What is a Spoofing Attack? Prevention with Liveness Detection

Spoofing involves deceptive practice in which cybercriminals pretend to be trusted entities or devices to manipulate users into taking actions that benefit them. That’s why whenever an online scammer conceals their true identity by impersonating something else, it counts as a spoofing attack. Read more.

iDenfy

April 19, 2020

Blog
Our features
What is a spoofing attack and how to prevent it

If you think biometric face recognition systems are not vulnerable to spoofing attacks, you’re mistaken. Over the past few years, biometric face spoofing attacks have increased significantly all across the globe.

However, thankfully, we have liveness detection, which plays an extremely important role in identity verification by confirming the live presence of the individual, making it far more challenging for spoofers to impersonate someone else. What’s more, is that this technology enhances security while also improving the overall user experience in the authentication process.

In this post, we’re going in-depth regarding liveness detection techniques to help you prevent spoofing attacks and presentation attacks (PA).

What is a Spoofing Attack?

Two people with masks holding signs that say,
For those who don’t know, a spoofing attack is when a cybercriminal tries to gain illegitimate access to someone else’s rights through a photo, video, or other material for an authorized person’s face. If the attempt succeeds, the scam artist gains the rights of another person.

A spoofing attack is a fraudulent act of hiding your identity or disguising another form of communication to appear as a legitimate and trusted source. In the context of Know Your Customer (KYC) verification, this is a common tactic used by bad actors to bypass the identity verification check, which often happens during the account opening process on environments like a banking app or an iGaming site. Other popular types of spoofing include email spoofing in phishing campaigns and caller ID spoofing.

Spoofing attacks often exploit trust by pretending to be a familiar person or organization known to the victim. In certain scenarios, like phishing with website spoofing, these fraudulent messages may even be customized to the victim’s identity, aiming to deceive them into thinking the communication is genuine. When users are unaware of the scam, they become vulnerable to falling victim to a spoofing attack.

There are numerous ways hackers can execute face spoofing attacks. Let’s have a look at some common methods below.

Classifications of a Spoofing Attack

People attempting face spoofing with 2d and 3d printed masks
Most of the face spoofing attacks come under the category of presentation attacks. Such attacks involve using 2D and 3D — statistic or dynamic — objects to deceive facial recognition software:

  • 2D Presentation Attacks: Static 2D attacks are conducted using facial masks, photographs, or flat paper, while dynamic versions use multiple pictures in a sequence or screen video replays.
  • 3D Presentation Attacks: In 3D static presentation attacks, cybercriminals use 3D prints and sculptures, whereas, in dynamic versions, they use advanced robots to fool face recognition solutions.

Of course, these are not the only methods spoofers use. Presentation attacks are evolving with technology. However, due to technological limitations, 2D attacks are comparatively widespread.

It’s true that face recognition systems can easily be exposed to spoofing attacks; it doesn’t mean you can’t do anything to prevent them. Some biometric liveness checks can help you fight against hacking attempts.

And now, let’s get to know about some techniques to prevent face recognition spoofing.

How to Prevent a Spoofing Attack with Liveness Detection?

Liveness detection example showing two faces: photo on the phone marked as fake and a person holding the phone marked as real
There are various methods to counter face spoof attacks. They all come under the general term of “liveness detection.”

Liveness detection is a process used to identify non-living spoofs, such as photos, prints, or masks, ensuring the person in a selfie is real. This is a common technique used in biometric authentication or selfie verification. For regulated industries like banks, this is a mandatory KYC procedure, often combined with another KYC measure, document verification. What’s good about liveness detection technology is that it runs in the background after submission, using advanced algorithms. Liveness checks deter fraudsters or reveal mismatches with uploaded ID documents.

Liveness detection aims to identify if a face is alive or created by cybercrooks. In short, the technology detects the difference between a real face and a replica. That said, there are two major approaches when it comes to liveness detection, known as active and passive liveness detection. The active approach needs users to evidence their “liveness” by communicating with a face recognition system. On the contrary, passive liveness detection is hidden from the end-user and doesn’t need any action on its side.

The difference between active and passive liveness checks is user involvement. Active checks require users to perform specific actions to prove their live presence, while passive checks do not rely on user participation and aim to detect liveness through automated analysis.

We go into more detail below:

🟢 Active Liveness Detection

As mentioned above, active face liveness detection is an interactive approach to detect fraud; users have to stand in front of a camera and perform certain actions to demonstrate their rights or privileges with the system.

For example, these actions could be a smile, nod, blink, etc. In some cases, these actions could be randomized to add an extra layer of security to the system. Users won’t be able to gain access until they don’t complete all the required actions.

The choice between active and passive liveness checks depends on the specific use case and the balance between security and user experience. Active checks are often preferred when a higher level of security is required, while passive checks may be more suitable for applications where user convenience is a priority.

🟢 Passive Liveness Detection

In some cases, passive liveness detection proves a convenient protection option. Passive liveness checks are designed to be less intrusive and more user-friendly since users do not need to perform any actions. They aim to detect liveness while minimizing user interaction.

With this type of detection, there is no way for users to find out that they are being tested. The detection devices manage everything on their own. In general, passive liveness checks use advanced algorithms and sensors to analyze various biometric data, such as facial movements, thermal signatures, or even pulse detection, without any explicit user involvement.

Top 5 Anti-Spoofing Techniques

Illustration of a face detection system
Now it’s clear that face detection systems based on 2D and 3D images are vulnerable to spoofing attacks. However, it’s also true that such attacks can be prevented using liveness detection techniques based on texture, motion, shape, color, or reflectance.

Check out some popular liveness detection techniques below:

1. Eye Blink Detection

Eye blink detection has the highest accuracy. Natural eye blinking is a straightforward way to find out whether or not a face is live. The average human being blinks 15 to 30 times every minute, and eyes stay shut for approximately 250 milliseconds during a blink.

The modern, state-of-the-art cameras are capable of recording videos with far smaller intervals between frames. Consequently, eye blink detection implementation can help you identify and prevent possible presentation attacks. Deep learning can be added to this technique to enhance its effectiveness.

2. Deep Learning

It is another effective solution that can help you with anti-spoofing. A convolutional neural network or CNN can be trained to determine the difference between real and spoofed photos. Already a lot of businesses have brought this technology into use to protect their systems.

3. Challenge-Response Technique

A challenge-response system validates the identity of a user based on a series of challenges, such as head movements, smiles, and facial expressions of happiness and sadness.

4. 3D Cameras

3D Cameras are considered one of the most reliable techniques to prevent spoofing techniques. These cameras can determine the difference between a face and a flat shape. Therefore, they provide high accuracy against presentation attacks.

5. Active Flash

Active Flash reduces the risk of presentation attacks by enabling us to identify spoofing using the reflections of light on a face. It involves using a changing light environment offered by the extra light that comes from a device’s screen. The white light gives sufficient facial reflection.

What Else Can You Expect Next for Anti-Spoofing Technology?

iDenfy superhero
There is much more you can expect from liveness detection technologies in the coming years. With the combined use of artificial intelligence and deep learning, face anti-spoofing technology can be made more robust and effective. At iDenfy, we understand that you want the most accurate KYC checks with a focus on user experience.

And, for that, we have used automation to create a complete RegTech suite: automated ID verification solutions (with active and passive liveness checks, customer reverification options, etc.), including other solutions for ongoing due diligence, such as AML screening or automated customer risk assessment – both for individual clients and other companies.

Let’s chat so we could show you around our dashboard for a more hands-on approach.

What is a Spoofing Attack?
Classifications of a Spoofing Attack
How to Prevent a Spoofing Attack with Liveness Detection?
Top 5 Anti-Spoofing Techniques
What Else Can You Expect Next for Anti-Spoofing Technology?

Frequently asked questions

1

What is the Most Common Spoofing Attack?

Arrow

Email spoofing is popular among bad actors. It works by impersonating legitimate identities, such as another person or a legitimate company, by sending emails with official logos and headers, replicating an official tone and vibe of the email to make it appear more legitimate. Similar to phishing, it targets multiple recipients to deceive them and get a more positive success rate on the fraudster’s end. 

2

What is the Difference Between Passive and Active Liveness?

Arrow
3

Is Spoofing a Crime?

Arrow
4

How Does Selfie ID Verification Work?

Arrow
iDenfy

Read more articles

Blog

December 18, 2024

Refund Fraud: Definition, Key Types & Ways to Stop It

Learn why scamming away and abusing return policies remains a serious threat to various e-commerce marketplaces and access key solutions explaining how businesses should respond to refund fraud.

Written by Gabija Stankevičiūtė
Kyc in the Metaverse
Blog

December 18, 2024

KYC in the Metaverse: Trust in a Virtual World

The metaverse is revolutionizing how we connect, work, and even do business – a path that holds incredible opportunities and enormous challenges in security and trust among users. Know Your Client (KYC) processes are key to preventing fraud and building trust in a virtual environment that supports safe interactions and growth.

Written by Andrius Juodis
Blog Regulations by Country

December 16, 2024

Beneficial Ownership Information (BOI) Reporting [Guide]

Access the latest news and summarized takeaways regarding FinCEN’s Beneficial Ownership (BOI) Reporting rule: which entities need to comply and what exact steps reporting companies need to take right now.

Written by Gabija Stankevičiūtė

Save costs by onboarding more verified users

Join hundreds of businesses that successfully integrated iDenfy in their processes and saved money on failed verifications.

Try for free Talk to sales mr-10 Try for free
LLOYDS

All iDenfy’s products are protected with the number one cyber insurance package and the Technology Errors & Omissions insurance.

SOC Certificate ISO 27001 standard iBeta ISO 30107 standard
X