
Facial fraud

Doing away with a phone (or a card or a chip in your head) and just going with biometrics is a different issue. Biometric identification is a much harder problem and is fraught with difficulties. It can work very well with limited populations, which is why it is being installed in airports all over the place. I rather like the system going into Chinese airports where, when you walk up to one of the screens displaying flight information, it switches to displaying your flight only. Very helpful.

And earlier this year at KnowID in Las Vegas I saw a super presentation from US Customs and Border Control talking about the specific use of biometrics in airports as an interesting example of how to use biometric technologies for security while at the same time delivering convenience to the mass market. The investments made in biometrics to allow paperless travel have obvious benefits in terms of security but, as we have found in our other work about the cross-sector exploitation of digital identity, intelligent use of these new capabilities can also transform the customer experience. The same biometric system that scans your passport picture on entry to the airport and then checks you in for your flight can also be used to direct you through the airport and to implement smart departure boards that, as you approach them, switch from displaying a list of all flights to displaying your flight only.

You can imagine this kind of system being extended to retailers and banks. Having been to the AmazonGo

When I go to the airport, however, I want to be identified. I’m already a member of a subgroup of the general population (i.e., people who are flying from that airport on that day) and I want to co-operate in being identified to make my journey more convenient. It’s a different matter when you are dealing with the population as a whole, not a self-selected subgroup, including people who don’t want to be identified. The Metropolitan Police have revealed that their facial recognition technology incorrectly identified members of the public in 96% of matches made between 2016 and 2018. So, rounding off, in practical terms all of the matches were incorrect.

Hhhmmmm…..
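Why the population matters, as an added worked example that is not part of the original post: the same matcher gives almost entirely correct alerts at a cooperative checkpoint and almost entirely false ones in an open crowd. The function names, the hit rate, the false-match rate and both scenarios are assumptions constructed for illustration; they are not the Metropolitan Police's figures, and the model ignores mix-ups between two enrolled people.

```python
import random

def false_alert_share(prevalence, hit_rate, false_match_rate):
    """Closed form: fraction of all alerts that point at the wrong person."""
    true_alerts = prevalence * hit_rate
    false_alerts = (1.0 - prevalence) * false_match_rate
    return false_alerts / (true_alerts + false_alerts)

def simulate(crowd, prevalence, hit_rate, false_match_rate, seed=1):
    """Scan `crowd` faces one by one and return (true_alerts, false_alerts)."""
    rng = random.Random(seed)
    true_alerts = false_alerts = 0
    for _ in range(crowd):
        if rng.random() < prevalence:            # person really is in the gallery
            true_alerts += rng.random() < hit_rate
        else:                                    # person is a stranger to the system
            false_alerts += rng.random() < false_match_rate
    return true_alerts, false_alerts

# Constructed scenarios: identical matcher, different populations (assumed values).
SCENARIOS = {
    # Nearly everyone at the gate is an enrolled passenger who wants to be matched.
    "airport gate": dict(prevalence=0.99, hit_rate=0.98, false_match_rate=0.001),
    # On the street, 5 people in 100,000 are on the watchlist.
    "street watchlist": dict(prevalence=0.00005, hit_rate=0.98, false_match_rate=0.001),
}

if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        hits, misses = simulate(1_000_000, **params)
        print(f"{name}: {hits} correct alerts, {misses} false alerts, "
              f"expected false share {false_alert_share(**params):.4%}")
```

With these assumed numbers a matcher that is wrong about a stranger only once in a thousand scans still produces a street-level alert stream that is overwhelmingly false, because strangers outnumber watchlist members so heavily.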

One particularly interesting aspect of biometric identification is its amusing susceptibility to what is known as “adversarial” biometrics. If you know how a face recognition algorithm works, for example, then you can deliberately choose to wear make-up or some disguise that exploits the characteristics of that algorithm. In fact, as it turns out, it is all too easy to do this and to do it in such a way as to give the recognition algorithms high confidence that they have correctly identified something. When it comes to picture recognition, the results can be hilarious (and disturbing). MIT researchers found that Google’s AI-powered open source “Inception” picture classifier can be easily fooled. Take a picture of a cat, add some “noise” that is imperceptible to people and the computer thinks it is looking at guacamole (this is a real example). There are techniques, such as Adversarial Generative Networks (AGNs), that can automatically create images to fool the recognition algorithms!
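Why "imperceptible" noise can be enough, as an added example that is not part of the original post: for a linear scorer, the smallest per-pixel change that can cross the decision boundary is the score margin divided by the sum of the absolute weights, and that budget shrinks as the number of pixels grows. The toy model, its random weights, the constructed "images" and all function names are assumptions; this is not Inception or any real face matcher, and pixel clipping to [0, 1] is ignored.

```python
import random

def score(w, b, x):
    """Toy linear classifier: positive score means 'cat', otherwise 'guacamole'."""
    return sum(wi * xi for wi, xi in zip(w, x)) + b

def flip_budget(w, b, x):
    """Smallest per-pixel change (L-infinity norm) able to cross the boundary."""
    return abs(score(w, b, x)) / sum(abs(wi) for wi in w)

def worst_case(w, b, x, eps):
    """Robustness probe: shift every pixel by at most eps against the current label."""
    toward = -1.0 if score(w, b, x) > 0 else 1.0
    return [xi + toward * eps * ((wi > 0) - (wi < 0)) for wi, xi in zip(w, x)]

def mean_flip_budget(n_pixels, trials=200, seed=7):
    """Average flip budget over constructed random images with n_pixels pixels."""
    rng = random.Random(seed)
    w = [rng.gauss(0.0, 1.0) for _ in range(n_pixels)]  # assumed weights, not a trained model
    b = -0.5 * sum(w)                                    # puts the boundary at mid-grey
    total = 0.0
    for _ in range(trials):
        x = [rng.random() for _ in range(n_pixels)]      # constructed pixel values in [0, 1]
        total += flip_budget(w, b, x)
    return total / trials

if __name__ == "__main__":
    for n in (64, 4096):
        print(f"{n} pixels: mean per-pixel change needed to flip the label = "
              f"{mean_flip_budget(n):.4f}")
```

A defender can use `flip_budget` the other way round: it is the margin a linear model guarantees, so any input whose budget falls below the sensor's noise floor is one the model cannot classify reliably.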

 

Master criminals may not need to resort to such sophisticated algorithmic skullduggery to get away with 

 


Despite all the trouble of updating her ID and registering her new face on all the online platforms she used, Huan said she was very happy with her new nose.

Facial recognition technology in China beaten by a nose job | South China Morning Post:

 

