Biometric Spoofing and Anti-Spoofing - Research … · Biometric Spoofing and Anti-Spoofing ... MacGyver - The Human Factor ... Handbook of Biometrics,2008 40/43. Definition

Biometric Spoofing and Anti-SpoofingPresentation Attack Detection – part 1

Sebastien Marcel

Head of the Biometrics Security and Privacy grouphttp://www.idiap.ch/

~

marcel

IEEE Workshop on Information Forensics and Security,Rennes,

France – December 5, 2017

1/43

http://www.idiap.ch/~marcel

Outline

IdiapWhere is Idiap ?What is Idiap ?

IntroductionBiometrics SecurityPresentation Attacks in MoviesPresentation Attacks in realityDefinitionImportance

2/43

Where is Idiap ?

3/43

Where is Idiap ?

4/43

Where is Idiap ?

Altitude to ski ranges from 1400m to 3000m

5/43

What is Idiap ?

• Non-for-profit research institute founded in 1991

• A�liated with Ecole polytechnique federale de Lausanne(EPFL)

• Research, Education and Technology transfer

• 9 research groups in Human & Media Computing (computervision, speech and audio, machine learning, . . . ) and onegroup on Biometrics Security and Privacy

For more information:

www.idiap.ch

6/43

www.idiap.ch

Biometrics Security

A biometric system is vulnerable to attacks 1

7

1

2

3

4

5

6

Sensor Feature Extractor Comparator

Database

Decision

8

biometric data biometric feature score

biometric

reference

• Indirect attacks (2-8)

• Direct attacks (1)

1NK Ratha et al., Enhancing security and privacy in biometrics-based authentication systems, IBM Systems

Journal, 40(3):614634, 2001

7/43

Biometrics Security

Indirect Attacks

7

1

2

3

4

5

6


Database

Decision

8


biometric

reference

Indirect attacks are performed inside the system by:

• bypassing the feature extractor or the comparator (3, 5),

• manipulating the biometric references in the biometricreference database (6),

• exploiting possible weak points in communication channels (2,4, 7, 8).

8/43

Biometrics Security

Direct Attacks

7

1

2

3

4

5

6


Database

Decision

8


biometric

reference

Direct attacks (presentation/spoofing attacks) are performed atthe sensor level: the sensor is fooled and not replaced nortampered.

In this lecture we are concerned with presentation attacks

9/43

Presentation Attacks in Movies

MacGyver - The Human Factor (S02E01 1986)

Using dust and jacket to simulate a hand on the hand printscanner !

10/43


MacGyver - The Human Factor (S02E01 1986)

1 scraped some plaster o↵ the walls,

2 sprinkled the plaster dust over thepalm print reader revealing theColonels hand print,

3 laid a jacket down over the plasterhand print impression and lightlypressed down on the reader.

11/43


Sneakers (1992)

Replay a voice recording in front of a speaker recognition system !

12/43


Sneakers (1992)

13/43


Demolition Man (1993)

Present an eyeball in front of a iris scanner !

14/43


GATTACA (1997)

Injecting blood samples in a false finger tip to fool DNAidentification !

15/43


Minority Report (2002)

Using eyeball-swapping surgery to avoid iris identification !

16/43


X-Men 2 (2003)

High-tech iris spoofing !

17/43


RED 2 (2013)

Iris spoofing (not retina) with a fake contact lens !

18/43

Presentation Attacks in reality

CVDazzle (Apr 2010)

Camouflage from face detection (Adam Harveyhttp://ahprojects.com/projects/cv-dazzle)

19/43

http://ahprojects.com/projects/cv-dazzle


CVDazzle (Apr 2010)

Designed to confuse boosted weak-learners based on Haar-likefeatures (OpenCV implementation of Viola-Jones)

20/43


Bank robbery (2010)

Conrad Zdzierak used a silicon masks to pass himself o↵ as a blackcharacter ”SPFX The Player” during robberies !

21/43


Hong Kong - Vancouver (Jan 2011)

A passenger boarded a plane in Hong Kong with an old man maskand arrived in Canada !

22/43


Camoflash (Nov 2011)

Anti-paparazzi fashion accessory using high brightness LEDs(Adam Harvey http://ahprojects.com/projects/camoflash)

23/43

http://ahprojects.com/projects/camoflash


Blind Cameras

Blind Cameras with an Infrared LED Hat

24/43


Blind Cameras

25/43


Android 4.0 (Nov 2011)

Android 4.0 Face UnLock feature spoofed by photograph

26/43


Android 4.1 (Jun 2012)

Liveness check (eye blink) introduced in Android 4.1

27/43


Bank robbery again (2012)

Burglars who robbed a cash-checking store in Queens disguised ascops !

28/43


Brazil (March 2013)

Fake fingers used to fool Hospital clock-in scanner

29/43


More bank robbery (2013)

Steven Ray Milam robbed 11 banks in Texas with ”SPFY TheHandsome Guy” silicon mask

30/43


iPhone 5s - Touch ID (Sep 20 2013)

How many days will it take to spoof it ?

2 days !iPhone 5s spoofed by the Chaos Computer Club (1st public ...)

31/43


iPhone 5s - Touch ID (Sep 20 2013)

How many days will it take to spoof it ? 2 days !iPhone 5s spoofed by the Chaos Computer Club (1st public ...)

31/43


iPhone 5s spoofed by CCC (Sep 21 2013)

http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

32/43

http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid


Apple and fingerprints the full story

http://fingerchip.pagesperso-orange.fr/biometrics/types/

fingerprint_apple.htm

Jean-Francois Mainguet (Sep 22 2013)

33/43

http://fingerchip.pagesperso-orange.fr/biometrics/types/fingerprint_apple.htm

http://fingerchip.pagesperso-orange.fr/biometrics/types/fingerprint_apple.htm


Finger-vein (Oct 2014)

Finger-vein commercial system spoofed by a piece of paper

34/43


Samsung Galaxy S8 Iris spoofed by CCC (May 23 2017)

35/43


Samsung Galaxy S8 Iris spoofed by CCC (May 23 2017)

https://media.ccc.de/v/biometrie-s8-iris-en

36/43

https://media.ccc.de/v/biometrie-s8-iris-en


iPhone X FaceID (Sep 2017)

37/43


iPhone X FaceID robust to masks (Sep 2017)

38/43


iPhone X spoofed by Bkav (Nov 27 2017)

http://www.bkav.com 39/43

http://www.bkav.com

Definitions

Spoofing AttackOutwitting a biometric sensor by presenting a counterfeit biometricevidence of a valid user2

Anti-SpoofingCountermeasure to spoofing attack

No common terminology so farspoofing, evasion/concealment, anti-spoofing, livenessdetection, presentation attack, presentation attack detection, . . .

2K. A. Nixon et al. Spoof Detection Schemes; Handbook of Biometrics, 2008

40/43

Definition by ISO 3

Presentation Attack – PApresentation to the biometric data capture subsystem with the goalof interfering with the operation of the biometric systemmethods: artefact, mutilations, replay, . . .goals: impersonation or not being recognized (concealment)

Normal (Bona Fide) Presentation

interaction of the biometric capture subject and the biometric datacapture subsystem in the fashion intended by the policy of thebiometric systemin short anything which is not a PA !

Presentation Attack Instrument – PAIbiometric characteristic or object used in a presentation attackeg. artefacts, dead bodies, altered fingerprints, . . .

Presentation Attack Detection – PADautomated determination of a presentation attack

3ISO/IEC 30107-1:2016, Biometric presentation attack detection – part 1, 2016

41/43

Importance

Presentation Attack is a major threat

7

1

2

3

4

5

6


Database

Decision

8


biometric

reference

because it can be created and performed by anyone with nospecific skills in computer science

42/43

Importance

Funding programs/projects

• EU TABULA RASA ”Trusted Biometrics under SpoofingAttacks” (2010-2014)

www.tabularasa-euproject.org

• EU BEAT ”Biometrics Evaluation and Testing” (2012-2016)

www.beat-eu.org

• CH/VS: Swiss Center for Biometrics Research and Testing(2014–)

www.biometrics-center.ch

• NO: SWAN ”Secure Access Control Over Wide AreaNetwork” (2016-2019)

www.ntnu.edu/iik/swan

• US: IARPA Odin Thor/Loki red team approach (2017-2020)

www.iarpa.gov/index.php/research-programs/odin

43/43

www.tabularasa-euproject.org

www.beat-eu.org

www.biometrics-center.ch

www.ntnu.edu/iik/swan

www.iarpa.gov/index.php/research-programs/odin

Biometric Spoofing and Anti-Spoofing - Research … · Biometric Spoofing and Anti-Spoofing ... MacGyver - The Human Factor ... Handbook of Biometrics,2008 40/43. Definition

Documents