FindBiometrics

FaceTec: High-Profile Spoofs on New Phones Reveal Problematic Biometric Security Claims

April 23, 2019

Security exaggerations damage the industry’s reputation. They need to stop, says FaceTec.

Recently in news that made it around the world, the latest flagship smartphone from Samsung was reported to be spoofed – again. As every hardware-based face and fingerprint biometric has been spoofed shortly after new phones were introduced, each highly visible incident casts further doubt on the efficacy of mobile consumer biometrics. 3D face authentication specialist FaceTec is saying, enough is enough!

Since the 2013 launch of the iPhone 5S and Apple’s Touch ID fingerprint sensor, hackers and security researchers have honored a new tradition: spoofing the latest consumer biometric hardware. Biometric systems that match the user to their own fingerprint, face, voice, and even palmprints have all been circumvented with easy-to-imitate presentation attacks. Several days ago, the FIDO-certified ultrasonic in-display fingerprint sensor in Samsung’s Galaxy S10 handset was spoofed with a fake fingerprint. It took 13 minutes to take a photo of a fingerprint on a wine glass and make a 3D-printed finger, allowing unlimited device access.

In another recent spoof example in China, a man’s bank account was hacked and his savings stolen while he was sleeping because his phone was only locked with insecure 2D on-device face recognition. His roommates unlocked his phone by pointing the camera at his face; even with his eyes closed, it gave them access to his WeChat, where they transferred his money to their accounts.

After launching a new white paper demystifying biometric liveness detection, FaceTec is now calling for the biometrics industry itself to consider these consumer device presentation attacks a serious threat to the public perception of authentication technologies. Mainstream articles featuring these spoofs expose exaggerated security claims and, unfortunately, get a lot more readers than when a new biometric authenticator passes the iBeta/NIST PAD tests for the very first time.

“Every time a high-profile biometric presentation attack makes mainstream headlines it hurts our industry,” said John Wojewidka, FaceTec’s International Marketing Director, when FindBiometrics reached out for comment. “There is a material difference between a spoof-able smartphone fingerprint sensor and a real authentication solution with certified liveness detection. But when the average consumer, customer, and even person within the biometrics industry, hears that big companies can’t create secure biometrics, they assume smaller companies can’t either. The negative press hurts the public’s view of biometrics. It’s a serious problem that can only be addressed with third-party certifications based on rigorous, sanctioned testing. Given the increasing need for universal digital identity services, our industry needs to stop letting manufacturers pretend sensors without liveness detection provide security, and they certainly shouldn’t be given security certifications to glorified convenience features.”

On Imgur, according to the security researcher who goes by the handle “darkshark,” the ultrasonic sensor was expected to detect liveness by sensing blood flow, but that seems not to be the case. Another possible explanation for the spoof is that after the S10 began shipping, a late February 2019 S10 software update addressed, among other things, user complaints about difficulties using the fingerprint sensor, which might have affected the performance.

In an article posted on LinkedIn, FaceTec VP Steve Cook explained the spoof in detail, what liveness detection could have done to prevent it, and why it is the industry’s responsibility to take on this problem. Calling for greater accountability from solutions providers, he said it’s not enough to take a vendor’s word regarding the performance of a security biometric.

“Many have claimed liveness detection, but cannot back it up,” wrote Cook. “This is a serious issue. As we move quickly to embracing digital identities, sanctioned third-party certification against spoof attacks has become a necessity to ensure that the security a vendor promises can be reliably delivered.”

Asked for further comment, Cook elaborated, “That this spoof came only weeks after the Galaxy S10’s FIDO Certification has undercut the trust of a standard that we’d hoped could engender trust in consumer-facing biometrics. Once that mainstream trust is gone, I don’t know how you get it back.”

FaceTec’s response to the Galaxy S10 spoofing is emblematic of the company’s recent outreach initiatives intended to educate organizations and end users alike, and to advocate for rigorous, transparent third-party testing of biometric solutions. After ZoOm 3D Face Authentication software was the first (and is still the only face biometric) to pass the iBeta Level 1 Presentation Attack Detection Certification test in August 2018, the experience led the company to vocally promote third-party testing.

“The iBeta PAD tests are extremely challenging, but vendors owe it to our customers and their users to get certified, and if a product cannot achieve at least Level 2 PAD Certification it should not be sold,” said CEO of FaceTec, Kevin Alan Tussy. “At FaceTec, testing is a part of our culture and the result is better security, so it’s frustrating to watch these hyped sensors that are really only designed to unlock phones cast doubt on the security capabilities of all biometrics. Unlike most biometric vendors, we never make claims about security or Liveness Detection without the 3rd-party testing to back them up.”

In the months after the first certification, FaceTec entered into high-profile, liveness detection-focused partnerships with digital identity companies including Jumio and Yoti, while publishing two educational white papers on the importance of biometric standards testing and liveness detection.

In early 2019, FaceTec passed iBeta’s Level 2 Presentation Attack Detection Certification with a 100 percent spoof-proof score, as it did in Level 1. Learn more about what’s involved by reading our recent interview with Rich Lobovsky, the company’s SVP Business Development.

—

April 23, 2019 – FindBiometrics Editorial Team

Filed Under: Features, News Tagged With: 3D facial recognition, Biometric, biometrics, FaceTec, facial recognition, in-display fingerprint sensors, Liveness Detection, mobile ID, presentation attack, public perception, smartphones, spoofing
