Most Face Authentication Systems Can Be Bypassed By 3D Models Of Facebook Photos; Now What?

Status
Not open for further replies.
All forms of biometrics, no matter how sophisticated, will eventually get worked around as long as would-be attackers have any form of access to the underlying data or enough related data to recreate it. I would not trust biometrics as anything more than a fancy and somewhat more secure user name replacement. I'd still require a password to complete authentication for anything requiring more than trivial security.
 
Yea, no such thing as bullet proof in security. There will always be a workaround from someone. People should however understand that as techniques to bypass security are created depending on the use cases you will still reduce the number of attackers able to make effective use of the approach. So there is never a case where nothing is better than something. Just because researchers figured out a way around it does not mean that it should not be used. There are a number of things to consider to make that determination.
 
Totally against biometric security. Private espionage under a brand new excuse. Now go out and scream: SECURITY! SECURITY! SECURITY!
Better tap your cameras, more elegantly (the way Asus did it) or less so...because your smartphone or laptop is not exactly yours, or under your control for that reason.
How many times do we need to read news about newly discovered backdoors and bugs that were being exploited by the NSA to understand the world we're living in?
Oh wait, yeah...let me go buy a smartphone with a fingerprint reader and that biometric security bullshit enabled. Just another chain tied to your neck.

Some people would be capable of proposing a law according to which we shall all walk completely naked in public so that we cannot hide anything under our clothes, be it guns, counterfeit money or some "Allahu akbar" bomb.
 
This is a lot of work to defeat a simple lock that's not meant to provide heavy security.

Holding your victim's phone up to their face to access their phone would be much easier, and is also easier than beating a PIN out of them.
 

It won't be that much work once automated toolkits to do that job become more common and many people will make the mistake of underestimating the importance of the data they are protecting with vulnerable biometric locks.
 
Multiple factor security is important. Facial recognition is OK as a part of that, but not as the only solution. Although, when I read the headline I already knew that Windows Hello couldn't be bypassed so easily since I had read about it when it was first released. In fact it can tell apart supposedly identical twins in the tests I saw.
 
An infrared camera can't be fooled by a 3D model. It detects the thermal signature of a face, which can't be obtained from a plain photo.
 

If you put infrared cameras in the cheap-and-plentiful market, plenty of people will have access to equipment to take IR pictures of people and it will only be a matter of time before they come up with a method of replaying IR pictures to biometric sensors, such as using a DLP chip with an IR light source.

Just because the technique is not currently widely used or available does not make it inherently more secure, only temporarily more difficult. A thief planning to steal your phone could very well take IR video of you prior to snatching your phone or have an accomplice taking care of IR imaging while he does his thing.
 


The other problem is that IR cameras won't work in direct sunlight, as my friend's senior design team found out the hard way when they put a 360 Kinect sensor into an automated robot.
 
It’s really worrying that so many people are so tragically misinformed. Biometrics should not be activated where you need to be security-conscious.

It is known that authentication by biometrics comes with poorer security than PIN/password-only authentication. The following video explains how biometrics makes a backdoor to password-protected information.
https://youtu.be/5e2oHZccMe4
 

How much more/less secure than pin/pass biometrics are is largely dependent on how frequently the information/device being protected is protected using common pin/pass such as 'password' or '1234'.

Most of my new passwords these days are slaps on the keyboard in Notepad copy-pasted in the password fields and choosing "keep me logged in". The next time I need to log in, I simply do a password recovery and repeat the Notepad procedure for the new password.
 
InvalidError and 3ogdy are on the ball here. Just look up Blendswap; the consumer-level programs for recreating photoreal 3D models of people, buildings, anything just from photos and video frames(!!!) are mind-blowing.

I propose that the core of the issue is that technology-focused people are making things more complex and exponentially more sophisticated, yet on the front end ever easier and dumbed-down for the layperson. Hence this is just exacerbating the digital divide, which is most stark in security situations.

I spend most of my time nowadays with new devices turning off all the privacy-invading stuff, closing ports or what not, disabling location, rotating passwords (though like many I'm extremely lazy to do so most of the time). Even then I suspect it's minimally effective.

The average user? I don't think they ever stood a chance, not with massive government agencies, hacker groups, foreign entities and who knows what devoting all their energies to circumventing an average user's security while promising them security even though that security is mostly an illusion!

A classic case is the ol' going around to your coworker or relative's PC and seeing their browsers clogged with all kinds of gunk (toolbars, plugins, saved passwords, etc.) That hasn't changed in the past 10 years, and across all platforms it doesn't look like it will change significantly in the next 10 years.

With the explosion of selfie culture across the globe (it only seems to be accelerating at this stage) it would seem a hacker's paradise for the foreseeable future.

PS Without getting conspiratorial, financial security is probably at its weakest point in digital history - I suspect banks are suffering big time (probably mainly due to lax security on the customer side) but are clever at keeping things under wraps.

PPS And indeed this is the perfect self-reinforcing cycle of promising more security which is actually more spying and less security which will lead to more invasion and hence more demands for more spying and surveillance ~in the name of security~ which will lead to the promise of more security and... let's just say this trajectory for the layperson is not looking good at the moment.
 