spoofing measures typically decrease user convenience, as they can generate false alerts on genuine users. They should therefore only be applied when high levels of security are genuinely required,” he explains.
“There is no ‘silver bullet’ solution to the challenges presented by biometric fraud,” says Partington. “No one prevention technique is sufficient, as each type of anti-fraud test can be surmounted with the appropriate capabilities.”
Multi-modal, holistic approaches show promise
One approach that has gained momentum is the use of multi-modal biometrics, or the blending of more than one method of biometric authentication. Partington explains that though this approach is a step in the right direction, it can’t act as a stand-alone solution.
“Multi-modality is a helpful approach, but it is far from being a sufficient countermeasure on its own,” says Partington. “Defense-in-depth is key – fraudsters must be presented with a series of varied and unpredictable barriers, making their job considerably more challenging – and impossible to systemize.”
“Organizations need to adopt a holistic approach; one that integrates robust and innovative biometric fraud detection along with more traditional IT security techniques and processes,” he concludes.