Virtual Biometrics Created from Facebook Photos Fool Security

in #security, 10 years ago (edited)


Researchers at the University of North Carolina at Chapel Hill have taken the next step in the biometrics authentication race and fooled biometric security logins with images taken from Facebook.

The process is straightforward. The target posts their picture in publicly accessible locations like social media sites. The attacker downloads the pictures, uses face mapping software to scan them and then creates an aggregate composite in 3D. Fix the blurry eyes and give the face some expressions and you are ready to fool a facial biometric login. Using a smartphone displaying the 3D image, researchers found many of today’s security systems accept the doppelganger and authenticate the attacker.   

This is one of the core risks of biometric factors. They become more available publicly over time and therefore more susceptible to counterfeiting.  

Personally, I like biometrics for the convenience and improvement of security over passwords, if implemented and used correctly. But I also know they are a stopgap measure with a limited lifetime of practical use. Until then, the attackers and defenders will continue their race of one-upmanship, outsmarting each other. But in the end, I know who wins. There will be a day, probably about a decade away, where we cannot reliably use biometrics anymore.  

Research Sources: 

Research slides and Image credit: Virtual U: Defeating Face Liveness Detection by Building Virtual Models From Your Public Photos   

Research Paper: Virtual U: Defeating Face Liveness Detection by Building Virtual Models from Your Public Photos 

News Source: 


Scary, but not surprising.
Face recognition is NOT a secure system (and the number of false positives is very high too).
It's more a nice addition to your phone password or fingerprint: we will still have to use an X-factor auth system in order not to be "doppelganged".

Therefore, in the future, I would see multiple seamless systems cooperating:

  • face recognition on the phone
  • voice recognition (on the phone)
  • fingerprint (where possible)
  • password or token (if asked)
  • keystroke dynamics (if typing something)
  • location check (your phone + your computer are at the same spot, or your phone + credit card, your car also knows where you are)

When you add up (read: multiply the probabilities) all these systems, even if they have low success rates, you arrive at very high success probabilities for identification (and all systems do NOT have to be positive, only a few).

In the end, if someone REALLY wants to hack you, they will succeed.

(An antenna sniffing your Microsoft wireless keyboard is enough to keylog your strokes.)
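Working through the comment's point about combining factors, as an added example that is not part of the post or any reply: with constructed per-factor error rates (illustrative numbers, not measurements from the paper or any product) and an assumption that factors fail independently, it computes how an "at least k of n" policy trades impostor acceptance against locking out the legitimate user.

```python
from itertools import combinations

# Constructed per-factor error rates for the factors the comment lists
# (illustrative only, not measured values):
#   far = probability the factor accepts an impostor
#   frr = probability the factor rejects the legitimate user
FACTORS = {
    "face":        {"far": 0.05,  "frr": 0.10},
    "voice":       {"far": 0.03,  "frr": 0.15},
    "fingerprint": {"far": 0.001, "frr": 0.03},
    "keystroke":   {"far": 0.10,  "frr": 0.20},
    "location":    {"far": 0.02,  "frr": 0.05},
}


def at_least_k_accept(accept_probs, k):
    """Probability that at least k of n independent checks say "yes".

    accept_probs[i] is the chance check i accepts. Independence between
    factors is an assumption; correlated failures (a stolen phone that
    carries face, voice and location at once) make real numbers worse.
    """
    n = len(accept_probs)
    total = 0.0
    for m in range(k, n + 1):
        for yes in combinations(range(n), m):
            p = 1.0
            for i, a in enumerate(accept_probs):
                p *= a if i in yes else 1.0 - a
            total += p
    return total


def policy_rates(factors, k):
    """Return (impostor_accept, genuine_accept) for a "k of n" policy."""
    fars = [f["far"] for f in factors.values()]
    genuine = [1.0 - f["frr"] for f in factors.values()]
    return at_least_k_accept(fars, k), at_least_k_accept(genuine, k)


if __name__ == "__main__":
    n = len(FACTORS)
    for k in range(1, n + 1):
        imp, gen = policy_rates(FACTORS, k)
        print(f"{k} of {n}: impostor accepted {imp:.2e}, "
              f"genuine user accepted {gen:.3f}")
```

Raising k drives the impostor rate down by orders of magnitude, but the genuine-user acceptance falls too, which is the usability cost the thread keeps returning to.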

Facial recognition with 3D cameras should be able to defeat this, at least for a while. 3D camera systems typically use 2 fixed cameras looking at the subject simultaneously to calculate depth as well as process images in 3 dimensions. But even those will likely be defeated by some, yet unknown, hack. I do love technology!

I think over time AI can know the person better than the person knows themselves. I'm thinking full persona recognition is going to be possible, and it will include face, fingerprint, iris, and whatever else a person is, but also how they are.

So typically it's about what someone is, what someone knows, what someone has, but in the future we will be able to include how someone is or how they act. So I do think security will improve in this area dramatically.

I have been following some AI companies here in the Valley and "behavioral identification" is still at its very beginnings.

  • First, it has lots of false positives (keystroke dynamics are a good example)
  • Second, you have to go very fast: being able to identify the user the quickest possible (imagine your keystroke identifier needs 300 characters, or 20 sec of typing... a hacker would probably have time to disable it).

Nevertheless, there are applications where we can have an immediate application: Cars for instance (see WHO drives, and prevent the car from being stolen... at least taken far away).

I still remain "bullish" on behavioral identification in the future. AI techniques are the new trending thing, and are helped by massive computational power (Nvidia DGX-1).

Btw, speaking about robots: did you try the X.ai assistant?

Ha! That's awesome! Kinda scary, but awesome.

Yeah, in theory they could do that for iris and even fingerprint.

What is your opinion on the security of the Samsung Note 7 Iris Scanner? So far it hasn't been fooled but is it really better than a password?

I have not played with the Note 7, so I can't speak to the quality of its scanner. Overall, I have always thought the two best biometric factors are fingerprint and iris.

Security is a balance of cost, usability, and risk reduction. Fingerprints are low cost, very user friendly, but not too strong on security. Iris is medium cost, not very user friendly, but strong on security. So, depending on your needs, out of all the bio factors, I think finger and iris are the best.

One of the issues I have seen with iris scanners on handheld devices is usability when the lighting is not correct. Angle of sampling and time to pattern match can also be a problem in some devices. But again, I have not played with the Note 7.

If you have one, I would like to know your thoughts.

I can see you really know what you're talking about when it comes to cybersecurity because that is a very nuanced diplomatic answer. In my opinion, diversity of options can improve security, and iris combined with an ID card and pass code would be more secure in my opinion than an ATM.

But there are risks as well, and I haven't looked into the Note 7 to answer that question which is why I asked you about it. It does look intriguing though and much better than fingerprint which I never viewed as secure.

MFA (multi-factor authentication) is much more secure, but there is a trade-off: usability. Do you really want to scan your iris, swipe a card, and type in a passcode every time you want to unlock a device? For some transactions, like banking at an ATM, that might be okay. But not with everyday devices.

For example, I greatly appreciate the fingerprint scanner on my Galaxy S7. It makes it so easy to unlock as compared to typing in a PIN. And consider this (I am a big fan of fingerprint for some usages), I believe my fingerprint phone unlock is significantly more secure than a 6 digit PIN. I can, in a room full of people looking at me, unlock my phone without anyone learning how to do it. If I had a passcode, then others would see and know how to unlock my device. Proof is that my kids HATE the fact they cannot just learn my passcode. My phone is only unlocked with my finger. Ha!

For certain transactions yes, for certain transactions no. To unlock the device probably not, but for banking yes, for Steem yes.

I favor multifactor for sake of variety and let the user choose which factors from a list. Different apps could require different factors.

I expected this to already be, or one day be, an issue, where politicians, famous people and other important role models can be either killed or paid off, and another with money and an agenda can use the person's influence while conveying their own ideas.