Spoofing biometrics: Research nascent but standards developing
28 September, 2011
A common refrain for those opposed to biometrics is that the identification technology is easy to spoof. It’s widely touted that fingerprint scanners can be fooled by fashioning a simple “gummy finger” from common household products.
These attacks were first revealed in the early 2000s when Japanese and German researchers successfully fooled fingerprint scanners with relative ease. A lot has changed since then as vendors stepped up efforts to ensure the validity of presented biometric samples. But at the same time new attacks have been developed, forcing vendors to keep ahead of the curve so systems can’t be fooled.
“Many vendors are pursuing techniques that minimize the vulnerabilities,” says Stephanie Schuckers, associate professor at Clarkson University who studies biometric spoofing.
The attacks on systems vary from the obscure to the overt. As countries started collecting biometric samples from travelers at border crossings, criminals began working to defraud these large, one-to-many fingerprint systems. The difficult thing in fooling these systems is that a border agent is typically present watching an individual provide the biometric sample.
At the other end of the spectrum, systems used to protect a door or a computer network are typically unattended, so no one is watching the individual presenting the biometric sample.
Though spoofing attacks are not new, standards for liveness detection to spot possible spoofs do not yet exist. The National Institute of Standards and Technology is, however, working with standards-making bodies to establish initial approaches.
But spoofing is hard to quantify. “If someone successfully spoofs a system we don’t know about the attack,” Schuckers says. “It’s hard to say how much of a threat it really is.”
The fingerprint attacks of the past involved making fake fingerprints out of gelatin, silicone, wax or other materials. Either a complete fake finger would be produced, or just the fingerprint, which was then placed over an individual’s actual finger. Some of these attacks are still valid, Schuckers says, though new, more invasive ones are emerging.
Though hard to imagine, there are cases of individuals undergoing surgery to alter physical features in an attempt to fool biometric systems. In 2009 a 27-year-old Chinese woman was arrested attempting to illegally gain entry into Japan following a deportation in 2007. The fingerprints of her right hand were surgically switched with those of her left hand in an attempt to fool the biometric checks the Japanese government performs on non-citizens entering Japan.
She had successfully fooled agents collecting data at the Kansai Airport in 2008 before being caught the following year. She spent around $17,000 for the surgery that was performed in a private home in China.
More commonly, individuals have placed thin films over their fingerprints to obscure patterns or make them look like another pattern, says Robert Rowe, chief technology officer at Lumidigm, a fingerprint vendor whose technology includes multi-spectral imaging designed to spot spoofs. Others have purposefully obscured or damaged their fingerprints to prevent detection.
How to prevent it
There are two routes vendors can take to protect biometrics from spoofing, Schuckers says. One is a software approach that conducts additional analysis on the captured data. The other is a hardware fix where additional sensors are placed into the biometric readers to capture additional physical features.
The problem with both of these fixes is that additional analysis or hardware adds cost and can diminish system performance, Schuckers explains. “You can put in additional measures that reject spoofed fingers but you have to realize the costs, which can include increased false rejections,” she adds. “You can set up a system where 90% of spoofs would be recognized but you may be dealing with a 5% increase in false reject rates.”
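The trade-off Schuckers describes can be made concrete with a threshold sweep. The following is an added example, not code from the article or from any vendor; the liveness scores are constructed for illustration and the function names are hypothetical.

```python
# Constructed liveness scores in [0, 1]; higher means "more likely live".
# Illustrative values only, not measurements from any real sensor.
LIVE_SCORES = [0.91, 0.88, 0.95, 0.73, 0.82, 0.97, 0.69, 0.90, 0.86, 0.93,
               0.78, 0.84, 0.99, 0.58, 0.87, 0.92, 0.80, 0.96, 0.75, 0.89]
SPOOF_SCORES = [0.12, 0.35, 0.41, 0.22, 0.55, 0.63, 0.30, 0.18, 0.71, 0.47]


def rates(threshold, live=LIVE_SCORES, spoof=SPOOF_SCORES):
    """Return (spoof_detection_rate, false_reject_rate) when every sample
    scoring below `threshold` is rejected as a suspected spoof."""
    spoofs_caught = sum(s < threshold for s in spoof)
    live_rejected = sum(s < threshold for s in live)
    return spoofs_caught / len(spoof), live_rejected / len(live)


def lowest_threshold_for(target_detection, live=LIVE_SCORES, spoof=SPOOF_SCORES):
    """Find the smallest threshold that catches at least `target_detection`
    of the spoofs, and report the false-reject rate that choice costs."""
    # Only observed scores (plus one value above the maximum) can change
    # the outcome, so those are the only thresholds worth trying.
    for t in sorted(set(live) | set(spoof) | {1.01}):
        detection, false_reject = rates(t, live, spoof)
        if detection >= target_detection:
            return t, detection, false_reject
    raise ValueError("target detection rate is not reachable")


if __name__ == "__main__":
    for target in (0.7, 0.9, 1.0):
        t, det, frr = lowest_threshold_for(target)
        print(f"target {target:.0%}: threshold {t:.2f}, "
              f"spoofs caught {det:.0%}, live users rejected {frr:.0%}")
```

With this constructed data, catching 90% of spoofs costs a 5% false-reject rate, and pushing to 100% doubles that cost.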
Another way to prevent spoofing is requiring multiple forms of identification, Schuckers says. A PIN or an ID credential plus a biometric would make it more difficult to spoof a system because all the authentication factors would be needed. Spoofing a single factor would not be sufficient to pass the overall authentication process.
Some pattern recognition software would also be able to analyze the fingerprint pattern to determine if it’s fake or has been tampered with, says Rowe. “It’s generally possible to look at a pattern you’re measuring and see that the lines or ridges and valleys aren’t something you would expect in a regular space,” he says. “You’ll see evidence of abrupt transitions, scars and marks that are obscuring patterns.”
Keeping up to date with potential spoofs is crucial for biometric vendors. Rowe explains that when Lumidigm hears of a new attack they create software fixes to address it and then download the new code to the sensors.
Standards activities
NIST posted a special publication on electronic authentication, which lays out the case for authentication over a trusted network. Biometric technology is not included in the publication at least in part because measurable liveness testing is needed, says Elaine Newton, a scientist at NIST.
“Biometrics aren’t included in the authentication piece because they aren’t secrets,” she says. Every time an individual touches a surface, his or her fingerprints are left behind for someone to potentially replicate and use. In 2008 German hackers published the fingerprints of the German Interior Minister to protest the biometric being placed in electronic passports.
This has led NIST to begin the creation of an international standard for liveness detection, Newton says. “All this is very nascent work,” she says. “There hasn’t been a lot of work done on this.”
The lack of standards for liveness detection has held back biometric use in key applications, Newton says. Even though some vendors have addressed liveness testing in their products, there still need to be standards so the government or corporation buying the product can use the same measuring stick to make sure the system is protected against spoofing.
It’s early in the process with the group just getting through a first working draft for the International Organization for Standardization. The group is working on defining terminology and data formats with additional efforts coming down the road.
“What information can be sent in a standard data format for a relying party to know how confident they are that the subject is who they claim to be?” she asks. Addressing this will build a foundation to standardize liveness detection, freeing biometrics from its early days of gummy fingers and spoofing.
Common approaches to combat spoofing
Spoofing is an attempt to defeat a biometric system through the introduction of fake biometric samples. Common spoofs include photos of face or iris, latent fingerprints, artificial fingers, and voice recordings.
There are several categories of anti-spoofing approaches commonly used by vendors and users of biometric systems.
Attended, supervised sample collection
By placing a human watcher at the point of biometric sample collection (e.g. a border control agent at an entry point), spoofing attempts can be made more complicated. In most cases, however, this is an impractical and cost-prohibitive approach.
Challenge and response procedures
With certain modalities, the specifics of the sample can be customized and changed at the collection point. Facial recognition systems can randomly ask for changes in face characteristics (e.g. smile and alter gaze direction). Voice systems can specify the words to be submitted for the sample or the sequence of the words presented.
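A sketch of the voice case, where the system picks the word sequence so that a recording made earlier does not match. This is an added example, not code from the article or any product; the vocabulary, time limit and function names are assumptions, and the spoken words are assumed to arrive as text from a separate speech recognizer (speaker matching is out of scope here).

```python
import hmac
import secrets
import time

# Constructed vocabulary; a deployment would use a far larger word list.
VOCAB = ["amber", "bridge", "copper", "delta", "ember", "falcon",
         "garnet", "harbor", "indigo", "juniper", "kestrel", "lantern"]
TTL_SECONDS = 30   # assumed validity window for one challenge
PENDING = {}       # challenge id -> (expected words, expiry time)


def issue_challenge(n_words=4, now=None):
    """Pick an unpredictable word sequence and remember it server-side."""
    now = time.time() if now is None else now
    words = secrets.SystemRandom().sample(VOCAB, n_words)
    challenge_id = secrets.token_hex(16)
    PENDING[challenge_id] = (words, now + TTL_SECONDS)
    return challenge_id, words


def verify_response(challenge_id, spoken_words, now=None):
    """Accept only the exact sequence, once, within the time limit."""
    now = time.time() if now is None else now
    # pop() makes every challenge single-use, whether it passes or fails.
    entry = PENDING.pop(challenge_id, None)
    if entry is None:
        return False          # unknown or already-used challenge
    words, expiry = entry
    if now > expiry:
        return False          # answered too late
    expected = " ".join(words).encode()
    got = " ".join(w.strip().lower() for w in spoken_words).encode()
    return hmac.compare_digest(expected, got)


if __name__ == "__main__":
    cid, words = issue_challenge()
    print("say:", " ".join(words))
    print("fresh answer accepted:", verify_response(cid, words))
    print("same answer replayed:", verify_response(cid, words))
```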
Liveness detection
Making sure a biometric sample is from a living, breathing human being is a key tool in the prevention of spoofing. Techniques for liveness detection vary from modality to modality and vendor to vendor. Iris and face vendors look for subtle, often involuntary movements that occur in human samples.
There are a number of different approaches fingerprint vendors take to ensure that the biometric is not coming from a plastic mold or other spoof. Some look below the surface of the skin to detect the presence of tissue, veins or other features. Others look for the naturally occurring pulsation, electric conductivity, radio waves, perspiration, heat or other byproducts of live tissue.