[Column] Gur Geva: Biometric attacks on the rise: the trends financial institutions need to be aware of in 2023

In the past year there has been a 149% increase in threat actors using emulators to attack mobile platforms. There has also been a 295% increase in novel face swaps. Biometric attacks continue to grow in volume, intensity and sophistication. If we are to successfully combat these risks, we need to uncover and understand the anatomy of biometric attacks.

As governments and businesses continue to unlock new value and efficiency through digital services, one key challenge remains. Organisations need to be assured that the person on the other side of the screen is human, and are who they claim to be. INTERPOL’s first-ever Global Crime Trend report estimates that over 70 per cent of respondents (all from law enforcement) expect crimes such as ransomware and phishing attacks to increase significantly in the next three to five years.

This renders traditional verification technologies such as one-time passwords (OTPs) outdated and a security risk. Biometrics such as iris and retina offer a deeper method of verification but fall short in terms of liveness - they cannot bind a digital identity to a real-world individual in motion. In addition to this, the technology used to capture this biometric data may not always be as accessible or inclusive as required.

We have worked with our local public and private sector partners to champion face-verification authentication in South Africa and beyond. By scanning their facial features using their smartphone or tablet, individuals can verify their identity. However, as this space grows, so do the threats to its safety. Cybercriminals continue to find new, sophisticated ways to intercept this technology. With this in mind, organisations need to remember that not all face verification technologies can keep up with the rapidly changing threat landscape or have the same level of security, resilience and ability to adapt to novel threats.

Biometric security threats currently fall into two categories: presentation attacks and digital injection attacks. Presentation attacks refer to photos, videos or even masks being held up to a screen to fool the technology into mapping the features of the identity being defrauded. In the case of digital injection attacks, imagery is injected directly into the video stream, either through emulators, hacking tools, or virtual cameras. In 2022, we witnessed injection attacks occur five times more frequently than persistent presentation attacks across the web. This is because injection attacks are far more scalable than presentation attacks, as they do not require the manual creation of a physical artefact or any physical presentation, but rather the creation of a highly automated attack machine.

2022 saw dramatic changes in digital injection attacks. Criminals are now advancing across platforms, targeting mobile web, native Android, and native iOS via emulators. With the emergence and growth of sophisticated face swaps, low-skilled criminals now have the means to launch advanced attacks. Threat actors launched motion-based attacks simultaneously and at scale against hundreds of systems globally.

Three types of synthetic injection attacks dominated the threat landscape in 2022: two-dimensional image face swaps, image-to-video deepfakes and video face swaps. The iProov report defines face swaps as a form of synthetic imagery created using two inputs where a criminal combines traits from one face, such as motion, with the appearance of another face to create a new synthetic 3D video output. This results in a product that carries the person’s individual facial features so accurately that the imagery can match their government-issued identification photograph.

Cybercriminals now have access to publicly available prepacked tools from code depository websites, allowing them to create and launch advanced synthetic attacks with little skill. In addition to this, the Crime-as-a-Service economy enables bad actors to buy, sell, and share attack methods over the dark web. A recent Europol report stated that Deepfakes-as-a-service has led to organisations delivering tailored deepfakes upon request.

Understanding the anatomy of a biometric attack is crucial in helping the public and private sector make decisions based on real-world threat intelligence, ensuring technology meets the anticipated threats. The technology organisations use to detect liveness has to be equipped with the latest defence. At iiDENTIFii, our platform is informed by the most recent research into biometric threats.

Gur Geva is the Co-Founder and CEO at iiDENTIFii

Also read:

[Column] Thabiso Foto: Fintech is a path to democratised financial services

[Column] Mukesh Bector: The ingredients of tech innovation

[Column] Takalane Khashane: Building a digital, sustainable bank for the future

[Column] Gur Geva: How biometrics can fuel inclusive growth in Nigeria’s ICT sector

[Column] Imane Charioui: Addressing the gender gap in the technology sector