October 27, 2022

What is a presentation attack and how does it impact ID verification?

Ravi Dehar

A presentation attack occurs when a bad actor, or fraud perpetrator, uses someone else’s physical characteristics or biometric data, commonly known as “spoofs,” to impersonate someone else. Biometric verification is a method to combat spoofs— it compares a person's physical characteristics to verify their identity.

This type of fraud can take different forms known as presentation attack instruments. The most common presentation attack instruments fraudsters leverage? Fake fingerprints or printed photos. 

As more of our lives shift online and as identity thieves grow more sophisticated, the risk of presentation attacks grows. Fraudsters may use this data to commit all kinds of theft. They may sign up for a mobile banking app or a line of credit online in an attempt to steal money from either a platform or an individual. 

How can you mitigate the risk of presentation attacks? 

When it comes to presentation attacks, you need robust protection. Verifying identities can include three different types of identity information from a customer: data source, documents, and liveness. 

  • Data source: a verification solution should check a customer’s identity across authoritative data sources such as financial institutions and banks, credit bureaus, or phone records that are governed by regulatory rules.

  • Documents: A wide variety of identity documents can be used for verification. You’ll need a solution that can confirm the authenticity of a customer’s government-issued documents. For example, a robust solution will make sure a document is not just a printout or a digitally edited document. 

  • Liveness: In addition to verifying the authenticity of someone’s identity documents, you can help mitigate the risk of presentation attacks through facial mapping technology. Facial mapping can verify that the person’s ID document photo matches the face they present during their liveness verification. Plaid Identity Verification uses advanced image processing and machine learning to combat fraud. Our solution can detect pixel changes, deep fakes, masks, and more to catch fraudsters using photographs and spoofs. 

When you use all three verification methods in concert, you can be more sure that new users are who they say they are: the user has provided legitimate identity data, possesses legitimate identity documents that match their provided identity data and has confirmed that they are a real, live person providing this information in real-time.

How does Plaid’s Identity Verification compare to other ID verification providers when handling presentation attacks? 

Identity Verification starts with data source verification, which: 

  • Matches user-entered details, like their address and government ID number,  against authoritative sources. 

  • Simultaneously, assess device behavior and how users enter their PII to assess familiarity and detect risky behavior typical of fraudsters and bots. 

  • Uniquely, Identity Verification also uses some of this data to confirm an online footprint, like email and social media accounts. 

Identity Verification then takes a photo of a government-issued ID document, like a passport or driver’s  license, and: 

  • Confirms the authenticity of the document using advanced machine learning to ensure it isn’t just a printout. 

  • Ensures the information on the document matches the data on that document to the data entered in the data source verification step using sophisticated OCR. 

And, finally, Identity Verification requests a liveness check in the form of very short videos, like a GIF. This: 

  • Uses complex machine learning algorithms to ensure that the person is real and not a person holding up someone else’s photo to their face. 

  • Uses face-matching algorithms to ensure the person matches the face on their government-issued ID document. 

Unlike other ID verification providers, Plaid Identity Verification prevents presentation attacks by asking users to record short videos, rather than simply uploading a photo. Users with slow or unreliable internet connections may fall back to a photo, but Plaid Identity Verification applies the same advanced algorithms to ensure the photos represent a real, live person, by looking at lighting, pixel changes, depth, and more. 

It’s worth noting that ID verification is just one area where the threat of presentation attacks exists—any biometric scanners, like building access controls, biometric employee time clocks, and others are at risk for presentation attacks. That said, they have different requirements, and as a result, the solution may be different. 

Ultimately, Identity Verification uses best-in-class fraud detection combined with a  conversion-optimized funnel to reduce risk and improve new user sign-up rates relative to other solutions. 

Active vs. Passive Presentation Attack Detection (PAD)

Balancing security with user convenience requires some trade-offs, but Identity Verification is optimized for a secure, convenient online identity verification process. 

Active Presentation Attack Detection (PAD) 

Active PAD requires users to perform actions to confirm their liveness, identity, and authenticity. For example, Plaid Identity Verification requires users to take several very short actions, such as looking left or smiling at their phone camera, to prevent a presentation attack. This method works well because new users can complete their identity verification entirely online, from their homes, in just a few minutes.  

Passive Presentation Attack Detection (PAD)

Passive PAD relies on specialized equipment, rather than a series of actions, to confirm someone’s identity and liveness. Specialized cameras, for example, look at lighting, depth sensing, infrared, and other characteristics to confirm someone’s authentic identity. 

Passive PAD is most useful in situations where absolute speed is critical, like building access.  However, because it requires specialized hardware far beyond a standard phone or laptop camera, a passive PAD is often not a good solution to online identity verifications.  

What are the risks of a presentation attack? 

How easy are presentation attacks to perpetrate? The threat of a presentation attack can range in severity, usually based on both the ease of committing fraud and the value of the target. But apps using ID verification solutions also need to balance the need for fraud protection against the need for usability among their customers. 

Plaid designed Identity Verification to balance those needs, in part by relying on artificial intelligence to handle presentation attack detection behind the scenes. Applications connected to users’ bank or credit card accounts must have fraud protection, especially when it does not add any burden to the new user sign-up funnel. 

Robust protection with your customer in mind

The risk of sophisticated presentation attacks has been growing as more people complete identity verifications online from their mobile devices. Because mobile cameras aren’t yet sophisticated enough to handle passive presentation attack detection natively, and because requiring in-person identity verification can be onerous – sophisticated, active presentation attack detection is the best option for accurately verifying identities online. 

Coupled with documentary and data source verifications – where people must also possess their physical ID documents, with a face that matches their liveness verification – Identity  Verification provides robust protection against presentation attacks, all without sacrificing user experience.

Ready to combat presentation attacks?