Fake faces could fool biometric security
LONDON You’ve seen it in Mission: Impossible – agents in disguise evade high-tech security before peeling off their latex ‘‘faces’’ to reveal their true identities.
Now experts are warning that criminals could pull off similar stunts, using photos lifted from social media to order 3D-printed masks capable of tricking biometric systems.
Matt Lewis, research director of NCC Group, a cybersecurity company in London, bought a mask of his own face for £250, sending three photos from his Facebook profile to a company that renders faces in three dimensions and prints them in resin.
ThatsMyFace, based in Oregon, can use predictive software to model a 3D likeness from even one face-on photograph. The masks, which are marketed as novelty items for partygoers, can be delivered within days.
Wearing his false face, Lewis was able to gain access to Android phones with the latest facial recognition unlocking, as well as apps that use face ID.
He said it was likely that the masks could also trick some systems used to gain access to buildings, and could be used to unlock some countries’ border controls.
Experts said that despite NCC’s findings, better biometric systems detected ‘‘liveness’’ in various ways to distinguish between people and synthetic props.
For example, thermal imaging could be used to tell a real face from a mask. Some facial recognition systems include iris scanners that register tiny contractions of the pupil.
Robert Capps, of Nudata security, a biometrics company, said: ‘‘Biometric technology for commercial purposes is much more sophisticated than you’d find on consumer devices. Most have liveness checks that even a 3D-printed mask is unlikely to fool.’’ The Times