What is Biometric Spoofing?
Betrayed by Biology
What is Biometric Spoofing? Definitions & Overview
We’ve been told that biometric security represents an upgrade from alphanumeric passwords.
That’s largely true; in many ways, biometrics are more secure. After all, you can forget a PIN or lose a key fob, but you can’t misplace your own face or leave your fingerprint at home. Even so, biometrics aren’t invulnerable to fraud.
While biometric markers like fingerprints or facial features are unique to you, they’re still essentially data, and all data can be stolen, copied, or replayed. Worse, unlike a password, a fingerprint or face can’t be reset once a usable copy leaks. That’s the essence of biometric spoofing: the malicious act of tricking a computer into thinking a fake copy of a biological trait is the real, living deal.
Biometric Spoofing
Your face is more unique than your password: that’s the basic idea behind biometric authentication. Biometrics are powerful, but they can still be spoofed. Today, we're discussing how biometric spoofing works, why it’s a problem, and ways to guard against the danger.
Biometrics: A Quick Overview
To understand how this works, it will help to take a quick look at the basics of biometrics.
When most people hear of biometrics, they think of fingerprint or facial recognition. That said, there’s actually a wide (and growing) range of techniques being used to digitally identify and validate individuals, including:
- Fingerprints
- Vein recognition
- Iris recognition
- Retina scanning
- Facial recognition
- DNA matching
- Voice recognition
- Signature recognition (the way a signature is written, as distinct from cryptographic digital signatures)
- Finger geometry (the size and position of fingers)
Most biometric systems function in a similar way: a sensor captures the user’s biometric trait, the capture is converted into a numeric template, and that template is compared against the one on file. The details vary with how the sample is acquired (or, in the case of a spoof, created) and with the type of biometric marker being used.
The Biometric Payment Process
Biometric payments are most commonly seen with the use of contactless payment apps like Apple Pay or Google Pay.
Under the hood, biometric payments are pretty complex. The user experience, however, is designed to be seamless.
First, a customer registers their biometric features via a fingerprint, face, or iris scan. The biometric payment system then captures this raw data and converts it into a biometric template — a mathematical representation of the data — instead of storing the actual image itself.
The biometric template is encrypted and stored either locally on the user’s device (like Apple Pay or Google Pay) or in a cloud-based database. This is done to keep this personally identifiable information (PII) secure. All future authentication attempts are then compared against this template.
When a customer is ready to pay, they present their biometric data by touching a sensor or looking at a camera. Their device captures a live sample, converts it into a template of the same form, and uses a matching algorithm to compare it against the enrolled template. If the new sample matches the stored template within a configured similarity threshold, the payment is authorized. Where that threshold sits is a trade-off: set it too loose and impostors are falsely accepted; set it too tight and legitimate users are falsely rejected.
Despite its complexity, the biometric payment process is very fast. A biometric payment can usually be completed in a matter of seconds.
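The enrollment-and-match flow above, as an added example in Python (not code from the original article, Apple Pay, Google Pay, or any other vendor). The "trait" vectors, the sensor noise model, and the 0.90 cutoff are constructed assumptions standing in for what a real feature extractor and tuned threshold would produce; the point is the shape of the process, not the numbers. The block also shows why the earlier observation that biometric data can be "stolen, copied, or replayed" matters: the matcher only ever sees a feature vector, so a byte-for-byte replay of a captured sample scores exactly as the live presentation did.

```python
"""Enrollment and threshold matching for a toy biometric template.

Added example; not code from the original article or any payment vendor.
TRAIT_A/TRAIT_B and the noise model are constructed stand-ins for what a
feature extractor would derive from a real capture.
"""
import math
import random
from typing import List, Tuple

Vector = List[float]

# Assumed similarity cutoff. Real deployments tune this per sensor and risk level.
MATCH_THRESHOLD = 0.90

# Constructed "underlying traits" for two subjects (not real biometric data).
TRAIT_A: Vector = [0.8, -0.3, 0.5, 0.1, -0.7, 0.4, 0.2, -0.6]
TRAIT_B: Vector = [-0.2, 0.6, 0.1, -0.9, 0.3, -0.5, 0.7, 0.2]
SENSOR_NOISE = 0.05  # assumed per-dimension variation between captures


def capture(trait: Vector, rng: random.Random, noise: float = SENSOR_NOISE) -> Vector:
    """Simulate one sensor reading: the underlying trait plus per-capture noise."""
    return [v + rng.gauss(0.0, noise) for v in trait]


def normalize(v: Vector) -> Vector:
    """Scale a vector to unit length so comparison depends on direction only."""
    norm = math.sqrt(sum(x * x for x in v))
    return [x / norm for x in v]


def enroll(samples: List[Vector]) -> Vector:
    """Build the stored template as the normalized mean of several enrollment captures.

    The raw captures are discarded; only this mathematical representation is kept.
    """
    dims = len(samples[0])
    mean = [sum(s[i] for s in samples) / len(samples) for i in range(dims)]
    return normalize(mean)


def similarity(template: Vector, sample: Vector) -> float:
    """Cosine similarity between template and sample (1.0 means identical direction)."""
    a, b = normalize(template), normalize(sample)
    return sum(x * y for x, y in zip(a, b))


def verify(template: Vector, sample: Vector, threshold: float = MATCH_THRESHOLD) -> bool:
    """Authorize only if the live sample matches within the configured threshold."""
    return similarity(template, sample) >= threshold


def error_rates(template: Vector, genuine: List[Vector], impostor: List[Vector],
                threshold: float) -> Tuple[float, float]:
    """Return (false reject rate, false accept rate) at a given threshold."""
    frr = sum(1 for s in genuine if not verify(template, s, threshold)) / len(genuine)
    far = sum(1 for s in impostor if verify(template, s, threshold)) / len(impostor)
    return frr, far


def replay_is_indistinguishable(template: Vector, captured: Vector) -> bool:
    """A replayed copy of a captured sample scores exactly as the original did.

    Nothing in the matcher distinguishes a live presentation from a stolen copy
    of it; that gap is what biometric spoofing exploits.
    """
    first = similarity(template, captured)
    replay = similarity(template, list(captured))  # byte-for-byte copy of the capture
    return first == replay and verify(template, captured)


def demo() -> dict:
    """Enroll subject A, then try a genuine, an impostor, and a replayed sample."""
    rng = random.Random(7)  # fixed seed so the run is reproducible
    template = enroll([capture(TRAIT_A, rng) for _ in range(3)])
    live_a = capture(TRAIT_A, rng)
    live_b = capture(TRAIT_B, rng)
    genuine = [capture(TRAIT_A, rng) for _ in range(200)]
    impostor = [capture(TRAIT_B, rng) for _ in range(200)]
    return {
        "genuine_accepted": verify(template, live_a),
        "impostor_accepted": verify(template, live_b),
        "replay_accepted": replay_is_indistinguishable(template, live_a),
        "rates_at_0.90": error_rates(template, genuine, impostor, 0.90),
        "rates_at_0.9999": error_rates(template, genuine, impostor, 0.9999),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the genuine and replayed samples accepted, the impostor rejected, and both error rates at zero for the 0.90 cutoff, while the 0.9999 cutoff rejects nearly every genuine capture: the threshold is a policy decision, not a fixed property of the biometric.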
What is Biometric Spoofing?
Biometric Spoofing [noun] /bī • ō • met • rik • spo͞of • iNG/
Biometric spoofing is an identity theft attack method by which a fraudster attempts to compromise a system secured by biometric detection tools. This is done by using a spoofed (i.e. fake) biometric indicator based on a sample stolen from an actual user.
Used as a first, second, or third factor of authentication, biometrics can be an extremely efficient and reliable way to validate an identity claim, typically offering more security than passwords or PINs. Biometrics work well because they’re difficult to fake; like any security technology, however, the more popular the process becomes, the more likely fraudsters will try to hijack it for their own gain.
Biometric spoofing refers to any scheme by which a fraudster defeats biometric data validation and impersonates another individual. For instance, using a fake fingerprint to unlock a device is an example of biometric spoofing. The same applies for using means like deepfake technology to bypass facial recognition technology.
While preventative techniques continue to improve, there are still a number of ways to defeat biometric systems, as we’ll see in the next section.