Angelo Gajo | June 7, 2019 | 8 minutes
Voice biometrics, such as Auraya’s ArmorVox voice biometric engine, could prove to be the better biometric capability between voice and fingerprints as a dark web marketplace for digital fingerprints recently emerged. Initially spotted by Kaspersky lab researcher Sergey Lozhkin, Kapersky announced in their Singapore Kaspersky Security Analyst Summit that over 60,000 individual fingerprint data were being sold by criminals in the dark web marketplace named Genesis.
The creators of Genesis started advertising their products in the fall last year on forums where hackers discuss stolen payment card details. Users who previously have had malware or installed bad browser extensions would likely have their information and details stolen and sent to Genesis. A part of this stolen information includes those 60,000 fingerprint biometric data.
The reliability of the security of fingerprint biometrics was hit recently when someone managed to fool their new Samsung Galaxy S10’s ultrasonic fingerprint scanner with a 3D printed fingerprint replica of their own fingerprint.
Source: Imgur via @Darkshark
It only took Imgur user Darkshark 3 attempts in 13 minutes to create a replica of his fingerprint and hack into his own device. After learning the proper technique, he proclaimed that it can even be done in less than 3 minutes. The steps that he took to achieve this were also simple and straight-forward:
So, what do fingerprint, facial and iris biometric recognition have in common? It is that they are all static and replicable. You can’t change any of it unless you undergo surgery. Coupled with the stolen biometric data being sold off in the Genesis dark web marketplace, the reliability of these biometrics becomes quite questionable.
Further examples include United States’ Michigan police department 3D printing a murder victim’s finger to unlock his phone, Vietnamese cybersecurity firm Bkav creating a 3D printed mask to beat the iPhone X’s Face ID security feature and Chaos Computer Club bypassing Samsung Galaxy S8’s iris recognition via a printed photograph of an iris wrapped inside a contact lens.
This leaves us with voice biometrics. Unlike the other biometrics, voice is not static and already has numerous security features to combat fraud. Auraya’s ArmorVox voice biometric engine, for example, boasts a list of patented features such as automated tuning process, speaker specific threshold & speaker-specific background models, active learning, fused active/passive modes, impostor mapping & cross-matching, synthetic voice detectors and random challenge:
With these features, clients can enrol, verify and authenticate their customers securely and accurately, while detecting and mitigating fraudulent activities. Although it is still strongly advised, as with all biometric recognition capabilities, that it is implemented as a part of a multi-factor authentication method.