More and more valuable digital data is stored online—and more and more threat actors would love to get their hands on that digital data.
Although there are many ways for criminals to access data that is not theirs, one of the most common methods is to steal data using a legitimate person’s credentials.
Since 2008, Verizon has compiled an annual Data Breach Investigations Report (DBIR). The results and analysis from the 2022 edition document findings from over 914,547 incidents and 234,638 breaches for which Verizon and its partners have data. A few of the key results:
- Breaches affect a variety of industries, including financial services, healthcare, retail, and others.
- 80% of breaches resulting in data compromise come from outside the targeted organization.
- 96% of these external breaches are motivated by financial or personal gain.
- The chief variety of breaches (over 40% of all breaches) is credential theft (hacking).
It is not hard for dedicated criminals to perform credential theft. Sometimes it is possible to guess a person’s password, especially if the person’s password is the word “password” (too many people do this). At other times, a criminal may induce a person to give away their legitimate login and password: for example, by persuading the person to “login” on a spoofed website that appears to be a legitimate website.
Once a criminal has a person’s login name and password, the criminal has access to all the legitimate user’s data. If the goal is financial gain, the legitimate user’s account balance can be drained in seconds.
There are alternatives to logins and passwords, of course, such as passkeys as used by the FIDO Alliance and companies such as Apple. While passkeys are considered more secure than passwords, they depend upon other technologies to identify the user. For example, Apple’s passkeys use technologies such as Touch ID and Face ID, which of course use biometrics.
Can biometric credentials be stolen?
The spoofing examples above assume that the account credentials used to authenticate system access consist of a login name and a text password.
While many systems still govern access by logins and passwords alone, there are other ways to manage system access. One emerging method of controlling system access is by using biometric features, such as fingerprints, faces, or irises, in place of or in addition to a text password.
For example, a person authenticating access to a system will place their face in front of a smartphone, kiosk, or computer camera, and the system will calculate the features of the face and compare them against the features on file for the verified account holder. If the two match, the system will grant access.
This method works…as long as a hacker doesn’t “steal” your biometric attributes in the same way that hackers steal passwords. And yes, it is possible to “steal” biometric attributes…but there are also ways to protect against this, as we shall see.
For faces, credential theft could happen in one of two ways:
- A criminal can present a picture or a video of the legitimate person’s face and use that to gain access to the system. When the system expects to see the person’s live face, the criminal would present the picture or video of the person’s face instead.
- If the criminal wants to get fancier, the criminal can design a mask that looks just like the legitimate person’s face and wear that mask while trying to access the system. The system then “sees” a face that appears to be the legitimate user’s face.
However, advanced biometric authentication systems are not fooled by pictures, videos, or masks. They include features that allow detection of instances in which a bad actor tries to spoof a legitimate face. Properly designed biometric authentication systems only allow “live” faces to be used for system access.
Active liveness detection is not the best solution
One of the first ways that biometric authentication systems defeated spoofing was to implement a form of “liveness detection” to ensure that the face presented to the camera was truly the person’s face, and not just a picture or mask of a face.
The original solution for “liveness” was to ask the person to perform specific facial movements. After all, a static image can’t move.
The method to implement “active” liveness detection was to ask the person to perform a set of actions on command in front of the camera capturing the face. In theory, the person had no idea what actions would be requested, so the person couldn’t pre-record a video with the correct facial movements.
For example, the authenticating system may place a dot on the screen and ask the person to move their face in the same pattern in which the dot moves. This proves that the face in question is truly a live face and not just a static image of a face.
There are two drawbacks to active liveness detection, however:
- It takes time. Customers want to access their accounts as quickly as possible. They don’t want to wait an extra several seconds and complete a series of head movements. They want to look at the camera and access their account immediately.
- It can be difficult. In the real world, it can be hard for a user to move their face in a specific pattern. I remember my personal frustration in using some of the first active liveness detection systems. If you failed to move your face in just the right way, you’d encounter an error. Repeated failures in face movement would result in repeated errors. After too many errors, the user may give up in frustration, abandoning the solution. (68% of users who start a financial institution’s digital onboarding process abandon it, for reasons such as this.)
Is there a way to perform liveness detection without taking the time to move your head in multiple different directions?
Incode’s pioneering passive liveness detection solution
To provide security while simultaneously promoting ease of use, Incode pioneered a passive liveness detection system when developing the authentication system for Incode’s products.
Passive liveness tests detect spoofs by examining motion or skin texture on a single image without requiring the user to move their head in various directions. Accurate passive liveness detection not only offers security against fraud, but at the same time maintains a frictionless user experience. The user securely accesses the system without taking excessive time or bobbing their head around.
On August 23, 2019, iBeta announced that it had conducted Presentation Attack Detection (PAD) testing on Incode’s solution. Despite 1,500 attempts to spoof a live face, 0 of the attempts was successful. Incode was one of the first companies to receive a confirmation letter from iBeta documenting the success of our liveness detection solution.
This ability to reliably authenticate a user based on their live face dramatically reduces opportunities for criminals to access data in Incode-protected systems. Both users of these systems and the institutions that implement them are assured that user data remains secure and private.
And there is a lesser chance of users encountering a news headline stating that they have been the victim of the latest criminal hack.
Many government organizations and regulated public entities already trust Incode. Today, Incode’s identity solutions are impacting people worldwide with convenience and outstanding user experience, providing security they require.
If you would like to learn more about how Incode’s technology can protect your organization from credential theft, contact us for a demo.