Do you remember the scene in ‘Ocean’s Eleven’ where Danny Ocean’s team cleverly tricks the casino’s security system? They injected a pre-recorded video feed of an undisturbed vault, leading Terry Benedict and his security team to believe that nothing was amiss, even as the heist was in full swing. This cinematic moment showcases the power and potential danger of video injection attacks. In the real world, detecting such breaches in surveillance and data systems is paramount. In this article, we will delve into the methods and technologies behind video injection detection, ensuring that life doesn’t imitate art in our most secure spaces.
‘Ocean’s Eleven’ movie: the real vault feed (top) and the pre-recorded video injected into the casino’s security system in its place (bottom).
Understanding video injection attacks
Video injection attacks are a form of cyber assault where unauthorized video content is inserted into a surveillance or data stream. This can mislead viewers, mask illegal activities, or compromise the integrity of a system. In the context of KYC (Know Your Customer) systems, which are pivotal in the financial industry for identity verification, such attacks pose a significant threat.
What are video injection attacks?
A video injection attack involves inserting fraudulent data streams between the capture device (the sensor) and the biometric feature extractor during identity verification. This is particularly relevant in KYC systems where biometric data, such as video frames of a person’s face, is compared against an identity document. The goal is to establish a fraudulent identity by manipulating the video feed.
Growing threat of video injection attacks
This evolving threat landscape has ushered in an era of sophisticated digital attacks. Video injection attacks have become notably more prevalent, being five times more common than traditional presentation attacks such as presenting a mask to the camera. The increase in these attacks, especially through the use of synthetic imagery, is attributed to the ease of automation and the widespread availability of malware tools. Mobile platforms, in particular, have seen a substantial 149% rise in such attacks.
Deepfake technology, previously a topic of debate, is now a prevalent tool in cybersecurity attacks. Attackers are creating highly realistic 3D videos to trick systems into authenticating false identities. Notably, the rise of real-time face swap attacks in 2022, increasing by 295% in just half a year, poses a significant challenge to both active and passive verification systems.
Methods employed in video injection attacks
Below is a list of video injection vectors fraudsters use to spoof facial recognition in remote onboarding and KYC systems, where a user relies on a regular smartphone or laptop/PC to open a banking account, for instance.
- Virtual Cameras: These are widely used for fraud, with apps like ManyCam streaming prerecorded or deepfake videos to appear as if from a real camera. Fraudsters often rename these virtual cameras to mimic physical ones and may manipulate web browser functions to favor their use.
- Hardware Video Sticks: These devices, which connect via USB, don’t use optics but capture digital video streams, such as from another device’s screen. They’re recognized by operating systems as standard USB cameras.
- JavaScript Injection: For web-based KYC, malicious JavaScript code injected into a browser can alter or substitute the video feed, tricking the verification process with fake or prerecorded content.
- Smartphone Emulators: Used mainly in mobile app development, emulators can replicate a real smartphone’s functionality. Attackers use them to run apps and fake video streams, bypassing security checks meant for actual devices.
- Intercepting Network Traffic: By accessing and altering video data during transmission, attackers can replace legitimate video feeds with fake ones. This is particularly risky on public or insecure networks, where encryption might not be standard.
It should be noted that this is not an exhaustive list of injection attacks. More complex and sophisticated techniques exist, such as hardware injection, which require advanced skills and are less commonly seen in practice.
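Two of the vectors above (virtual cameras, possibly renamed, and JavaScript that replaces the browser's capture functions) can be probed from the page itself before capture starts. The following is an added example, not code from the article: plain functions over the data a browser would return from navigator.mediaDevices.enumerateDevices() and the navigator.mediaDevices object, so they can be exercised with constructed input. ManyCam is the one marker the article names; the other label fragments and the sample device list are assumptions.

```javascript
// Added example, not code from the article: browser-side checks a KYC page could
// run before starting capture. Inputs are passed in as data so the functions run
// anywhere; in a browser they would come from enumerateDevices() and mediaDevices.

// Label fragments associated with virtual cameras. ManyCam is named in the article;
// the rest of the list is an assumption and would be maintained from field data.
const VIRTUAL_CAMERA_MARKERS = ["manycam", "virtual", "obs"];

function isSuspiciousLabel(label) {
  const l = (label || "").toLowerCase();
  return VIRTUAL_CAMERA_MARKERS.some((m) => l.includes(m));
}

// devices: array of {kind, label, deviceId}. Labels are empty strings until the
// user grants camera permission, so "unknown" is a normal outcome, not an error.
function classifyVideoInputs(devices) {
  return devices
    .filter((d) => d.kind === "videoinput")
    .map((d) => ({
      deviceId: d.deviceId,
      label: d.label,
      verdict:
        d.label === "" ? "unknown" : isSuspiciousLabel(d.label) ? "suspicious" : "unremarkable",
    }));
}

// A genuine browser API stringifies to "function getUserMedia() { [native code] }";
// a function installed by injected page script stringifies to its JavaScript source.
function looksNative(fnSource) {
  return /\{\s*\[native code\]\s*\}\s*$/.test(fnSource);
}

function checkCaptureApiIntegrity(mediaDevices) {
  const fn = mediaDevices && mediaDevices.getUserMedia;
  if (typeof fn !== "function") return { ok: false, reason: "getUserMedia missing" };
  // Use the prototype's toString directly so a patched fn.toString is not consulted.
  const native = looksNative(Function.prototype.toString.call(fn));
  return native
    ? { ok: true, reason: "getUserMedia is native" }
    : { ok: false, reason: "getUserMedia was replaced by page script" };
}

// Constructed sample: a physical camera, a virtual camera under its default name,
// a microphone (ignored), a camera whose label is hidden until permission is granted,
// and a virtual camera renamed to look like hardware, which this check cannot catch.
const SAMPLE_DEVICES = [
  { kind: "videoinput", deviceId: "a1", label: "Integrated Webcam" },
  { kind: "videoinput", deviceId: "b2", label: "ManyCam Virtual Webcam" },
  { kind: "audioinput", deviceId: "c3", label: "Microphone" },
  { kind: "videoinput", deviceId: "d4", label: "" },
  { kind: "videoinput", deviceId: "e5", label: "FaceTime HD Camera" }, // renamed virtual cam
];
```

The last sample device is the point of the exercise: a renamed virtual camera is classified "unremarkable", and an attacker who controls the page can also patch Function.prototype.toString so the native check passes. These results are therefore signals to feed into a risk score, not proof of a physical camera, which is exactly the limitation the article goes on to describe.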
The inadequacy of current approaches in remote onboarding and KYC
While KYC systems are proficient in detecting standard presentation attacks, as guided by well-established standards like ISO/IEC 30107 and certified by organizations such as iBeta Quality Assurance Lab, they are increasingly challenged by the emerging threat of video injection attacks. These sophisticated attacks are not fully addressed by the current standards, revealing specific vulnerabilities in KYC systems:
- Standard Recognition Protocols: Commonly, KYC systems identify cameras using device names or identifiers from the operating system. However, they often cannot differentiate between a real physical camera and a skillfully configured virtual one.
- Lack of Physical Hardware Verification: Regular practices in KYC development focus on securing data transmission and encrypting communications. Yet, these measures generally do not include verifying the physical authenticity of the hardware. Consequently, a system can be misled by a virtual camera that convincingly emulates a real one.
- Inadequate Anomaly Detection: Most KYC systems are adept at spotting irregularities in user behavior or data transmission but fall short in verifying the source of the video feed. This gap allows virtual cameras to go unnoticed.
- Encryption and Obfuscation Limitations: While encryption effectively secures data during its transfer, it does not authenticate the data’s origin. Similarly, JavaScript obfuscation protects web-based KYC systems from code tampering but fails to prevent manipulation of the video feed prior to its arrival in the browser.
- Deepfake and Synthetic Video Challenges: The advancement of deepfake technology further complicates this landscape. The high fidelity of modern synthetic videos poses a challenge in distinguishing them from authentic feeds, even for systems that can detect anomalies in video content.
Adherence to the ISO 27000 family standards does not necessarily mitigate the risks posed by video injection attacks. For instance, ISO/IEC 27001:2013, while establishing a robust Information Security Management System (ISMS), typically lacks guidelines for verifying camera authenticity. Consequently, a KYC system compliant with this standard might still be susceptible to attacks using virtual cameras. Furthermore, the ISO/IEC 27002:2013 standard, which outlines information security controls, mainly addresses data protection and integrity, not the validation of the video feed’s source.
The way forward: enhancing video injection attack mitigation
To strengthen defenses against sophisticated threats like video injection attacks, including deepfakes in KYC systems, specific and advanced strategies are essential:
- Implement Comprehensive Detection: Utilize technologies that combine presentation attack detection with injection attack detection. Such combined detection covers a range of attack content, including deepfakes and face morphs.
- Target Delivery Channels: Focus on shutting down channels like virtual cameras in desktop browsers and hardware attacks that fraudsters use to deliver deepfakes and other fraudulent content.
- Adopt User-Friendly Security: Implement security measures that do not require user interaction and do not add friction to the user experience.
- Utilize AI for Detection: Leverage deep learning algorithms for AI-powered detection, which can identify complex attack patterns that are challenging for humans to detect.
In conclusion, there’s a hopeful anticipation that the security landscape for KYC systems will evolve with the development or enhancement of specific standards targeting video injection attacks. The establishment of dedicated certifications and evaluation laboratories is an e
Article: Video injection attacks: What is that and the way forward?