Biometric technologies were, until recently, widely used by just two types of people - police detectives and Hollywood spies. But the world is waking up to the fact that biometrics can enable faster, easier identity recognition.
With governments and businesses increasing their uptake of newly-mature fingerprint, finger-vein, iris, voice, and face recognition technologies to provide a cost-effective answer to a range of identity authentication scenarios, biometrics are now being used in airports, on the high street, and on mobile devices. So how can we be sure that today’s biometric systems can be trusted? And what happens if that trust is misplaced?
Vulnerability to fraud attempts is increasing, as criminals and opportunists look to take advantage of new, large-scale biometric systems. “Biometric fraudsters” typically attempt two kinds of attacks:
- Impersonation: An imposter seeks to be incorrectly recognised as a different, legitimate user.
- Obfuscation: A user manipulates his or her biometric traits to avoid recognition.
Fraudsters are prepared to go to extreme lengths, including coercion of legitimate users, creating fake samples, using mutilated body parts and resorting to plastic surgery. They have also benefitted from the same technological advances as cyber-criminals and can access the technology needed to tamper with biometric documents, create biometric spoofs, and test their results-all from the comfort of their own homes.
We know fake fingerprints can be created, but are some of the newer biometric modalities immune to attacks? It seems not. Accenture reviewed state-of-the-art biometric modalities and discovered that they can all be spoofed. Fingerprint, face, and voice recognition systems appear to be the most commonly affected, primarily due to their wide deployment; however, iris, vein, and even DNA-based systems are also vulnerable.
So how can we create biometric systems which are resistant to biometric fraud? A typical approach is to opt for a multi-modal biometric system, which relies upon multiple biometric traits to confirm an identity; however, while this is an excellent first step, recent studies have shown that even these can be breached. Often, successfully spoofing the modality that is considered the most reliable (and has the highest weighting in the matching calculation) can fool a simple multi-modal system.
System vendors have incorporated analytical features, additional data and more sophisticated biometric fusion algorithms into more advanced products to reduce this risk. However, multi-modality alone is not a panacea to safeguarding identity and combatting biometric fraud.
Accenture proposes a pragmatic approach to combatting biometric fraud:-
- Firstly, consider the system to be protected. Depending on the business purpose of the system, and its exposure to the outside world, it may require significant fraud detection capabilities. Anti-spoofing measures typically decrease user convenience, as they can generate false alerts, and should only be applied when high levels of security are required.
- There is no “silver bullet” solution. While multi-modality is a helpful approach, it isn’t a sufficient countermeasure on its own. Fraudsters must be presented with a series of varied and unpredictable barriers
With these considerations in mind, it is important to choose countermeasures wisely. The individual defences that strengthen a biometric system’s resistance to attacks can be drawn from the following categories:-
- Functional decisions, such as the use of multi-modal biometrics, or the combination of biometrics with other authentication factors.
- Technical capabilities, such as biometric anti-spoofing and likeness-detection algorithms, advanced analytics capabilities, cancellable biometrics and template-protection algorithms.
- Operational decisions, such as measures to deter fraud attempts before they are conceived, the level of supervision to be applied to the system, the strategy to “stay ahead” of the threat, and the security upgrade plan.
When considering biometric fraud detection, many factors need to be taken into account, including the increased cost and complexity of the solution, dependency on specific hardware or software components, and the impact on user convenience. A cost/benefit analysis is an essential step, to prove that the anticipated costs of the proposed countermeasures outweigh the expected benefits of reduced biometric fraud.
All the stakeholders in a biometric solution— governments, public safety agencies, business owners, biometric system vendors, system integrators, and indeed, the end-users - ordinary citizens and customers—have a vested interest in the system being resistant to fraud. As biometric systems are increasingly adopted to help deliver fundamental services, fraud resilience becomes an urgent requirement. Effective biometric fraud detection requires a diverse set of capabilities, as well as a broad range of third-party vendor, academic, and standards-body relationships.
In short, organisations need to adopt a holistic approach; one that integrates robust biometric fraud detection along with more traditional IT security techniques and processes. In ‘our always on and always connected’ world each of us has a role to play to ensure that biometric technologies become a force for good in society, delivering change despite the efforts of a few would-be fraudsters.