Camera integrity certification for facial biometrics and physical documents attestation #13

@Guar1s

Description

We are Allowme, a business unit of Tempest Security Intelligence, a cybersecurity company from Brazil, Latam, with more than 22 years in operation. Allowme's mission is to help companies protect the digital identities of their legitimate customers through a complete fraud prevention platform.

Through our Security by Design culture, AllowMe has become the most trusted platform on the market, protecting valuable data and the reputation of innovative businesses.

We facilitate faster and more accurate decision making, optimizing flows to scale business sustainably.

Threat Context
Security mechanisms are needed for the attestation and protection of digital identities. To achieve that, many authentication factors are used, including biometric facial authentication, which is becoming more common.

One of the main attack paths that compromises facial validation is the use of external mechanisms to inject third-party photos and videos impersonating someone else (instead of using the native camera), known as face spoofing attacks.

An engaged attacker could easily collect the target's social media photos and use them to open accounts on digital banks on behalf of these targets in LATAM, without the consent or authorization of the owners. During Know Your Client (KYC) processes for financial services, many documents are usually requested, making document picture upload a mandatory feature, which has become a possible pathway for Identity Falsification Attacks or Fake Account Creation.

Proposal
To have a safe and reliable way to know whether the photo of the face or of a physical document was taken from a physical native camera (or not). In other words, the proposal is to have a way to attest the underlying method used to collect that data (the picture) in order to avoid spoofing.

Privacy implications and safeguards
No PII is used for origin identification of the picture.

Safeguard #1
The API could return only a single bit indicating whether the image was captured through the native physical hardware or not.
