Behind the mask of biometric security
How reliable is biometric security? Computers recognize us by our faces, voices and fingerprints, but can we trick them by pretending to be someone else? In this edition of Futuris Denis Loctier finds out just how easily this can be done.
Facial recognition is sometimes used instead of passwords for secure computer access. But if an intruder uses a mask, some biometric systems can be tricked into letting him in.
Computers rely on complex algorithms to learn and recognize our faces. However, systems of biometric identification can be surprisingly easy to get around.
A European research project is studying weaknesses in biometric systems in order to make them more secure. The problem for Sébastien Marcel, researcher in biometrics, at the Idiap research institute is that “biometric systems most effective at recognising a person are also potentially the most vulnerable. Every time there is a new attack we have to develop a new counter measure. So there’s still quite a bit to do before we understand why biometric systems are vulnerable.”
Realistic masks are the latest challenge to facial recognition systems. Until recently, infiltrators used photos or videos of the targeted person’s face. Software developed by the researchers prevents such attacks.
Movement is a key element, according Nesli Erdoğmuş, a researcher in 3D face recognition at Idiap: “Firstly, there’s eye blink detection: the software can ask the user to blink at the right moment. That makes it impossible to log in by just showing a portrait of the person to the camera. Another countermeasure is motion detection: a printed face and a real face don’t move in the same way.”
Researchers are working on a further feature that would analyse skin texture. That should allow their biometric software to distinguish a real face from a realistic mask. It seems facial recognition still needs some work, but are fingerprints more reliable?”
Fingerprint patterns are often considered a perfectly secure method of identification – but researchers at the University of Cagliari in Italy have shown that that is not always the case.
Gian Luca Marcialis, a researcher in pattern recognition at the university’s UNICA PRA laboratory says: “Recent studies have shown that it’s possible to con fingerprint systems with artificial fingers, which can be made with material easily bought in a supermarket.”
A fingerprint left on some surfaces, such as glass, can be copied and reproduced within minutes. The quick and cheap process involves making a gum fingertip and replicating the skin pattern of the original. Incredibly, many fingerprint scanners don’t see the difference.
“We can choose a fingerprint stored in the system and use its replica to get an almost perfect match,” says Marcialis.
The proposed solution is so-called ‘liveness assessment’ which, when activated, rejects the scanned fingerprint if the skin texture appears too artificial, as Marcialis explains: “our system measures two things: the pattern match score and the liveness score. So even with a very accurate fake fingerprint an impostor won’t be able to pass through security.”
Despite the successes, keeping one step ahead of the fraudsters is keeping biometrics experts on their toes.