Why masks aren’t just scary at Halloween: investigating growing biometric fraud vectors

October 31, 2019

From witches, to ghosts, to clowns, scary masks are everywhere at Halloween. But what about a mask of your own face, or your customer’s? You may think there’s nothing scary about that, until that mask ends up on someone else’s face. And that someone else is committing identity fraud.

2D and 3D masks are just one of the more sophisticated techniques that fraudsters have developed when it comes to targeting facial biometric technology. 

In the fight against identity fraud, biometric verification plays an important part. When combined with document verification and identity database checks, you have a powerful and comprehensive ID verification solution at your fingertips. But what happens when fraudsters go to more extreme lengths to try and trick your identity checks? How can you protect your business?

We’ll take a look at some of the lengths fraudsters are going to in their attempts to fool facial biometrics. But first, let’s remind ourselves of the role biometrics plays in identity verification.

Why use biometrics as a part of identity verification?

When you ask for a user’s name, date of birth, and address—and compare that data to what is held by a credit bureau—you’re only able to protect against fake data. This information doesn’t protect you against fake identities.

If you ask for an ID, the risk of impersonation drops. However, it’s nearly impossible to detect IDs that haven’t yet been reported as stolen or added to a law enforcement database. This is where biometrics comes in.

Facial biometrics can be used to prove that the person is truly the owner of the government-issued identity document they've presented. Sophisticated technology compares the facial characteristics of the user presenting the ID document, with the photo (or photos) on the document itself. This adds an extra layer of protection against stolen IDs and impersonation attacks.

But criminals are continuing to find new ways to impersonate a real identity or invent a false one. From amateur to highly sophisticated attacks, they are endlessly creative.

So what lengths are fraudsters going to in their attempts to fool biometric technology?

Spoof selfies, fake masks—can fraudsters trick biometric technology?

Social media profile pictures, readily available photos or screenshots from the web—these are just some of the ways fraudsters get hold of a victim’s photo. These photos can then be used to create fake masks.

Fraudsters use advanced printing technologies to create a 2D mask of a victim’s face. And it’s easy to buy a 3D mask online for a few hundred dollars. Cutting out eyeholes then allows them to respond to commands from an eyeball tracking solution.

Fraudsters also use digital tools to alter their faces and others, then re-publish the results as photos or videos. They can also create deep fake videos, controlling a live video of someone else’s face, along with a realistic live voice that is mapped to facial gestures.

Masks are a highly-sophisticated type of impersonation fraud, and require a sophisticated solution. Any identity verification process used by your business needs to be able to catch sophisticated attacks, as well as common ones. Simply using biometrics to match an image of the person who owns the ID with the photo on the ID, won’t catch the range of attack vectors that are out there. So what’s the solution?

Using deep-learning algorithms as part of a biometric verification solution

Getting your user to take a selfie or live video helps prevent a variety of fraud attack vectors. Deep-learning based algorithms can identify masks, image printouts and photos on screens. 

But how does this work exactly?

Onfido’s algorithm goes through any image captured from a user and extracts patches. It uses textural analysis to look for patterns. This is an effective way to identify  print outs or photos of digital screens. The aim is to make sure there is always a real human face being used as a comparison with the photo on the ID document.

When it comes to masks, live videos add an extra layer of protection. In the first place, fraudsters are highly unlikely to have a video of the person they are impersonating. And by asking users to move their head or speak random characters aloud, means we can track their face during the video. 

The movement aspect identifies anyone wearing a 2D mask by capturing a 3D video of their face. And by asking a user to speak characters out loud means they have to move their jaw. This in turn moves their whole face. Lip synching technology will then detect whether a 3D mask is present.The randomness aspect of the challenge also prevents the fraudster from using a deep fake video.

As sophisticated types of digital identity fraud increase, it’s more important than ever that your ID verification solution is sophisticated enough to deal with the attacks. We believe facial biometrics and deep-learning algorithms are a key part to this solution. How else can we catch the fraudulent ghosts and ghouls that are hiding in the shadows?

Previous Article
What is digital identity verification?
What is digital identity verification?

We take a look at what digital identity verification is, why it became necessary, and how you can use it to...

Next Article
Onfido’s Fraud Index Reveals Criminals Professionalizing, Working Typical Workweeks
Onfido’s Fraud Index Reveals Criminals Professionalizing, Working Typical Workweeks

Remote verification needs to keep up with the fraudsters