The Risk of Taking Identity at Face Value

January 30, 2019

A couple high-profile “hacks” of traditional biometric authentication are making headlines. Credit the talented security researchers behind these feats for driving awareness of the fact that singular human characteristics are not uniquely secure. Comparing what researchers coincidentally discovered in each separate case reveals a lot about the challenge of finding a single, unimpeachable physical characteristic for one-time biometric scans.

Two heads are riskier than one

First, Forbes reporter Thomas Brewster wrote an eye-opening story describing how he used accessible 3D-printing technology to create a lifelike scale model of his head, which he subsequently utilized to unlock a series of smartphones in an experiment. Brewster set up an iPhone X and four Android devices: an LG G7 ThinQ, a Samsung S9, a Samsung Note 8 and a OnePlus 6 in the trial. All were configured to only recognize his real face as the key, yet only the iPhone reportedly failed to fall for the knock-off head computerized machinery created with gypsum powder, based on photos of Brewster’s head.

In fairness to handsets proven vulnerable to the fake face exploits, their set-up documentation reportedly warned Brewster that activating face identification can make a device less secure, with one manufacturer warning “If you use facial recognition only, this will be less secure than using a pattern, PIN or password.”

Fallible facial recognition drives home the point that advances in precision, computerized rendering of pictures and physical materials mean that if you can acquire decent resolution imagery of something, you can usually create a decent replica of its shape, color, and contours. Much the way that high-end printers introduced new tricks for counterfeiters, pairing 3D printing with image capture means anything as plainly visible as your face should be considered vulnerable to copying that is good enough to fool popular handsets. Read Brewster’s story here for more details and security advice of you use one of these phones.

Vein attempts at authentication

Like facial recognition, recognizing unique blood vessel layouts in human hands is another biometric authentication scheme. With vein authentication, computers analyze unique vein maps under the skin. Motherboard reporter Joseph Cox explored how researchers at the annual Chaos Communication Congress hacking conference in Leipzig, Germany, defeated vein scans by creating a fake hand out of wax to fool sensors.

Cox explains how the researchers, Julian Albrecht and Jan Krissler, conducted research on their own hands in an experiment, using a converted SLR camera to take photos sufficiently revealing vein patterns. The process reportedly relied on photos taken up to five meters away. Albrecht and Krissler then used the vein photos to custom craft a model of their hands, recreating the vein detail. Check out Cox’s full article for more insight and scenario examples on how this attack could be employed.

Images versus continuous authentication

Pulling off biometric security bypasses with phony heads and hands reminds us of the challenge of finding durable, one-time biometric credentials. Device makers and physical access control developers lean toward using faces, fingerprints, hands and other obvious outward traits as unique biometric “tokens,” because they are readily visible to security equipment. Yet research shows modern photography and observation mean these traits are at constant risk of being captured in public and studied, leading to clones upending protection.

Ultimately, one-time biometric identifiers are too impractical and risky to rely on exclusively. BehavioSec’s behavioral biometrics approach surpasses one-time biometric scans by comparing users’ typing patterns, touchscreen pressure, cursor and mouse movements and other behaviors to authentic individuals’ known behavior. This depth of continuous authentication means that even if criminals or malware guess a password or harvest other credentials, their phony login attempts and transactions will be flagged as suspect, adding a powerful new layer of anti-fraud and risk management for Web sites, fintech apps and other sensitive interfaces powering the mobile-first era and digital transformation.

BehavioSec proves that impersonators and bots content to buy or steal login credentials struggle to mimic your unique device handling, swiping and typing otherwise taken for granted.

Behavioral biometrics breaks some of cybercrimes most reliable account takeover schemes, meaning attackers would be better served putting plaster and wax expertise to artistic use, instead.