Facial ID farming: a threat for biometric security checks
The nature of identity fraud is evolving, and this has become all the clearer with the uncovering of facial ID farms on the dark web. According to researchers, cybercriminals have engineered a simple but sophisticated scheme to circumvent facial identity verification systems through coordinated data collection on the dark web.
The operation, uncovered by the U.K.-based cybersecurity company iProov's biometric threat intelligence unit, involves systematically harvesting genuine identity documents and facial images specifically to defeat Know Your Customer (KYC) verification processes used by financial institutions.
Facial ID farming
As cybercriminals exploit the unique and immutable nature of facial recognition data, facial ID farming is becoming a growing concern. These illicit operations involve harvesting, selling, and misusing facial images and associated metadata, posing significant risks to individuals, businesses, and governments.
Facial ID farms collect data from a variety of sources. Data breaches remain a primary method, with hackers targeting companies that utilize facial recognition systems or store vast quantities of photos. Social media platforms and websites are also vulnerable, as criminals scrape publicly available images to build extensive databases. Phishing schemes trick individuals into uploading selfies or other personal images, while malware can extract biometric data directly from compromised devices.
The multi-layered challenge facing verification systems
The new threat highlights that organizations must be able to detect not only fake documents, but also genuine credentials used in fraudulent financial applications.
But how does the attack process work? The threat operates on three fronts:
- Document verification: Traditional systems fail against entirely legitimate, unaltered documents acquired through dark web sources.
- Facial matching: When criminals pair authentic facial images with their corresponding legitimate documents, conventional matching algorithms can be deceived since they're comparing genuine materials.
- Liveness detection: These attacks operate on three tiers:
  - Basic: Using printed photos and altered documents.
  - Intermediate: Employing real-time face swapping and deepfakes with genuine documents.
  - Advanced: Utilizing 3D modeling and real-time animation to bypass liveness checks.
This multi-layered threat requires organizations to implement comprehensive security measures that can detect and prevent fraud across all sophistication levels, the iProov report highlighted.
The permanent nature of biometric data
The risks associated with this facial ID farming threat are multifaceted and alarming. Identity theft is one of the most immediate dangers, as criminals can use stolen facial data to impersonate individuals and bypass security measures in banking, travel, or other sensitive areas. Deepfake technology compounds this issue, enabling the creation of hyper-realistic videos or images that can be used for scams, blackmail, or disinformation campaigns.
On the dark web, marketplaces thrive by selling stolen facial data alongside other personal information, such as social security numbers or credit card details. Buyers range from criminal enterprises seeking to bypass biometric security systems to corporate espionage agents aiming to access sensitive systems or facilities. State-sponsored actors may also exploit this data for surveillance or disinformation campaigns, highlighting the global implications of this threat.
However, what makes this issue particularly serious is the permanent nature of biometric data. Unlike passwords, which can be changed if compromised, facial data is immutable. Once it is exposed, it can be used indefinitely, creating a long-term risk for individuals whose data has been stolen.
Taking proactive measures
To mitigate these risks, individuals and organizations must take proactive measures. Limiting the sharing of high-resolution selfies or unnecessary facial data online is a crucial first step. Multi-factor authentication (MFA) should be used wherever possible, pairing facial recognition with additional security measures to strengthen defenses. Organizations must prioritize securing their systems through encrypted storage and regular security audits, ensuring that facial recognition data remains protected.
The facial ID farming threat underscores the importance of treating biometric data as sensitive and ensuring its protection. As technology evolves, so must the measures to safeguard this critical aspect of digital identity.