Biometrics Hacking: What You Need to Know

A 2021 survey asked Americans for their preferred method to protect their identity. Biometrics was the top choice, at 45%.

Given that biometrics correspond to unique features every person carries on themselves, it is tempting to think that they can’t be hacked. 

But they actually can – in many ways, from falsification to simple data breaches. And there is plenty of evidence. Let’s take a closer look.

Are Biometrics Safe?

Somewhat. Biometric verification and biometric authentication are both widely accepted and adopted, but that does not mean they are the be-all and end-all of online or offline security. Importantly, neither companies nor individuals should expect biometrics to be impossible to spoof or hack.

In fact, it’s often such complacency that opens the door to fraudsters – in other words, the misconception that if a system is making use of biometrics, there is no way for anyone with nefarious intentions to fool.

Can Biometrics Be Hacked?

Yes, biometrics can be hacked in a number of ways. In fact, the word “hacking” can refer to several practices to begin with, though in this context it is likely to describe the ability to circumvent biometrics checks, in one way or another. 

For example, someone can hack biometrics checks by:

• using a fake/synthetic identity with generated biometrics
• using deepfake technology to fool some checks
• stealing someone’s biometrics from databases 
• recreating someone’s biometrics 
• finding a way to bypass the biometrics check – a hole in the system
• social engineering (by convincing the victim to authorize them) 

Can Biometrics Be Stolen?

Yes, biometrics can be stolen. Biometric indicators gathered from various individuals – be they employees, customers or other users – is stored in databases. A data breach in any of these databases can provide the hackers with all the markers they need to impersonate everyone contained therein. 

That’s exactly what happened in 2019, when it was discovered that hackers gained access to the BioStar 2 database of fingerprints, captured features for facial recognition and more personal information. BioStar 2 had recently been integrated into an access control system called AEOS, used in 83 different countries by more than 5,700 organizations. In total, the researchers were able to locate more than 27.8 million related records in the dark web.

Among other companies, this database was being used by festival promoters, coworking spaces, medical products manufacturers and software consultancies, as reported by vpnmentor.

Another way to “steal” biometrics involves capturing their likeness using video, photographs or audio recordings to then recreate it in order to fool a biometrics system.

Can Biometrics Be Spoofed?

Yes, biometrics can be spoofed, and this is surprisingly (and worryingly) easy to do. How exactly this works depends on the specific feature that a fraudster is trying to spoof, from fingerprints to facial features and even typing cadence.

For example, researchers have demonstrated that there are several ways to spoof fingerprints. These include repurposing the remnants of someone’s fingerprints on a surface or just recreating them from video or photographs. 

A team at Kraken Security Labs memorably demonstrated this for under $5 – using only Photoshop, acetate paper, a laser printer, and wood glue to create a synthetic fingerprint based on a photo of an individual’s actual fingerprint. Others have shown that fingerprints can be spoofed using a 3D printer and high-resolution photo, albeit at a greater cost.

It’s possible to spoof voices, too. Back in 2018, at the Black Hat USA event, ethical hackers presented a method to hack voice authentication systems on a limited budget, using freely available machine learning models and text-to-speech modules. Voice deepfakes are used to convince employees they are talking to upper management as part of CEO fraud, as well as various other schemes, in addition to biometrics hacking.

Meanwhile, researchers have raised the alarm on what is called synthetic media social engineering, which uses deepfakes to make the victim believe that the attacker is actually someone they know. In this case, the biometrics hacker isn’t attempting to convince a machine but a person and, as it often happens, the elderly and those unfamiliar with technology are more likely to be targeted.

Beyond the above, facial recognition systems, handwriting and iris scanners are also susceptible to hacking. As biometric authentication adoption increases, so do bad actors’ methods of hacking into such systems.

How Does Biometric Data Get Hacked?

There are various ways for biometric data to get hacked, which range far and wide – from criminals breaching databases to copying and reproducing someone’s face as a mask, using deepfakes to copy their voiceprint or replicating their style of typing. 

What they are trying to do, essentially, is to bypass a subcategory of identity proofing – and they will try to use similar methodology.

Let’s take a look at some real-life methods, as evidenced by historic hacks and research:

• Database breaches: First, there is the fact that biometric indicator information is stored in databases. This is a fundamental part of an authentication system, as the user’s live data must be compared to that held on a database. And databases can be hacked, leaked and compromised through poorly implemented security. 
• Fake/synthetic biometrics: Biometrics can also be synthetic. An example comes from 2013, when Apple famously suffered a fingerprint hack. Just two days after the firm released the iPhone 5S, Germany’s Chaos Computer Club published a video online that showed how they had bypassed the smartphone’s security lock screen using a fake fingerprint. 
• AI-generated deepfakes: General adversarial neural networks (GANs) and other technologies have been successfully used by both criminals and researchers to convincingly reproduce the likeness of someone to bypass checks. This can include voice deepfakes and video content.
• Stolen biometrics: Depending on the biometric marker utilized, it may be possible to create a copy of someone’s biometric data by, for example, picking up their fingerprint and reusing it, or by sourcing markers from stolen photos or videos of them. 
• Bypassing checks: Sometimes, a savvy fraudster will find loopholes to bypass biometric checks put in place to help with accessibility or simply as a mistake. For example, they could opt for the “alternative” authentication method to a video call, for users who don’t have a working camera, which could be easier to fool – for instance, this could be giving them the option to use paper documentation instead.

How Does Biometric Spoofing Work?

The method largely depends on how the data was acquired or created as well as which particular biometric markers are being spoofed, from signatures to keystroke patterns, irises, fingerprints, vein patterns or facial features.

In general terms, this process involves the following steps:

1. The fraudster identifies where they want access to and what biometrics scanners are in place.
2. The fraudster checks if there are any workarounds to gaining access without having to provide biometrics – in which case, they will attempt this first as it is likely to be a simpler task.
3. The fraudster identifies specific people with access.
4. The fraudster identifies a way to reproduce, steal or fake the person’s specific markers, which can include:
   
   • social engineering hacks such as spear-phishing to convince the person to grant access 
   • attempts to reproduce their markers from video or images using 3D printing, transfer and other methods
   • deepfake technology to impersonate them
   • deepfakes or other tech to impersonate someone who doesn’t exist instead
5. If successful, the fraudster has just gained access. If not, they might try again – in which case, a fraud prevention system with velocity checks is more likely to catch them.

Another thing to keep in mind is that the above methods are highly related to whether there is a specific person the fraudster is trying to impersonate or if it could be anyone, as long as the system is fooled.

For example, in certain settings, only one or two individuals have access, so the fraudster may want to painstakingly spoof their biometrics. This could be someone’s high-tech personal safe. When it comes to access to an office building, though, any one of hundreds of employees would have it, and it is likely the fraudster can pass off a random fingerprint as their own rather than someone specific’s.

Examples: 3 Real-Life Biometrics Hacks 

Let’s now look at three fascinating real-life cases of biometrics hacks. These often originate from white-hat hackers – researchers who try to find errors and inadequacies in systems before actual criminals do the same, so they can be addressed or patched. Others get discovered by the victims or researchers after they have been successfully used for fraud.

Fake Hand Fools Vein Authentication System

In 2018, a group of German researchers arrived at a cybersecurity conference with a fake hand. It had been created using wax to hack vein recognition – a system that reads the unique vein patterns in an individual’s hand to authenticate them. To achieve this, they used 2,500 pictures, though they’ve specified they can be from as far as 5m (16ft) from the person. 

Was it successful? Yes. But in this case, it was also time-consuming and expensive.

Liveness Detection Hacked Using Eyeglasses

China’s Tencent Security discovered that a pair of glasses and black-and-white tape are enough to lead a biometric authentication system to believe that an unconscious or even dead subject is alive – convincingly enough to pass liveness detection checks. 

These check for 3D objects and compare them to the person’s likeness but are not as sophisticated when it comes to scanning the person’s eyes – at least not in 2019, when the findings were released.

Deepfake Videos Used for Tax Fraud

Still in China, an efficient biometric hack was this time invented by criminals, as came to light in 2021. 

Two fraudsters purchased thousands of facial images on the dark web and used machine learning modules to create deepfake videos of these people. From there, they set up an elaborate scheme where a shell company issued fake invoices owed to these individuals, ultimately defrauding the Chinese tax authorities for the equivalent of $76.2 million.

How to Protect from Biometrics Hacking as a Business

Effective biometric hack prevention requires a multi-pronged approach. This is no surprise considering the vastly different markers in use, as well as the techniques practiced by fraudsters and the variety of biometrics verification and authentication strategies, systems and workflows.

However, we can still discuss some best practices to be considered by those organizations that find themselves at risk of falling victim to biometrics hacks – and those are, unfortunately, almost anyone who employs biometrics.

• Consider artificial intelligence and machine learning: Researchers have found time and again that AI can efficiently flag biometrics spoofing. In fact, February 2022 research by ID R&D discovered that AI modules are more adept at identifying biometrics spoofing than humans, with 0% vs 30% false negatives and positives altogether. Machines were also quicker at this.
• Do not rely on biometrics alone: Biometrics can be a relatively low-friction method of user authentication or verification but they are much more reliable as one factor in a multi-factor authentication (MFA) system than a standalone single-factor workflow.
• Gather more data frictionlessly: In addition to the information the biometrics sensor returns – be it a signature, iris, voice, etc. – make sure you gather more data as well. Depending on the setting, this can be additional biometric markers, computer hardware and software setups, IP address information or even digital footprints. Use these to create more complete profiles of the individual, to prevent false negatives.
• Deploy fraud prevention software: Sophisticated fraud detection and prevention software combines multiple approaches to understanding whether someone is who they claim to be, gathering all the data, including biometrics and other findings, to provide risk scoring that reflects how dangerous someone could be. Riskier cases can be asked for further verification or reviewed manually by a human.
• Raise awareness among users: Even the best machine learning algorithms are no match for social engineering scams, and many biometrics hacks are powered by those – both on the level of convincing subjects to provide access to their characteristics, and of fooling gatekeepers. Make sure that your customers, staff or other users are aware of the risks and commonly seen types of schemes in your organization.

How to Protect from Biometrics Hacking as an Individual

For individuals, efficient prevention of biometrics hacking relies on four key tenets: 

First, protect your identity. This involves being mindful of where you keep sensitive personal information and official documentation, such as passports and identity cards. Identity theft in ecommerce, banking and other industries can involve biometrics as well as other verification methods.

Make sure you enable MFA where available so even if someone manages to reproduce your features, they will still need at least one more factor to gain access to your accounts.

Be vigilant and use complex passwords. Fraudsters will always take the straightest path to their destination – the easiest way to achieve their goal. This means that they are likely to attempt social engineering, brute force attacks or even shoulder-surfing to hack your password, for example, before they try biometrics hacking.

Keep up to date with best practices. If you use biometrics to gain access to your phone, to a physical space or to prove who you are to your bank, for example, it is a good idea to ensure that you are familiar with the advice and instructions specific to these systems that the organizations have provided. You will be better protected.

Sources

• IProov: Digital Identity in the USA: What Do Americans Want From the DMV?
• The Guardian: Major breach found in biometrics system used by banks, UK police and defence firms
• Help Net Security: AI can spot biometric spoofing attacks with ease
• Vpnmentor: Report: Data Breach in Biometric Security Platform Affecting Millions of Users
• eWeek: Biometric Security Can Be Hacked, but It’s Really Hard to Do
• Chief Investment Officer: Biometric Hacking: Even Your Face is Hackable
• FindBiometrics: Fraudsters Use Deepfake Biometrics to Hack China’s Taxation System