Sunday Star-Times

Criminals could fool biometric security with fake faces

- Matt Lewis - research director of NCC Group, a cybersecur­ity company in London The Times

You’ve seen it in Mission: Impossible – agents in disguise evade high-tech security before peeling off their latex ‘‘faces’’ to reveal their true identities.

Now experts are warning that criminals could pull off similar stunts, using photos lifted from social media to order 3D-printed masks capable of tricking biometric systems.

Matt Lewis, research director of NCC Group, a cybersecur­ity company in London, bought a mask of his own face for £250, sending three photos from his Facebook profile to a company that renders faces in three dimensions and prints them in resin.

ThatsMyFac­e, based in Oregon, can use predictive software to model a 3D likeness from even one face-on photograph. The masks, which are marketed as novelty items for partygoers, can be delivered within days.

Wearing his false face, Lewis was able to gain access to Android phones with the latest facial recognitio­n unlocking, as well as apps that use face ID.

He said it was likely that the masks could also trick some systems used to gain access to buildings, and could be used to unlock some countries’ border controls.

‘‘Businesses aren’t deliberate­ly making masks to spoof biometrics, but the fact that the masks can trick commonly used systems shows the challenge security companies face.’’ Businesses aren’t deliberate­ly making masks to spoof biometrics, but the fact that the masks can trick commonly used systems shows the challenge security companies face.

Researcher­s have shown how early facial recognitio­n systems could be fooled by holding up photograph­s to the camera. The masks could be used to trick more recent systems that scan for facial depth.

Biometrics, including fingerprin­ts and voice and facial recognitio­n, is being used increasing­ly widely in security because of its convenienc­e compared with passwords and its perceived strength as a unique personal identifier. Facial recognitio­n unlocking is available on Android phones, and there are rumours that Apple will introduce it to unlock the iPhone 8, replacing fingerprin­t scanning.

Flaws have been found in several systems, not only facial recognitio­n. Real-life security breaches have included South Koreans entering Japan using false fingerprin­ts.

Experts said that despite NCC’s findings, better biometric systems detected ‘‘liveness’’ in various ways to distinguis­h between people and synthetic props.

For example, thermal imaging could be used to tell a real face from a mask. Some facial recognitio­n systems include iris scanners that register tiny contractio­ns of the pupil.

Robert Capps, of Nudata security, a biometrics company, said: ‘‘Biometric technology for commercial purposes is much more sophistica­ted than you’d find on consumer devices. Most have liveness checks that even a 3D-printed mask is unlikely to fool.’’

?? REUTERS ?? Sinn Fein president Getty Adams greets newly elected Sinn Fein Northern Ireland leader Michelle O’Neill at the count centre in Belfast.
REUTERS Sinn Fein president Getty Adams greets newly elected Sinn Fein Northern Ireland leader Michelle O’Neill at the count centre in Belfast.
?? GETTY IMAGES ?? Democratic Unionist Party leader and former first minister Arlene Foster celebrates after being re-elected in Omagh.
GETTY IMAGES Democratic Unionist Party leader and former first minister Arlene Foster celebrates after being re-elected in Omagh.
?? THATSMYFAC­E.COM ?? Realistic masks modelled on photos lifted from social media, like this one made by Oregon company ThatsMyFac­e, could be used to get around hightech security systems.
THATSMYFAC­E.COM Realistic masks modelled on photos lifted from social media, like this one made by Oregon company ThatsMyFac­e, could be used to get around hightech security systems.

Newspapers in English

Newspapers from New Zealand