Facial recognition technology used to secure airports and process payments has been fooled by photographs and 3D masks.
Researchers at Kneron were able to access a self-boarding terminal at Amsterdam’s Schiphol Airport by tricking the sensor with a photo on a phone screen. Using the same technique, the researchers managed to gain access to pay fares and board trains at several railway stations in China.
In stores in Asia, where use of facial recognition technology is widespread, the Kneron team were able to trick payment systems AliPay and WeChat into allowing purchases to be made. All it took to assume someone’s identity and make payments as them, was the donning of a high-quality 3D mask.
The elaborate masks were obtained from expert mask-makers in Japan and are not commonly available, but the experiment still raises concerns over the reliability of this increasingly popular technology in preventing fraud.
Kneron’s CEO Albert Liu said that solutions are available to fix the weaknesses in facial recognition technology that his company’s tests were able to exploit, but companies are unwilling to pay for them.
“This shows the threat to the privacy of users with sub-par facial recognition that is masquerading as “AI”.” said Liu, “The technology is available to fix these issues, but firms have not upgraded it. They are taking shortcuts at the expense of security.”
Schiphol Airport, We Chat, and AliPay did not respond to Fortune’s requests for comment about the effectiveness of their facial recognition technology.
Even with the cleverly wrought 3D masks, Kneron’s researchers weren’t able to fool all the facial recognition systems they tested and had to admit defeat against the tech used by Apple’s iPhone X.
Kneron conducted their face-based experiments as part of the research and development process for a new type of facial recognition technology which they are creating. With the financial backing of high-profile investors including Qualcomm and Sequoia Capital, Kneron is developing a product called Edge AI which will not rely on cloud-based services to function.
Source: Infosecurity Magazine