Spoofing: Definition and Overview
Spoofing is a set of malicious techniques aimed at bypassing biometric security.
Essentially, spoofing combines two elements: a) Production and b) Presentation. The former stage implies creation of a synthetic artifact that imitates a certain biometric trait, be it a voice, fingerprint, eye retina, or other traits. The latter stage includes direct presentation of that artifact to the sensors of a biometric system with the goal of bypassing it.
Spoofing — in context of information security — was initially used as a term in 1989 when a computer engineer Steven Bellovin first addressed the issue of IP spoofing. One year prior to that, another researcher Robert Morris designed the famous Morris worm — a malware that could execute an IP spoofing attack.
It is suggested that spoofing attacks appeared together with the first biometric systems — such as the earliest commercial hand geometry recognition developed at the university of Georgia in 1974. A bright example of involuntary spoofing could be observed in Super Bowl 2001 when facial recognition, reportedly, gave no true positives whatsoever.
Finally, the threat began receiving attention in 1998 when, presumably, the first instance of fingerprint spoofing was reported by Network computing. The first liveness detection competition LivDet began in 2009 sparking a constellation of other biometric challenges.
It is suggested that spoofing requires proper evaluation, so effective benchmark systems could be created. To achieve such evaluation, the following elements should be considered:
Public and standardized datasets allow impartial and reproducible evaluation of different aspects of biometric security. They should be legally compliant to avoid privacy violation and distribution issues. As mentioned, researchers and institutions at times ignore the legal issues, which may spark ethical controversy. Besides, datasets should be statistically meaningful. That implies adequate proportion of real/fake samples and minimization of gender and racial bias.
As for the dataset content, it is supposed that they should feature various acquisition methods, artifacts such as noises or inconsistent illumination, and other elements that diversify the attack data. This measure will help to mitigate laboratory vs. real life and prepare a system for unconstrained conditions.
Algorithm and system approaches
Algorithm-based evaluation allows attesting the liveness detection software side of the solution and its know-hows. Its chief advantage is that algorithm-based evaluation is universal for the current solutions. So, a constellation of liveness detectors can be appraised with the same datasets and protocols.
System-based approach doesn’t provide the same evaluation flexibility as the previous method because the hardware architecture (including sensors) is unique in each case. At the same time, it focuses on an anti-spoofing solution as a whole and allows examining its commercial efficacy in a more harmonious fashion.
Main Types of Spoofing
Spoofing types and techniques are predetermined by the existing biometric modalities, among which fingerprint, face, and voice recognition are the most prevalent. Other modalities are also spoofed, even though to a lesser extent.
Facial authorization is the world’s second most popular biometric modality. Besides, facial images are a mandatory part of the identity documents throughout the world and also camera surveillance is often equipped with face recognition algorithms. (As of 2021, China alone had 540 million CCTV cameras installed.)
Malicious actors mostly resort to direct Presentation Attacks (PAs) to bypass facial authentication. Although indirect or injection video attacks are also observed by the research community.
PAs employ a repertoire of attack instruments (PAIs) that vary in quality and creativity. They range from simple facial cutouts to elaborate three-dimensional realistic masks made from latex to resemble human skin, deepfake manipulations, high-level makeup and even plastic surgeries.
Injection attacks imply tampering or replacing video data received by the system with a fake video stream and then presenting it on an internal level — system’s sensors aren’t physically interacted with. To mitigate facial spoofing, respective standardization and techniques are proposed.
As of 2020, about a half of all smartphone users used voice technology integrated into their gadgets. While this modality certainly decreases customer friction, it can also be vulnerable to speech synthesis, replay, voice conversion, and impersonation attacks.
While an Automated Speaker Verification (ASV) system equipped with liveness detection can effectively fend off voice spoofs, it still remains vulnerable to a degree. Voice cloning tools, that are freely available online, only aggravate the issue as their output offers a new level of realism. Speech synthesis, particularly based on the Hidden Markov Model, was first proved to be a threat in 1999.
Currently, a cavalcade of voice anti-spoofing methods are suggested against both replay and synthesis attacks — human impersonation isn’t considered a threat to ASV systems. They include phase spectrum analysis, F0 pattern examination with the unit selection approach, baseline EER monitoring for exposing voice conversion, and others.
Fingerprint recognition is based on analyzing basic patterns — whorls, loops and ridges — that are observed in human fingerprints. They are unique for every individual and do not change their structure over the time, with some slight exceptions. The main recognition algorithms are minutiae matching, correlation-based matching and non-minutiae feature-based matching.
Fingerprint PAIs are usually replicated with simple and available materials: clear gelatin, modelling clay, silicone, etc. Fingerprint samples can be procured through deception or coercion, as well as from leaked databases or even high-definition hand photos.
Human iris is reported to be 5 times more unique than a fingerprint, which also suggests a higher accuracy. At the same time this modality is sensitive to at least two types of PAs: printed/replayed and prosthetic eye attacks.
The former type involves either printed copies or digital iris photos presented from a high-definition screen. The latter type is much harder to execute as it requires financial expenses and a paramount skill level.
Electrocardiogram recognition is reported to be high in uniqueness and performance and medium only in measurability. ECG signals are highly unique for every person indeed, although they can be unstable and fuzzy in case of emotional stress or physical activity.
On the common user level ECG signals are registered with either smartwatches or wrist identity wearables akin to Nymi Band. However, cases of successful ECG spoofing are known. An experiment by Eberz et al. demonstrated that an ECG signal can be intercepted and used for attacking a wearable authentication device.
Spoofing in Multimodal Systems
Multimodal systems combine two or more biometric modalities: fingerprint + face, ECG + vein, and so on. They are generally believed to diminish success chances for spoofing as bypassing more than one modality can significantly increase the amount of cost and effort. However, a study by Rodriguez et al. suggests that bypassing one modality escalates the probability for spoofing others successfully.
- Steven M. Bellovin was at the forefront of spoofing studies
- Studying The History Of Ip Spoofing Information Technology Essay
- Morris worm (Wikipedia)
- Biometrics: Modern History
- That Time the Super Bowl Secretly Used Facial Recognition Software on Fans
- Hand geometry recognition is considered the first commercial biometric system
- Liveness in biometrics: spoofing attacks and detection
- Large Crowdcollected Facial Anti-Spoofing Dataset
- Biometric Spoofing: A JRC Case Study in 3D Face Recognition
- Facial recognition system Vocord tested in ‘field’ conditions
- International Biometric Group Announces the Availability of the Biometrics Market and Industry Report 2009-2014
- Surveillance camera statistics: which cities have the most CCTV cameras?
- Biometric Antispoofing Methods: A Survey in Face Recognition
- The man in the latex mask: BLACK serial armed robber disguised himself as a WHITE man to rob betting shops
- Realistic latex masks are used for spoofing and identity concealment as in the ‘betting shop’ robberies incident
- Voice Search Statistics and Emerging Trends
- What is Customer Friction and How Do You Relieve It?
- On The Security Of Hmm-Based Speaker Verification Systems Against Imposture Using Synthetic Speech
- Schematic representation of voice conversion, which can be used for spoofing
- Spoofing and countermeasures for speaker verification: A survey
- F0 pattern examination
- Fingerprint Sensor Global Market Report 2022
- Facial Recognition Global Market Report 2022
- Fingerprints change over time, but not enough to foil forensics
- Reddit user
- I attempted to fool the new Samsung Galaxy S10's ultrasonic fingerprint scanner by using 3d printing
- German Defense Minister von der Leyen's fingerprint copied by Chaos Computer Club
- A high-quality ocular prosthesis with a realistically painted retina
- Broken Hearted: How To Attack ECG Biometrics
- A Review Of Ecg Based Biometric Systems
- A Survey on Antispoofing Schemes for Fingerprint Recognition Systems