Staying Ahead of Facial Authentication Attacks – Key Lessons Learned

By Mohamed Lazzouni, CTO, Aware

While passwords are still the most common authentication method for online banking and mobile financial services apps, they are easily stolen, reused and forgotten. Moreover, the friction of the password reset process is a very real pain point for users: according to one recent survey, approximately two out of three consumers report avoiding or dreading the password reset process.

Enter facial authentication, which is both more secure and more user friendly than passwords. Unlike a password, a face cannot be forgotten, written down or shared, and matching it is faster and less intrusive than typing a secret. As a result, many leading financial services firms are adopting facial authentication, but these systems can still be attacked and subverted if the right technology and support services are not in place.

Drawing on our real-world experience with a major international bank, this article describes the types of attacks facial authentication systems face and the protections that can be implemented to thwart them. Lastly, we discuss best practices and key takeaways for other financial services firms.

Attacks Against Facial Authentication Systems

The most common attacks, often referred to as “spoof” or presentation attacks, dupe a facial authentication system by presenting a “face artifact” to the camera in place of a live face – for example, a photo taken from a stolen ID card or harvested from social media. Just a few weeks ago, Trend Micro issued a report exploring how social media threatens the security of biometric data (for example, trends like #EyeChallenge on TikTok expose iris patterns of high enough quality to pass some iris scanners). The attacker’s goal is to make the device believe it is seeing the face of an authorized person, so that accounts can be opened or accessed fraudulently.

Another type of attack is the injection attack, which fraudsters can mount with off-the-shelf and open source software. The term is borrowed from application security, where untrusted input is injected into a program and interpreted as part of a command. In the biometric context it means something more specific: rather than holding an artifact up to the camera, the attacker bypasses the capture step altogether, feeding pre-recorded or synthetic imagery into the capture pipeline (for example through a virtual camera, a hooked camera API or an emulator) or tampering with the traffic between the client and the identity verification server so that the unauthorized user is allowed access.

Protection: Liveness Detection and a Multi-Layered Approach

The first, most vital step in protecting facial authentication systems is liveness detection: an algorithm, typically machine-learning based, that distinguishes a live human face in front of the camera from an artifact such as a photo, a screen replay or a mask. Note its scope: liveness detection counters presentation attacks at the sensor; an injection attack that bypasses the sensor has to be addressed by the additional layers described below.

However, in recent years the sophistication of presentation attacks has increased dramatically, with fraudsters using deepfakes, morphs and masks to evade liveness detection. For example, an attacker might cut the eyes out of a photograph and hold it over their own face in front of the camera, so that their live eyes show through, or even have a 3D mask produced specifically for this purpose. The goal is to use the liveness of the real eyes and/or the quality of the mask to get past the biometric checkpoint.

In addition to liveness detection, other best practices need to be considered and applied, including both biometric and non-biometric protection layers. While no system is perfect, the goal of these added measures is to keep attackers from reading or tampering with facial images as they are captured, transmitted and stored. The best assurance is to protect the data at every phase – from the point of acquisition, through transfer, to processing – so that an image that did not originate from a trusted capture cannot be slipped in anywhere along that path. As a result of liveness detection and these added protections, the bank we worked with achieved an 87 percent reduction in fraud from May to October 2022.
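The injection attack described above and the “protect the data from acquisition through transfer to processing” principle in this section both come down to one question for the verification server: did this capture really come from a trusted capture step, just now, and unmodified? The following is an added illustration of one non-biometric layer that answers it, a challenge-bound, authenticated capture envelope. It is not Aware’s code or the bank’s system; the device identifier, device key, frame bytes and message format are constructed for the example, and HMAC stands in for the hardware-backed asymmetric device key a real deployment would use.

```python
"""Challenge-bound capture envelope: a transport-layer check against replay
and injection of biometric captures. Added illustration, not Aware's code;
device ids, keys, frame bytes and field layout are constructed for the example.

Flow:
  1. The server issues a single-use nonce to the client session.
  2. On the device, the capture code hashes the frames it captured and MACs
     (device_id, nonce, timestamp, frame_hash) with a per-device key
     provisioned at enrolment.
  3. The server accepts only if the nonce was issued and is unused, the
     timestamp is fresh and the MAC verifies, then burns the nonce.
HMAC keeps the example on the standard library; a real deployment would use a
hardware-backed asymmetric device key so the signing key never leaves the device.
"""
import dataclasses
import hashlib
import hmac
import secrets
import time

FRESHNESS_SECONDS = 30

# Constructed: per-device keys as they would sit in the server's key store.
DEVICE_KEYS = {"device-A": secrets.token_bytes(32)}


@dataclasses.dataclass(frozen=True)
class CaptureEnvelope:
    device_id: str
    nonce: str
    timestamp: int
    frame_hash: str  # SHA-256 of the captured frames, hex
    mac: str         # HMAC-SHA256 over the other four fields, hex


def _signing_input(device_id: str, nonce: str, timestamp: int, frame_hash: str) -> bytes:
    # Length-prefix each field so different field boundaries cannot collide.
    fields = [device_id.encode(), nonce.encode(), str(timestamp).encode(), frame_hash.encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def _mac(key: bytes, device_id: str, nonce: str, timestamp: int, frame_hash: str) -> str:
    return hmac.new(key, _signing_input(device_id, nonce, timestamp, frame_hash), hashlib.sha256).hexdigest()


class CaptureClient:
    """Stands in for the capture SDK running on the user's device."""

    def __init__(self, device_id: str, key: bytes, clock=time.time):
        self.device_id, self._key, self._clock = device_id, key, clock

    def capture(self, frames: bytes, nonce: str) -> CaptureEnvelope:
        frame_hash = hashlib.sha256(frames).hexdigest()
        ts = int(self._clock())
        return CaptureEnvelope(self.device_id, nonce, ts, frame_hash,
                               _mac(self._key, self.device_id, nonce, ts, frame_hash))


class VerificationServer:
    def __init__(self, device_keys: dict, clock=time.time):
        self._keys, self._clock = device_keys, clock
        self._issued: set = set()
        self._used: set = set()

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def verify(self, env: CaptureEnvelope) -> str:
        """Return 'ok' or the rejection reason; the nonce is consumed only on success."""
        key = self._keys.get(env.device_id)
        if key is None:
            return "unknown device"
        if env.nonce not in self._issued:
            return "unknown nonce"
        if env.nonce in self._used:
            return "replayed nonce"
        if abs(int(self._clock()) - env.timestamp) > FRESHNESS_SECONDS:
            return "stale timestamp"
        expected = _mac(key, env.device_id, env.nonce, env.timestamp, env.frame_hash)
        if not hmac.compare_digest(expected, env.mac):
            return "bad mac"
        self._used.add(env.nonce)  # single use: the same envelope cannot be replayed
        return "ok"


class FakeClock:
    """Settable clock so the freshness check can be exercised deterministically."""

    def __init__(self, now: int = 1_700_000_000):
        self.now = now

    def __call__(self) -> int:
        return self.now


def demo() -> dict:
    """Run one genuine capture and three attack variants; return the verifier's decisions."""
    clock = FakeClock()
    server = VerificationServer(DEVICE_KEYS, clock)
    client = CaptureClient("device-A", DEVICE_KEYS["device-A"], clock)
    live_frames = b"constructed stand-in for frames from the device camera"
    results = {}

    env = client.capture(live_frames, server.issue_challenge())
    results["genuine"] = server.verify(env)
    results["replay"] = server.verify(env)  # identical envelope submitted again

    # Injection: pre-recorded footage swapped in after capture. Without the
    # device key the attacker cannot re-MAC the new frame hash.
    env2 = client.capture(live_frames, server.issue_challenge())
    injected = dataclasses.replace(env2, frame_hash=hashlib.sha256(b"pre-recorded video").hexdigest())
    results["injected"] = server.verify(injected)

    # Delayed submission: a genuine envelope held past the freshness window.
    env3 = client.capture(live_frames, server.issue_challenge())
    clock.now += FRESHNESS_SECONDS + 1
    results["stale"] = server.verify(env3)
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:9s} -> {decision}")
```

Two caveats a practitioner should keep in mind. First, the envelope only authenticates what the capture code hashed; an attacker who controls the device can feed a virtual camera upstream of the hashing step, which is why the device key should live in hardware (Secure Enclave, Android Keystore) and be tied to a device integrity attestation. Second, this is a non-biometric layer: it tells the server the frames arrived fresh and untampered from a trusted capture, and liveness detection still has to decide whether those frames show a live person.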

Best Practices and Key Takeaways

There are several lessons from our work with this bank that others should consider:

  • Learning from Operational Realities: It’s one thing to outline what can theoretically be done in the event of a biometric authentication attack, but that’s very different from applying solutions in the real world and in real time. When working with this bank, we were able to assess these attack vectors and apply protection measures directly and extremely quickly. Additionally, we were able to enhance the effectiveness and accuracy of our algorithms based on the data on the attack vectors supplied by the bank. This relationship benefited both our own efforts and the bank’s security work as attack vectors evolved.
  • Approach the Problem Comprehensively: Addressing complex security issues while maximizing the usability of the system can be a hard balance to strike. Most banks recognize the need to make trade-offs between customer convenience and security; in fact, many view it as just the cost of doing business. The major U.S. credit card companies, for example, lose almost $9.5 billion to fraud each year, in large part because they maintain authentication systems that may be too easy to use. The bottom line is that when implementing security protections, usability needs to be valued as much as security.
  • Ensure a Quality Partnership: When selecting a biometric technology partner, banks should choose a true partner that’s willing to go above and beyond to solve problems, so that if a security issue arises anywhere in the pipeline – data acquisition, transfer or processing – the partner has the resources and expertise in place to address it.

Conclusion: Given the rise in data breaches, the industry needs more secure authentication – passwords are no longer strong enough, and biometric methods are gaining adoption. As financial services firms grow more receptive to facial authentication, they must also stay one step ahead of emerging threats. By working with the right technology partners, these firms can realize the full benefits of facial authentication – stronger security and reduced fraud combined with the convenience that keeps users loyal to the brand.