Why Voice Biometrics is Better Than Fingerprint Biometrics
Voice biometrics, such as Auraya’s ArmorVox voice biometric engine, could prove to be the better biometric capability compared with fingerprints, as a dark web marketplace for digital fingerprints recently emerged. The marketplace was initially spotted by Kaspersky Lab researcher Sergey Lozhkin, and Kaspersky announced at its Kaspersky Security Analyst Summit in Singapore that over 60,000 sets of individual fingerprint data were being sold by criminals on the dark web marketplace named Genesis.
Genesis: is your information in their marketplace?
The creators of Genesis started advertising their products in the fall of last year on forums where hackers discuss stolen payment card details. Users who have previously been infected with malware or installed bad browser extensions would likely have had their information and details stolen and sent to Genesis. Part of this stolen information is those 60,000 sets of fingerprint biometric data.
Bypassing Samsung Galaxy S10's ultrasonic fingerprint scanner
The reliability of the security of fingerprint biometrics was hit recently when someone managed to fool their new Samsung Galaxy S10’s ultrasonic fingerprint scanner with a 3D printed fingerprint replica of their own fingerprint.
It took Imgur user Darkshark only 3 attempts in 13 minutes to create a replica of his fingerprint and hack into his own device. After learning the proper technique, he proclaimed that it can even be done in less than 3 minutes. The steps that he took to achieve this were also simple and straightforward:
Take a photograph of the fingerprint on a wine glass using a smartphone to obtain fingerprint details
Open the image in Photoshop, increase the contrast and create an alpha mask to increase the definition and quality of the fingerprint image
Export image to 3DS Max and create geometry displacement to generate a 3D model
Print the model on a 3D printer
Why voice biometrics is better
So, what do fingerprint, facial and iris biometric recognition have in common? It is that they are all static and replicable. You can’t change any of it unless you undergo surgery. Coupled with the stolen biometric data being sold off in the Genesis dark web marketplace, the reliability of these biometrics becomes quite questionable.
Further examples include a police department in Michigan, United States, 3D printing a murder victim’s finger to unlock his phone, Vietnamese cybersecurity firm Bkav creating a 3D printed mask to beat the iPhone X’s Face ID security feature, and Chaos Computer Club bypassing the Samsung Galaxy S8’s iris recognition via a printed photograph of an iris wrapped inside a contact lens.
This leaves us with voice biometrics. Unlike the other biometrics, voice is not static and already has numerous security features to combat fraud. Auraya’s ArmorVox voice biometric engine, for example, boasts a list of patented features such as automated tuning process, speaker specific threshold & speaker-specific background models, active learning, fused active/passive modes, impostor mapping & cross-matching, synthetic voice detectors and random challenge:
Automated Tuning Process – achieves optimal results by tuning background voiceprint models to match the production environment
Speaker Specific Threshold and Speaker Specific Background Models – achieves consistent levels of security of each user by allowing custom set security thresholds per user or use case
Active Learning – achieves improved performance and accuracy over time by continually learning users’ voice prints for every opted interaction
Fused Active/Passive Modes – achieves improved user experience and choice by allowing text-dependent, text-independent, text-prompted or digit-independent enrollment types
Impostor Mapping & Cross Matching – detects and flags impostors and fraudsters by washing new and existing enrollees against the current database at great speed
Synthetic Voice – detects and flags synthetic or recorded voices by using machine learning algorithms
Random Challenge – detects and deflects pre-recorded responses by issuing randomly generated, non-repeated challenge responses
With these features, clients can enroll, verify and authenticate their customers securely and accurately, while detecting and mitigating fraudulent activities. As with all biometric recognition capabilities, however, it is still strongly advised that voice biometrics be implemented as part of a multi-factor authentication method.
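The Random Challenge idea from the feature list, sketched as an added example (this is not Auraya's or ArmorVox's code): the server picks an unpredictable digit string, never repeats one for the same user, allows a single attempt and expires the prompt. The digit length, lifetime, history size, and the `spoken_digits` and `voice_match` inputs (standing in for a speech recogniser and a speaker-verification engine) are assumptions.

```python
import secrets
import time

CHALLENGE_DIGITS = 6    # assumed length of the digit string the user must speak
CHALLENGE_TTL = 30.0    # assumed lifetime of a challenge, in seconds
HISTORY_SIZE = 1000     # assumed number of past challenges remembered per user


class ChallengeIssuer:
    """Issues random, single-use, non-repeating digit challenges per user."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # user_id -> (challenge, expiry time)
        self._history = {}   # user_id -> recently issued challenges

    def issue(self, user_id):
        seen = self._history.setdefault(user_id, [])
        while True:
            # secrets draws from the OS CSPRNG, so the next prompt cannot be
            # predicted and recorded in advance.
            challenge = "".join(
                secrets.choice("0123456789") for _ in range(CHALLENGE_DIGITS)
            )
            if challenge not in seen:   # never reuse a prompt for this user
                break
        seen.append(challenge)
        del seen[:-HISTORY_SIZE]        # keep only the most recent entries
        self._pending[user_id] = (challenge, self._clock() + CHALLENGE_TTL)
        return challenge

    def verify(self, user_id, spoken_digits, voice_match):
        """spoken_digits: transcript of the reply (assumed recogniser output).
        voice_match: True if the voiceprint check accepted the audio (assumed)."""
        # pop() consumes the challenge: one attempt only, pass or fail.
        entry = self._pending.pop(user_id, None)
        if entry is None:
            return False                # nothing outstanding, or a replay
        challenge, expiry = entry
        if self._clock() > expiry:
            return False                # reply arrived too late
        # Both checks must pass: right words AND right voice.
        return spoken_digits == challenge and voice_match
```

A recording of an earlier session fails here even when the voice itself matches, because the digits it contains belong to a challenge that has already been consumed and will not be issued again.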