However, different liveness solutions provide varying levels of security. Some of them only protect against simple kinds of fraud, like tricksters wearing paper masks; while others can handle cunning hacks such as man-in-the-middle attacks.
At Sumsub, we’ve spent years testing out the various liveness technologies on the market. Today, we want to share with you how tricksters bypass liveness and provide insights into choosing the best identity fraud protection.
When it comes to fooling facial biometrics, the oldest trick in the book is to wear a mask. Indeed, fraudsters use silicone masks, printed photographs of other people, or even life-size mannequins to get onboarded or hack into accounts. This kind of fraud is known as ‘face spoofing.’
The second method of tricking liveness is a bit more advanced. It involves fraudsters hacking into cameras and injecting pre-recorded videos or hacking the server itself and editing uploaded biometric data. This method is referred to as bypassing.
Method 1: Spoofing
Chinese scholars recently discovered that Face ID, Apple’s facial verification system, can be easily hacked
by placing glasses—with two black dots taped in the middle—on the face of a sleeping device owner. Such a trick unlocks Apple devices since Face ID cannot thoroughly scan the eyes of a person wearing glasses. This is one of the simplest spoofing techniques out there. Now let’s take a look at some more complex methods.
How fraudsters use pictures to spoof liveness
In the era of social media, fraudsters can obtain almost anyone’s picture and use it to fool face verification. Therefore, if a liveness technology does not analyze the depth of an image, fraudsters can simply use social media images to hack devices and accounts.
This is indeed the case with the Samsung Galaxy S10’s face recognition system—which can be easily tricked
by using someone’s photo on a screen.
Fraudsters can also use a similar method to gain access to people’s bank accounts, among other sensitive information.
Using video to fool liveness
In our industry, conventional wisdom states that if a liveness system asks users to make movements like winking or blinking, it becomes impossible to trick the system.
Unfortunately, these movements can be recorded in advance, and some liveness systems fail to recognize these pre-recorded videos, as is the case
with the USAA Bank.
Face spoofing with masks
Fraudsters can spoof liveness systems by using a wide range of props, from paper masks to life-size mannequins.
There are silicone masks so realistic that it is impossible to detect when a fraudster wears one. Criminals in fact used this loophole to impersonate the French Defense Minister and were able to steal $90 million
. They did this by phoning heads-of-states, wealthy businessmen and large charities via Skype and claiming that they needed money to save people kidnapped by terrorists.
Silicone masks can work if liveness technologies do not scan skin texture, blood flow, and the other characteristics of a real face.
Using deepfakes to trick liveness
In 2018, a video in which Barack Obama called Donald Trump certain names went viral
. The video was so realistic that many actually believed it. However, in reality, this was a deepfake.
Deepfakes are videos or audios that have been created using artificial intelligence. If initially deepfakes were used to cause harm to famous persons or just have a laugh with a friend, the evolution of this technology has led to companies being frightened
that deepfakes could threaten their businesses.
Fraudsters are increasingly using
deepfake technology to impersonate CEOs and steal money from corporations. In 2019, the Wall Street Journal reported
that criminals had used AI-based software to deepfake the voice of a UK CEO and stole $243,000 USD.
Deepfake technology can also be used to spoof or bypass liveness. Since everyone can create a deepfake at little to no cost, as there are many free deepfake generators, fraudsters can easily face-swap with the individual they want to hack and gain access to their account.
Method 2: Bypassing
Bypassing liveness does not involve impersonation. Instead, fraudsters hack the liveness system itself by swapping-in or editing biometric data.
Every liveness technology contains three weak points that hackers can target: