Abdarahmane Wone, Software Engineer at Fime

As adoption of biometric authentication increases, so does the need to ensure that biometric systems are resistant to attacks. Presentation attacks, such as spoofing, which aim to “spoof” a biometric verification or identification procedure, can compromise biometric authentication. Fime is exploring how to transform genuine biometric images into synthetic spoofs and evaluate the robustness of biometric systems in detecting presentation attacks.

Stéphanie Pietri (SP), Communications Director at Fime, speaks to Abdarahmane Wone (AW), Software Engineer, about Fime’s new research paper to discuss the potential impact that digitally synthesized fingerprint spoofs can have on anti-spoofing systems.

SP: What is an anti-spoof test?

AW: Presentation attacks, when an attacker attempts to trick a biometric system, are one of the key security challenges facing biometric systems. It is critical that the presentation attack detection (PAD) technology in a biometric system is thoroughly tested, as this is what ensures the security of the system. Presentation attack detection testing is usually done by creating presentation attack instruments (PAIs) and performing active spoof attempts to determine whether a biometric system will authenticate a credential that is not genuine. This requires significant skill and time investment from testing labs.

SP: What did Fime do?

AW: To learn more about biometric systems’ ability to resist presentation attacks, Fime conducted research to determine whether digitally synthesized images are as good as real spoofs. AI and deep learning were used to transform genuine fingerprint images into spoof images similar to the ones made from the spoof materials commonly used in anti-spoofing tests. We did this in order to simulate the standard testing process.

We used a multi-domain style transfer model taking data from LivDet, an international competition of presentation attack and fingerprint liveness detection. Data from five different materials were used: Ecoflex, gelatin, latex, modasil, and wood glue. The data set was composed of a training set and a testing set, each containing 2000 images (1000 genuine images and 200 of each spoof material for each set). We extracted and randomly cropped multiple 224×224 patches from each image and injected them into the system to see if they were detected as spoofs under the NIST Fingerprint Image Quality (NFIQ) algorithm.

By using this kind of method, the testing process is sped up and a larger number of spoof materials are covered than it would be possible to physically fabricate in a given time.

SP: What was the impact of the digitally synthesized spoofs on the system?

To assess the validity of the digitally synthesized fingerprint spoofs, the NIST Fingerprint Image Quality (NFIQ) algorithm, which provides an overall score on a scale of 0 to 100, was used. This is based on the usability and features of an image. We used this algorithm to determine whether the quality of the presentation attack instruments was similar to that of the synthetic presentation attack images.

For each material, we found that there is a similarity between the distribution of the genuine images and synthetic images.

SP: What does this mean for the future of biometrics?

Fime has developed a method that can be used to evaluate biometric systems’ ability to resist fingerprint spoofs. This can help vendors to develop their fingerprint recognition products, in particular training algorithms to resist presentation attacks. Payment schemes can also use the research to implement new testing methodologies for these products. These findings will ultimately help laboratories to make cost and time savings, helping secure products launch more efficiently.

What are the biggest fraud concerns for FICO’s customers?

Scams are definitely high on the list. There is a continued surge in Authorised Push Payment (APP) scams, advanced social engineering, and pandemic-related fraud.

The level of sophistication present in scams seems to grow at a daily rate and that is always one of our biggest concerns – staying ahead of the criminals. A coordinated approach to managing the authentication of customers will be a strong starting point for any organization, so that they can adapt and adjust as the market changes. To address current fraud concerns, banks need to take this into consideration. There are specific machine learning models designed to detect scam-related activity, and banks should explore those.

How have scams changed since the pandemic started?

Investment and crypto scams saw a big spike and there was a swift rise in vaccine-related scams with an emergence of a black market for the sale of fake vaccine passports. There is certainly a good level of public awareness of scams, but according to our consumer fraud survey, only 6% of customers said they were most concerned about being tricked into sending payments to a fraudster — as compared with 26% who were most concerned with having their stolen identity used to open an account, which is much less likely. This relaxed attitude in combination with increasingly realistic and creative social engineering and impersonation schemes, is part of the reason why fraudsters continue to succeed in scamming customers.

Authorised push payment fraud is one of the biggest concerns in the digital payments industry. According to UK Finance, APP fraud has, for the first time, surpassed card fraud with £355 million in losses attributed to APP fraud in the first half of 2021.

What is the challenge for banks right now in dealing with APP scams?

APP scams present a unique challenge as they involve tricking the victim into sending money to the fraudster. Despite measures like Confirmation of Payee (CoP) being put in place to stop these fraudulent transactions, the victim will have the final say and can override warnings put in their way. A layered approach is needed to prevent it, multiple tiers of armor are always most effective.

Some improvements in payment technology are actually making it easier for criminals to commit APP fraud. As more consumers and businesses adopt simple ways to send money in real time the pool of potential victims increases, a trend accelerated by the COVID crisis pushing more people to use online banking. Real-time payments also lower the risk for fraudsters, as money is transferred instantly, fraudsters can move payments through multiple accounts in a process of layering to launder the proceeds of the fraud and make tracing them more difficult.

Criminals are devious and clever, and victims cannot simply be written off as gullible exceptions. As real-time payment schemes can be used to transfer large sums of money, there is a need to employ layered fraud protection across all products and channels used to manage real-time payments.

Maintaining good customer experience by not impacting too many genuine transactions is a growing concern. As banks get better at detecting scams, there is still a very high false positive rate with many genuine customers needing to be disrupted in order to find a single fraud. This is where advanced analytics and particularly a consortium approach are critical aids.

What has your research told you about how different generations think about fraud and scams and the actions they take to avoid them?

We frequently survey consumers across the world to get a sense of their attitudes towards fraud and the security measures implemented to catch it. The results are always interesting and often flag the differences in how age groups approach financial security.

For example, in our most recent survey of 1,000 UK consumers, 55% said they would switch banks if theirs was reported to be involved in a money laundering scandal. The younger age groups would be most eager to swap their financial service provider after a money laundering scandal: 64% of 18 to 24 year-olds would switch, as would 68% of 25 to 34 year-olds.

Those in the Millennials generation – aged 25-34 – appear to be the least impressed with banks’ current approaches to fraud. When asked about account takeover, 19% thought banks were not fair with customers in terms of how they resolved this. And when considering cases of customers being tricked into sending money to fraudsters, 21% of them thought measures were not fair.

How much of an issue is social engineering?

Social engineering is a vital component of a fraudster’s playbook. It is not a new approach for them but is one that can cause devasting results. Fraudsters buy compromised data (credentials, ID documents, personally identifiable information or payment details) and ultimately, they use it to manipulate victims and commit fraud. Sometimes, fraudsters don’t have all of the pieces of the puzzle together, so they often further manipulate systems and customers in order to get the full suite of assets they need to steal.

The complexity of scams and social engineering means that financial institutions have to take a layered approach to prevention and detection. For example, checking device characteristics is useful, but when combined with Confirmation of Payee, transactions analytics, customer profiling and instant messaging services for verification, this is where the layers play extremely well together. When and how fraud prevention solutions are deployed must be balanced with other factors such as customer experience and operational costs. Being dynamic and flexible is key to both creating the necessary balance and evolving at least as fast as the fraudsters can.

Identity authentication isn’t as strong in a scam event as it is in other fraud types. Nearly all fraud events start with a data compromise and with scams it’s no exception. Identifying compromised and vulnerable customers is still very inconsistent across banks, so there is a big opportunity to be more proactive in stopping the scam before it is initiated.

Many banks have incorporated consumer protection into their marketing plans but I would like to see more do it across the industry.

What are the latest scams you are seeing emerging?

Before Open Banking, criminals applied for low-risk accounts using a fake identity in order to start building up their credit file. Over time, they would move into commerce and then onto higher-value targets, hitting them hard.

We believe this approach is finding its way into the Open Banking ecosystem as a faster route to higher-value credit. Having secured low-risk bank accounts and passed the Know Your Customer requirements, criminals are attempting to access new services through Open Banking third-party providers, who offer loan approvals and various other financial and investment services.

We’ve also seen a steady rise in fake videos and audio with targeted content that manipulates and gains access to personal and finance data. As the technology becomes more sophisticated, it’s becoming the new favorite tool in financial crime. For instance, bank manager in the United Arab Emirates fell victim to a threat actor’s scam, when hackers used AI voice cloning to trick the bank manager into transferring $35 million.

We believe this will become a big challenge for banks in Europe and across the globe as they find themselves increasingly targeted in this way. As those deep fake technologies develop, we will see more innovation and use of a wider variety of biometric technology thrown into the mix.