TrustCloud strengthens its capabilities in the detection of presentation attacks with a significant certification
TrustCloud has successfully passed the ISO 30107 compliance audit, certifying that its identity verification solutions are at the forefront of the fight against fraud.
TrustCloud has obtained certification corresponding to the ISO 30107 standard, which provides a foundation for detecting presentation attacks (PAs). These attacks threaten the operation of video identification solutions, leading to unauthorized access, fraud, or identity theft with long-term consequences.
Thanks to its excellent performance, facial recognition has been integrated into various aspects of our daily lives, such as device control and unlocking or mobile technology payments. However, there is a risk that someone may attempt to deceive a video verification system with facial recognition by presenting a forgery instead of their own biometric features.
Diversity of attacks and tactics
The landscape of presentation attacks is diverse, including both traditional methods and advanced digital resources. To fully understand their scope, we can classify them into three general typologies:
- Print attacks. Print attacks represent an attempt to manipulate facial recognition systems using printed static images. In this scenario, an attacker presents a photograph depicting the face of an authorized person. The goal of this type of attack is to fool the system into believing that the printed image is authentic and corresponds to a real face. Essentially, the attacker seeks to exploit the printed image, whether on photographic paper or another medium, with the intention of bypassing the security of a system that relies on biometrics for authentication (prior to account opening, for example) or access.
- 3D mask attacks. 3D mask attacks involve the use of three-dimensional replicas of the facial features of an actual person. These masks can be exceptionally lifelike, becoming difficult to distinguish from a real face. Attackers can employ various resources in this category, ranging from meticulously crafted latex masks to a mannequin’s head placed in front of the screen.
- Video replay attacks. These involve using previously recorded videos showing an authorized person interacting with the video identification solution. By playing the video, the attacker tricks the system into believing it is interacting with the real person when in fact it is a recording. These attacks can be carried out in various ways: by showing the screen of a mobile device with the person’s image or by creating a 3D digital model from a video or photograph. Generating apparently authentic movement with these manufactured models is also an attempt to bypass liveness testing filters.
The multifaceted contributions of PADs
ISO 30107 certification is a reliable indicator of a system’s ability to detect and resist presentation attacks, providing confidence in the security and effectiveness of facial recognition technology. Like other cybersecurity-related standards, it is always updated to adapt to new threats and emerging technologies. Presentation attack detection (PAD) systems continue to evolve in response to constantly changing methods. This means that PADs must be able to learn and adapt to new attack patterns to maintain their effectiveness over time.
While security is a fundamental aspect of PADs, it is important to recognize that these technologies have a broader scope covering multiple areas and benefits.
- Improved user experience: PADs can significantly contribute to enhancing the user experience in various contexts. In everyday applications such as unlocking mobile devices or entering buildings, facial recognition systems backed by PADs can streamline and simplify authentication. By ensuring quick and reliable authentication, users benefit from a smooth and frictionless interaction with the systems and devices they use daily.
- Service customization: In hospitality or e-commerce environments, PADs can contribute, through their filters and barriers, to tailoring offers and services according to individual user preferences and needs. This can generate greater satisfaction and loyalty from customers who feel they are receiving more personalized attention.
- Forensic and investigative applications: In crime resolution and legal cases, PADs are a useful asset for verifying the authenticity of images and evidence, identifying manipulations or alterations. This aspect is particularly relevant in the digital age, where determining the authenticity of images can be a complex task that nevertheless must be resolved promptly.
- Data analysis and emotion tracking: By observing facial features, PADs also provide valuable information about users’ emotions and reactions, a very useful factor in applications such as customer experience research, attention tracking during advertising, and adapting user interfaces based on emotional reactions.
Identity custody and maximum rigor
The ISO 30107 standard defines terms and provides a framework for specifying and locating the attack events described. In this way, they can be analyzed in depth to subsequently make decisions and evaluate performance. It is worth noting that it does not address all possible attacks in a biometric system but focuses on attacks carried out by the subjects of biometric capture, i.e., the people being scanned or whose biometric data is being captured.
The goal is to ensure that biometric systems are secure and reliable by detecting and preventing the use of forgeries. This is vital to protect people’s identity and security in onboarding and authentication processes, promoting transparency and avoiding unauthorized access to systems and data.
Obtaining the ISO 30107 certification enhances TrustCloud’s capabilities as a trusted service and as a secure environment in each of its identification modalities.