Biometric SpoofingSafer Authentication Protocols Might Not Be Enough

January 31, 2023 | 12 min read

This image was created by artificial intelligence using the following prompts:

Someone having a biometric eye scan, colored red and teal, all other colors muted, wide angle shot

Biometric Spoofing

In a Nutshell

Your face is more unique than your password: that’s the basic idea behind biometrics authentication. Biometrics are powerful, but they can still be spoofed. Today, we're discussing how biometric spoofing works, why it’s a problem, and ways to guard against the danger.

Biometric Spoofing & Consumer Data: What are We Still Missing in Terms of ID Protection?

Passwords. They’re a necessary evil; remembering dozens of different passwords is one of the biggest hassles of the internet age.

While it’s easy to acknowledge the need to keep accounts and devices, passwords almost seem like more trouble than they’re worth sometimes. Well, there’s good news on that front: new technologies like biometrics promise to help ease the password problem. 

Not only are they easier to use,  but biometric security tools are remarkably more secure than traditional passwords. But still, “more secure” doesn’t mean “100% safe.”

Biometrics can still be spoofed. That’s why, in this post, we’re looking at how biometric spoofing works. We’ll see why it’s a problem, and explore some new technologies that promise even greater security.

Biometrics: A Quick Overview

To understand how this works, it will help to take a quick look at the basics of biometrics.

When most people hear of biometrics, they think of fingerprint or facial recognition. That said, there’s actually a wide (and growing) range of techniques being used to digitally identify and validate individuals. For the most part, these can be broken into two main categories: 

Physiological Biometrics

These indicators allow for identification by unique physical characteristics. Some examples include:

  • Fingerprints
  • Vein recognition
  • Iris recognition
  • Retina scanning
  • Facial recognition
  • DNA matching
  • Voice recognition
  • Digital signatures
  • Finger geometry (the size and position of fingers)

Behavioral Biometrics

These indicators allow for identification by measuring patterns of user behavior. Some examples include:

  • Body posture
  • Gait (walking style, for crowd identification)
  • Voice behavior (style, accent, pronunciation, etc.)
  • Keystroke dynamics (speed, duration, pauses, etc.)
  • Cursor movement tracking

Most biometric systems function in a similar way: a device is used to capture and read the user’s biometric identifiers. The data is then converted to a digital numeric code, which will be compared against information on file. Details are based on two factors: how the data was acquired (or created) and the type of biometric markers being used.

Learn more about biometrics

What is Biometric Spoofing?

Biometric Spoofing

[noun]/bī • ō • met • rik • spo͞of • iNG/

Biometric spoofing is an identity theft attack method by which a fraudster attempts to compromise a system secured by biometric detection tools. This is done by using a spoofed (i.e. fake) biometric indicator based on a sample stolen from an actual user.

Used as a first, second, or third form of authentication, biometrics can be an extremely efficient and reliable way to validate an identity claim, offering far more security than passwords or PINs. Biometrics work well because they’re difficult to fake; like any security technology, however, the more popular the process becomes, the more likely fraudsters will try to hijack it for their own gain.

Defend yourself against fraud... in all its forms.REQUEST A DEMO

Biometric spoofing refers to any scheme by which a fraudster defeats biometric data validation and impersonates another individual. For instance, using a fake fingerprint to unlock a device is an example of biometric spoofing. The same applies for using means like deepfake technology to bypass facial recognition technology.

While preventative techniques continue to improve, there are still a number of ways to defeat biometric systems, as we’ll see in the next section.

Bio-Spoofing in Action: The “Gummy Bear” Experiment

In 2002, Japanese researcher Tsutomu Matsumoto was curious to see how easily he could spoof a biometric identity. He managed to capture a latent fingerprint on glass, using just gelatin from a Gummy Bear candy and a plastic mold. This fingerprint was “real” enough to fool a fingerprint sensor in 80% of cases.

How Does Biometric Spoofing Work?

As an example of how biometric spoofing works, let’s look at one of the most commonly used techniques: fingerprint recognition.

Modern systems are considerably harder to fool than older ones. That said, there are still many ways to copy or create workable imitation fingerprints using a range of easily accessed materials. An individual’s fingerprints can be captured using:

  • Paper printouts of fingerprint photos
  • Gelatin (animal collagen) or wax (organic or petroleum-based)
  • Modeling clay or Play-Doh (Play-Doh can be particularly effective if the color reflects natural skin tones)
  • Pliable Silicones (used for dental impressions)
  • Latex (natural rubber)
  • Regular school glue or wood glue
  • Silly Putty (can be mixed with other elements for better conductivity)

Again, many of these techniques (and others) will only work with older scanners. However, the more widespread use of biometric technology is incentivizing fraudsters to do their research and discover new methods of defeating these systems.

New tech is making other biometric verification methods open to attacks. Fraudsters now have means to defeat iris, vein, and even DNA-based systems.

Even scarier? With the right biometric hacking software, fraudsters may also be able to create AI-generated deepfakes that register as authentic human beings. Deepfakes use a form of artificial intelligence (or “deep learning”) to produce bogus images of fingerprints, retinal patterns, and so on. Advanced deepfake technology can even create convincing fictional photo profiles from scratch.

What Makes Biometric Spoofing Different From Other Threats?

When functioning correctly, there are many advantages to using biometrics as a form of authentication.

Unlike static forms of authentication, biometric identification is intrinsic to an individual. It cannot be lost or transferred. It is person-specific, and is easy to use. But, all these benefits depend on systems being implemented and performing correctly.

If things go awry, biometrics theft can cause more trouble for its victim than identity theft. With the latter, fraudsters steal an online profile. If biometrics are stolen, they take the entire victim, for all intents and purposes.

Think about it: if personal information gets out, passwords and account numbers can be changed. That’s not the case with biometric data. You can’t switch out your face or fingerprint; that information is permanent, and as such, is permanently compromised.

Bio-Spoofing in Action: Cross-Border Travel for $15 or Less

In January 2012, a journalist successfully spoofed a biometrics device used for immigration clearance at the Hong Kong-China border. His biometric hacking tool? A fingerprint cast bought online for less than $15.

Biometrics information is essentially available everywhere. Wherever people go, they leave fingerprints behind on door handles, chairs, tables, or any other surface they touch. And procedural television crime dramas have shown fraudsters multiple ways to lift those prints for misuse.

Human uniqueness increases the difficulty of using capturing and reproducing biometric data, but the potential is still there. Accounts can be created with stolen fingerprints, as can “Frankenstein” profiles that combine fake prints with data from other users.

It gets worse. Researchers from NYU have demonstrated that by manually combining various features and characteristics, they can create a “master print,” or a fingerprint that can work for multiple people. That technology could function as a type of “skeleton key” to access a myriad of different systems.

How Much of a Threat is Biometric Spoofing?

At this stage: a moderate threat.

Identifying which specific person or persons have access to the correct data is comparatively easy. The same can be said about finding what kind of biometric reader is being used by the intended victim. Getting workable data, on the other hand, is more troublesome.

Biometric marker information is stored in secured databases, and like all digital storage methods, these are vulnerable to hacking. Modern biometric systems have rigid encryption protocols for the depersonification of information, though.

Personal data, biometric templates, photographs, and more are stored in separate databases. A professional hacker may steal the info, but tying all the pieces together would be next to impossible.

Biometric hacking is only one of the many fraud threats merchants face. We can help you plan for all of them.REQUEST A DEMO

Biometric information from a large data breach may actually pose less of a risk than individual, dedicated fraudsters. A scammer targeting one, specific individual with silly putty is more dangerous than a hacker, from a biometric standpoint. That doesn’t mean, however, that data breaches can’t happen.

Bio-Spoofing in Action: Faces for Sale

In one instance, the fingerprints, admin panels, dashboards, facial recognition data, face photos of users, unencrypted usernames and passwords of over 1 million people were discovered on a publicly accessible database.

Spoofing personal traits is not the easiest way to commit fraud. Criminals are likely to try other channels or even other targets before attempting to bypass biometric security. Nonetheless, the threat is real.

Can Biometric Spoofing Be Prevented?

If they can bypass biometric roadblocks, fraudsters can access consumers’ most sensitive and vulnerable information. Anything from digital wallets and bank accounts to Social Security numbers, birthdates, and more could be at risk.

A spoof-proof biometrics authentication system doesn’t exist, but it’s not because developers aren’t trying. A couple of the more promising solutions for biometrics fraud are multi-model systems and liveness detection:

Multi-Modal Biometric Systems

If faking one characteristic is difficult, it should be exponentially harder to fake two in conjunction. That’s the thinking behind multi-modal biometrics. This works by simultaneously validating more than one biometric trait, such as fingerprint and facial recognition. Not only do both markers need to match previous readings, they also have to match each other.

While this is an excellent first step toward reducing vulnerability, even multi-modal biometric systems can be breached. Again, developers continue to work on the problem. 

Liveness Detection

A more recent technology, liveness detection, is also showing great promise. Like multi-modal systems, liveness detection relies on more than one marker for its decisioning. In this case, however, the process seeks to verify the authenticity of a person by looking for genuine signs of life.

Liveness detection makes it harder to spoof the system by taking things like blinking, smiling, head tilts, and even emotional reactions and comparing them to known standards. This helps ensure that the person presenting the biometric data is dynamic — i.e. alive — rather than being a static representation like a photograph. 

Even with this advancing technology, future ID prevention solutions still need to expand beyond conventional thinking.

Not all protection lies in biometric programs. Strategies must also incorporate such factors as scanner intelligence and geolocation capabilities.

Gauging the physical actions of the purchaser is great. That said, it would be better to include ongoing behavioral patterns that make up their purchasing history. Where and when they shop, for example, along with the profile and location of the merchant. These behavioral indicators could be the key to making biometrics a more perfect solution.

A Final Word

Unless a merchant is actively using some type of biometric identification themselves, most information on the subject is rhetorical. While over 75% of Americans have used biometric technology of some kind, widespread adoption is mostly in the areas of healthcare, banking, and law enforcement. Its use by merchants for payment authentication is still limited.

Biometrics alone are not a silver bullet to safeguarding identity. In cases of consumer fraud, it’s good to keep in mind that biometric spoofing is only one of many threats. Even if biometrics were a common verification method, it still wouldn’t help at all with post-transaction fraud such as chargeback abuse.

In the end, no single method can provide all the fraud management merchants need. The only real solution is to combine the right tools and strategies to optimize all fraud strategies.

FAQs

Can fingerprints be spoofed?

Yes. At the moment, fingerprint spoofing is technically possible, but biometric technology continues to evolve, and new techniques – combining multiple biometric authenticators, for example – promise additional protections. For now, most fraudsters still gravitate to more easily hacked protocols, such as passwords.

What is biometric spoofing?

Biometric spoofing is a term for illegally gaining access to user data by faking biometric identifiers (fingerprints, facial recognition, etc.).

Can biometric systems be hacked?

In a manner of speaking, yes. Biometrics are among the best data protections available, but to date, no form of authentication has proven to be 100% secure. With the right tools and knowledge, hackers may still be able to access information by duplicating someone's biometric signature.

What happens if biometric data is stolen?

Leaked credit card or account data can be reported and fixed by changing numbers; stolen biometric data is trickier, since people can’t easily change their face or fingerprints. Admittedly, that feature makes it hard for fraudsters to use the information, but, if the metadata associated with the bio-data were also leaked, cyber thieves might be able to access accounts in that manner.

What are the main types of biometrics?

Biometrics can cover a wide range of methods. The two main categories are physiological biometrics and behavioral biometrics. The former is more common, and refers to unique physical characteristics, such as facial recognition, fingerprints or finger geometry, retina or iris scan, and finger/hand veins. A type of behavioral biometrics would be keystroke dynamics, which measures the time it takes to press each key, delays between keys, characters typed per minute, and so on.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
triangle shape background particle triangle shape background particle triangle shape background particle
Please share a few details and we'll connect with you!
Revenue Recovery icon
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form