Seeing is Not Believing: Bypassing Facial Liveness Detection by Fooling the Sensor

September 26, 2024 (GMT +8)
11:00
Ballroom 1 & 2
  

Given facial recognition's continued popularity as a form of identity verification, organizations are grappling with the real threat of facial spoofing attacks, particularly in light of the rapid pace of development in AI and deepfakes. To combat fraudsters, organizations introduced “facial liveness detection” to ensure the end-user is a live person; but can these systems trust the evidence from their own sensors?

This presentation will demonstrate how to bypass facial liveness detection systems on different platforms by fooling the camera/sensor. While previous research in this area has relied on hardware modules, the method demonstrated here leverages open-source software and is simple, free, and neither time- nor resource-intensive. The talk will also cover the tools used, the setup process, and demonstrations of the bypasses using different platforms. The pros and cons of this approach will also be considered, as well as the threats it poses, particularly how videos posted on social media platforms could help fraudsters abuse this method. The presentation will conclude with recommendations to help organizations combat such an attack.

The main takeaways from this research are:

- How easy it is to bypass facial liveness detection using publicly and readily available tools
- How fraudsters could use what is posted on social media platforms
- How this attack could be mitigated for organizations to improve their algorithms/detection, and inform users on what to look for when choosing an identity verification provider

The main objective of this talk is to make users aware of the risk involved in posting their videos on social media platforms, and to inform organizations of how easy it is to bypass facial liveness detection so that they can improve their systems.

Speaker

Elvin Gentiles (@CaptMeelo)

Elvin Gentiles is an Offensive Security Consultant with years of experience conducting various types of penetration testing services and security assessments against several organizations of varying sizes, and across diverse sectors, from SMEs to Fortune 500 companies. Throughout his career, he has earned multiple certifications, published several blog posts (at https://captmeelo.com/) and security advisories, participated in different bug bounty programs, and became a speaker at SANS HackFest 2022.
