Facial Biometrics Screening For Identity Verification: Dispelling Myths & Deterring Facial Spoof Attacks

Introduction

Biometrics is a process by which a person’s identity can be verified using their unique biological characteristics. These characteristics could be fingerprint geometry, iris patterns or color, and facial features. Biometrics are routinely used in identity verification by law enforcement personnel, authorities at airports, or within the banking and fintech industry. Using biometrics to verify customer identity risk profiles is a challenging task considering the determination of fraudsters. 

The role of identity verification using biometrics is expanding rapidly due to the enactment of new laws and regulations worldwide. Due to the pandemic, identity fraud and identity spoofing are also becoming more prevalent. 

Several forms of identity verification exist include: 

• Biometric verification (facial recognition, iris identification, fingerprint match, voice comparison)
• Two-factor authentication
• Knowledge-based authentication
• Credit bureau-based authentication
• Online verification (remote or eKYC)
• Database methods (government pr LEO database records search)

Specific forms of identity verification used during the Customer Identification Program (CIP) include: 

• Iris recognition
• Fingerprint scanning
• Facial recognition 
• Finger-geometry recognition
• Hand-geometry recognition

Despite the numerous amount of identity verification techniques, illicit actors and criminals attempt to circumvent the security features within these techniques to access banks’ services.

Identity Verification with Biometrics, Liveness Detection, & Facial Recognition

The use of biometrics is so widespread that the Federal Bureau of Investigations is now using a custom-tailored system to store and identify persons of interest in cases as well as for general identification purposes. According to the FBI, “In an effort to harness new technologies and improve identifications, the Bureau developed its Next Generation Identification (NGI) system, which provides the criminal justice community with the world’s largest and most efficient electronic repository of biometric and criminal history information.” Like identity verification solution providers, the FBI protects personal data in encrypted files. The FBI’s NGI system also stores biometric data. If this data falls into the wrong hands, or if the data is improperly used, identity fraud can occur (in addition to many other serious crimes).  

The FBI’s NGI system has some of the most advanced capabilities in biometrics, including: 

• Advanced Fingerprint Identification Technology (AFIT)
• Repository for Individuals of Special Concern (RISC)
• Latent and Palm Prints
• Rap Back (authorized agencies and personal can receive information on activities of persons in positions of trust)
• Interstate Photo System (IPS)
• NGI Iris Service

Identity verification solutions like IDMERIT use verification tools and anti-fraud techniques to help identify attempts at fraud and immediately limit access to a bank’s precious resources. In addition to limiting access, risk profiles are delivered to clients to alert them of an applicant’s potentially negative financial activities. Facial recognition is a tool that is used to verify customer identity profiles in seconds.  

Preventing Synthetic Fraud with Biometric Facial Recognition Match

Sophisticated fraud attempts are becoming more prevalent including the use of synthetic identities in order to attain a host of privileges at banks or restricted institutions. When a bad actor attempts to create a synthetic ID, several tasks must be accomplished: 

1. A modus operandi (motive or goal) must be chosen
2. Real personally identifiable information (PII) must be sourced from a worthwhile target
3. Pieces of real and fraudulent information must be stitched together to create an identity the criminal can use to commit an act of identity fraud
4. The criminal must then knowingly use the identity to apply for some sort of benefit via a bank or organization and be able to fool the identity verification or know your customer solution 

Many criminals use brazen techniques to steal PII data or identifying data out of dumpsters or even purchase this data on black market exchanges (in-person or online). Once the criminal acquires this information there are normally two routes to using the information after they are approved for services:  quickly attaining resources and maxing out a financial instrument or using the fraudulently attained resources to build a credit score up over time and simply disappearing after the entirety of funds are depleted.

In order to combat this threat, several techniques are used (including the use of facial recognition), which detects facial features/patterns (nodal points). Techopedia defines facial recognition as, “a biometric software application capable of uniquely identifying or verifying a person by comparing and analyzing patterns based on the person’s facial contours.”

Each human face has 80 nodal points that can be used to differentiate one face from another. When nodal points are combined with authentic data from an independently verifiable database such as those used by identity verification solution IDMkyc. 

Nodal points used in facial recognition include: 

• Distance between the eyes
• Width of the nose
• Length of the jawline.
• Depth of the eye sockets
• The shape of the cheekbones

These nodal points are used to create a distinguishable code/number that matches up to a face in an identity verification database. Criminals are continuously attempting to circumvent facial recognition systems using masks, deep fake attempts, and more. 

“Before the coronavirus pandemic, facial-recognition algorithms failed to identify 20-50% of images of people wearing face masks” according to a report from the National Institute of Standards and Technology. The potential for fraudsters to use these limitations to their advantage has been a concern among the identity verification community, as masks are now mandatory in most countries. 

According to a recent statistic in the Wall Street Journal, “between June 2020 and January 2021 it found more than 80,000 attempts to fool the selfie step in government ID matchups.” One technique to combat this type of fraud is by the use of liveness detection.

Liveness Detection Algorithms

Liveness detection algorithms determine whether in fact there is a live person standing or sitting in front of the camera.  Liveness detection often thwarts fraudsters’ use of Presentation Attack Instruments (PAIs) such as the following list used in face spoofing attempts: 

• “2D static attacks are made with high-definition face pictures on flat paper, simple flat paper masks with holes. 
• 2D dynamic hacks are carried out with multiples photographs to be used in a sequence or a video replay via a low or high quality (4K) screen. The high-definition screen is used to spoof low-resolution cameras. A video sequence with pictures can be used to answer basic challenge/response methods. The holes, in particular, allow for the eyes to blink. These 2D attacks are well documented.
• More recent 2D dynamic potential attacks can include 3D digital doubles or avatars (on a 2D screen) and deep fake puppets so-named because they leverage deep learning processes. 
• In 3D static attacks, impersonators use 3D prints, wax heads, or sculptures.
• IN 3D dynamic attacks, fraudsters can use masks in resin, latex, or silicone with holes for the eyes and other specific areas such as the mouth, lips, and eyes brows.”(Thales)

LIveness detection uses texture and motion analysis in addition to the above-mentioned facial recognition tools that detect specific nodal points to determine if a facial spoof attempt is in progress.

Common Biometrics Myths

There are several myths that exist when it comes to biometric (fingerprint or facial recognition) when it comes to identity verification. In order to verify a customer’s identity, it is important to remember that some criminals may go to the extent of using some of these techniques or believe that these myths are, in fact, ways to help them circumvent an identity verification solution’s system altogether. 

4 Common Myths About Biometrics 

Myth 1: Biometric data is stored as images in easy-to-hack locations

Reality: During the onboarding process, if a bank has previously scanned the fingerprint, iris, or facial features of a potential customer then there will already be a biometric template or mathematical file that the system can compare extracted data to. If not, data from the image (nodal information for instance) is extracted and stored in the biometric template file for later comparison. This data is stored in a secure environment and encrypted which is extremely difficult to hack or gain access to without the proper credentials.

Myth 2: Fingerprints can be easily replicated to ‘spoof’ recognition systems

Reality: It is extremely difficult to replicate or “spoof” fingerprint biometric data. “Despite what we see in Mission Impossible or similar action movies, biometrics are actually quite difficult to replicate,” says Dr Toby Norman, co-founder and chief executive of Simprints. “The large majority of vendors have implemented liveness detection and other forms of anti-spoofing within their solutions that render it increasingly challenging to fake a biometric.”

Myth 3: Biometric data is unreliable and ridden with errors

Reality: Biometric data is extremely accurate and has been battle-tested to ensure that data integrity is maintained at the highest levels and errors are minimal.

Myth 4: Using biometrics for identity verification is expensive and isn’t cost-effective

Reality: IDMERIT’s IDMkyc and suite of identity verification solutions are quite cost-effective and can help you meet your banking compliance obligations without losing quality or efficiency.

Contact one of our identity specialists to Schedule a Demo of IDMkyc today.

Facial Recognition Technology Speeds Up Boarding Time & COVID Health Screening

According to a recent Government Accountability Office (GAO) report, “U.S. Customs and Border Protection (CBP) has made progress testing and Facial Recognition Technology (FRT) at ports of entry to create entry-exit records for foreign nationals as part of its Biometric Entry-Exit Program. As of May 2020, CBP, in partnership with airlines, deployed FRT to 27 airports to biometrically confirm travelers’ identities as they depart the United States (air exit) and was in the early stages of assessing FRT at sea and land ports of entry.” The results of a recent controlled scenario test by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) showed that facial recognition reached up to 96% accuracy which is a useful statistic for those in favor of this technology. 

Facial recognition and using biometric technology have the potential to improve the lives of millions and deter bad actors at the outset.

Thermal Facial Recognition & Remote Fever Detection Detect PCR Status 

Thermal facial recognition and remote fever detection are used regularly by Airport security and CBP officers to ensure travellers are not currently suffering from symptoms of COVID. 

According to the Oxford Journal of Law and the Biosciences, “ among a growing list of COVID-19 symptoms, fever (defined as a body temperature above 100.4°F/38°C) is one of the telltale symptoms of infection. As the pandemic has gained momentum, government agencies and corporations are increasingly turning to fever checks as a mechanism for gauging the potential presence of SARS–CoV-2 among citizens, travelers, and employees.”

Key Takeaways & Future Trends

The future of using biometric analysis within the onboarding process at banks is becoming standard. Customer Identification Programs now feature the use of remote Know Your Customer (or eKYC) capabilities which require the use of specific liveness detection algorithms and facial recognition technology to remain in compliance. Remote identity verification is being adopted more rapidly due to the COVID-19 pandemic and the ease of use of systems such as IDMkyc. 

IDMkyc is a best-in-class identity verification solution that can provide quick and easy personal identity verification. Utilizing an API (REST) it can access over 400 official data sources across 175+ countries to provide Know Your Customer (KYC)

• Simple multi-source matching (minimum 2 in-country official sources)
• All Personal Identity Information (PII) match
• Our KYC verification provides a 2+2 match API that meets regulatory compliance including the Financial Action Task Force (FATF)

Contact one of our identity specialists to Schedule a Demo of IDMkyc today.

Stay tuned to our Identity Insights blog for more content relating to facial recognition, anti-spoofing, and identity verification. 

Follow our LinkedIn and Facebook pages for anti-money laundering news and significant regulatory changes.

About IDMERIT

Headquartered in San Diego, California, IDMERIT provides an ecosystem of identity verification solutions designed to help its customers prevent fraud, meet regulatory compliance and deliver frictionless user experiences. The company is committed to the ongoing development and delivery of offerings that are more cost-effective and comprehensive than other solution providers. IDMERIT was funded by experts who have been sourcing data on personal and business identities across the globe for over a decade. This access to official and trusted data throughout the world has become increasingly important as companies find themselves completing transactions across borders as a standard course of business. www.idmerit.com