The internet is slowly (and painfully) discovering that security is a hard mistress. I mean fingerprints have been hacked, and passwords have not been delivering for a long time. Next step was having a camera look at your face to see if you are really you.
Of course, the early systems could be hacked with a high-quality printed photo. So security added a “check if it’s alive” method. That in turn was hacked using tablets and videos. The next step was to check if the received images make sense (so videos were out). But then hackers started using 3D-printed masks.
But 3D masks are hard to create. Why not just grab a few of your social media photos, and use those to create a model that looks so real that it fools security systems?
And this is what the team at the University of North Carolina did.
Turns out, it is not that hard. All they needed was 2 front-facing photos off social media and 2-3 side-facing photos and then they own you. And really, who does not have at least 5 (cross that, 5 million) online photos of themselves?
Here is how it works:
- First the team needs them photos. Instagram, Facebook, Twitter, anything goes, though, obviously, higher res is better.
- Your face is extracted from the photos, and your mouth, nose, eyes and other features are modeled.
- Any weird textures are smoothed out.
- Your gaze (a.k.a. eyes) is replaced with “real eyes”.
- And they even add blinking, eyebrow movement and other expressions.
The team fooled the system so well that in some cases, they got through 97.5% of the time (where a real person got through 98% of the time).
What can you do now? Well, the team offers at least two methods of killing this attack:
- adding an infrared scan of the face or
- projecting a pattern and looking for it in the analyzing software.
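To make the second idea concrete, here is an added sketch (not code from the UNC team or from this post) of what "looking for the pattern" could mean in the analyzing software. It assumes the projected pattern is a fresh random on/off light sequence, one bit per frame, and that each frame has already been reduced to the mean brightness of the face region; the function names and sample traces are made up for illustration.

```python
import secrets
from statistics import mean, pstdev

def make_challenge(n_frames=32):
    """Fresh random on/off illumination bit per frame (hypothetical scheme)."""
    while True:
        bits = [secrets.randbits(1) for _ in range(n_frames)]
        # Reject near-constant patterns: they carry no signal to look for.
        if n_frames // 4 <= sum(bits) <= n_frames - n_frames // 4:
            return bits

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is flat."""
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    mx, my = mean(xs), mean(ys)
    return mean([(x - mx) * (y - my) for x, y in zip(xs, ys)]) / (sx * sy)

def pattern_present(challenge, brightness, max_lag=3, threshold=0.8):
    """True if face-region brightness tracks the projected pattern.

    brightness[i] is the mean pixel value of the face region in frame i.
    Small lags are tried because the camera sees each flash slightly late.
    """
    if len(brightness) != len(challenge):
        return False
    best = 0.0
    for lag in range(max_lag + 1):
        n = len(challenge) - lag
        best = max(best, pearson(challenge[:n], brightness[lag:]))
    return best >= threshold

# Constructed sample data, not measurements from the study.
CHALLENGE = [1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1]
# A real face lit by the projector: brightness follows the pattern one frame late.
LIVE = [100 + 40 * (CHALLENGE[i - 1] if i else 0) + i % 2 for i in range(16)]
# A trace that never reacts to the pattern, as from pre-rendered footage.
STATIC = [120 + i % 2 for i in range(16)]

if __name__ == "__main__":
    print("live face accepted:", pattern_present(CHALLENGE, LIVE))
    print("static feed accepted:", pattern_present(CHALLENGE, STATIC))
```

The pattern has to be generated fresh for every login attempt, otherwise a recording of an earlier attempt would carry the right pattern too.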
Till we have better detection systems, know that you are exposed.
[Virtual U | The University of North Carolina at Chapel Hill]