Thursday, March 28, 2024

Fake Face Fest — A Quick Overview of Biometric Antispoofing in China

The technology of “biometric identification”, while being a relatively recent know-how, has been widely represented in sci-fi movies and literature for decades. We’ve all seen villains and heroes using complicated devices to gain access to personal vaults, military installations, private bunkers etc. 

Frequently we see these systems being hacked as well. The spoofing tools are using gelatin fingerprints, fake eye retinas, and so on. How close is this representation to reality? Let’s take a closer look, based on one of the world’s most electronically advanced countries — China. 

First, let’s talk about spoofing in general. Liveness spoofing is a malicious activity aimed at gaining access to confidential info and/or personal valuables by using forged or counterfeit biometric data: photos, fingerprints, retina-based identification etc.

First attempts

Chinese liveness detection and anti-spoofing systems existed since the introduction of such methods back in the early 2000s. The earliest Chinese facial recognition and liveness detection systems were mostly based on the Western technology, such as the US Army’s Defense Advanced Research Projects Agency (DARPA) Ferret project. 

It was as an early example of such technology that contained a major drawback: it worked only under ideal conditions (front-side visa/passport photos) and with an approximate rate of 73% effectiveness.

With the first experiments conducted by the Chinese banks and financial institutions, the first challenges appeared: systems were unreliable, often failing to recognize the image of a person using them. Plus, they were easily fooled by lighting and artificially altered images. 

Gradual improvement of the technology involved several steps aiming at the security boost before anti-spoofing systems could be effectively put into use. 

Among a huge number of methods and technologies used in China we can highlight two of them based on facial recognition and widely implemented by such financial and technological giants as Bank of China, AliBaba, Tencent and others.

These methods include real-time polarized face anti-spoofing (PAAS) and Presentation Attacks Detection (PAD). Let’s first compare the two major systems in use.

          Picture: Example of the machine image analysis, using the PAD method

They shall not PAAS 


The first one of those (PAAS) uses a light polarization method, which implies the machine learning-based analysis of light reflection, using real faces, mock faces (dolls and sculptured faces) and computerized images. 

This is a greatly simplified outlook. However, it describes the main operative method of the system. As researchers from the Tianjin Academy for Intelligent Recognition Technologies outline in their comprehensive study of the topic

Because polarization reveals the information of shape, material, roughness and other attributes of an object, it becomes extremely difficult to imitate or change it by a third party for malicious intents.

PAD


The Presentation Attack Protection (PAD) is yet another method of anti-spoofing, developed, patented and maintained by a group of researchers from the Chinese branch of Institute of Electrical and Electronics Engineers (IEEE). 

This method is employed on a different level of biometric data recognition, compared to the PAAS method, described earlier. 

First and foremost it aims at creating a comprehensive network that would eliminate the difference in camera recognition effectiveness, which naturally stems from differences in quality and sensitivity of camera lenses, matrixes and other parts.

What PAD does is a complex analysis of the second, “underlying” layer of the face presented. Compared to the first layer, analyzed by the PAAS technology, PAD “disassembles” the image it’s “seeing” to quickly search for some small defects or any other altering clues that the second layer of the picture/video might contain.

Usage


The aforementioned Chinese technologies, as well as any complementary methods have found wide use in different areas, from e-banking to school exams. 

For instance, anti-spoofing and liveness detection technologies are widely used in university examinations, to confirm the identity of the student passing an exam. 

This measure prevents another person from taking an exam instead of an actual entrant, which is an illegal paid service, widely used throughout China.

So, we can conclude that throughout the early 2000s and up to this, China has been developing and implementing numerous methods aimed at raising its liveness detection in anti-spoofing technologies. We will cover the history of this process in the next article. Stay tuned! 

More information about liveness and anti-spoofing technologies you can be read on the liveness wiki – Here.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles