Monday, April 29, 2024

PERSPECTIVE: The Future of Biometric Border Control and Cyber Threat Challenges

Beyond deep fakes and other more rudimentary presentation attacks where identities are spoofed using masks or other presentation techniques, another type of attack is gaining ground: digital injection.

The future of border control is already upon us. Driven by AI and machine learning, cloud and edge infrastructure, biometric technology is transforming airports, ports, land gateways, and other crossing points.

And while its potential to enhance border security and modernize the sector cannot be denied, the complexities of border security and its challenges should not be underestimated. U.S. Customs and Border Protection (CBP) has reported more than 2 million enforcement actions so far for the fiscal year.

From data privacy issues to potential biases and the ever-evolving cybercriminal landscape, seamless automated biometrics systems already in place at hundreds of airports and borders demand an urgent evaluation.

Understanding Borders and Challenges

Theoretically, the new biometric gates border authorities use appear to be a flawless win-win design. However, the challenges of implementing these technologies are as monumental as the size of our borders.

In the U.S., for example, the largest federal law enforcement agency is CBP – a fact that speaks to the dimensions of the problem at hand. Charged with securing the nation’s borders and facilitating international travel and trade, the federal agency is responsible for more than 300 ports of entry, screening millions of foreign visitors and American citizens every year, and monitoring cargo.

Like the European Union and Middle East region, and countries such as the UK, Australia, New Zealand, Japan, South Korea, and others, CBP has deployed seamless biometric automated border control technologies under trusted traveler programs (TTP). But these are just the beginning of a modernization journey, and security, technical and ethical challenges are abundant.

The Cyber Threat Landscape of Border Security

As borders around the world go digital, bad actors inevitably turn to cybercriminal techniques to bypass, breach, hack, or cause havoc. iProov, a company recently selected by the U.S. Department of Homeland Security to expand CBP’s automation capabilities in border crossings, recently released its 2023 Biometric Threat Intelligence Report. The report shows a 149 percent increase in emulator attacks on mobile platforms with malicious devices pretending to be legitimate devices.

Additionally, iProov reveals a 295 percent yearly increase in biometric attacks that use novel face swaps. Using this technique, attackers generate synthetic images with AI, either replacing the face of the victim with a video of them to bypass liveness checks or with the face of the attacker themselves.

But beyond deep fakes and other more rudimentary presentation attacks where identities are spoofed using masks or other presentation techniques, another type of attack is gaining ground: digital injection.

Digital Injection Attacks: When Traditional Methods of Biometrics Security Fail

Biometric injection attacks add sophisticated layers to attacks, making them extremely dangerous. Multimodal authentication, the industry’s silver bullet for biometric security, is rendered obsolete and no longer effective. Entire systems that verify users by combining passport or ID data with face recognition, fingerprint ID, liveness checks, or iris scans are being challenged. In addition, creating synthetic identities with morphed photographs able to spoof biometrics is a form of attack also taking hold.

Injection attacks work by directly “injecting-data transfers”. Attackers use AI to generate fake synthetic IDs, photos, deep fake liveness checks, videos, and even synthetic fingerprints. These attacks are 100 percent digital and therefore highly scalable.

Confronted with injection attacks, the industry is left with one option: to update their biometric systems. By combining malware detection software, endpoint protection solutions, and network management systems, biometric systems can work as a unit and identify, flag, warn, and shut down suspicious activity.

Simultaneously, AI detection software – capable of recognizing synthetic images, videos, templates, sound, or other maliciously generated content – can add a needed security layer.

Unfortunately, to date, not many biometric systems are equipped with injection attack detection technologies. And unlike presentation attacks, the global community has yet to establish security standards that companies must meet to prevent injection attacks.

Going even further, biometric manufacturers, partners, and third parties must understand that injection attacks are but another step in the ladder of cybercriminal evolution which has no end. New cyber threats will continue to emerge with every update and every new system presented as criminals continually escalate, challenging border security. Therefore, a creative, forward-looking mentality is necessary to keep one step ahead of bad actors.

Those who argue that the technology levels required to breach biometric border security controls are expensive and not widespread should take a closer look at what is happening on the dark web. Controlled by transnational criminal syndicates and nation-state cybercrime, the dark web operates at industrial global levels, generating an underground economy valued at billions of dollars. On the dark web, identities, personal data and ready-to-use malware kits are sold in bulk or auctioned to the highest bidder.

Innovation, Multimodal Biometrics, and Computing Power

Other types of biometrics, such as vein matching, which works by illuminating a certain region of the body with infrared light, or gait analysis – also known as motion analytics, which can recognize the specific walking pattern of a person – are undoubtedly less likely to be breached or spoofed. However, these systems are more expensive, still under development, and not available for mainstream deployment. Especially with gait recognition, the accuracy is still not there, as taking a reliable biometric sample of a gait is more difficult than just taking a selfie or fingerprint.

On the other hand, multimodal biometrics is a readily available technology. These systems can be updated to counter modern threats and be rapidly deployed. Still, these systems must overcome a barrier.

A country using biometric border security with millions of crossings every year faces a significant demand for computing and processing power. Millions of crossings means millions of data transfers moving from the hardware to the edge to the cloud. This can only be achieved by scaling up digital architectures.

New AI algorithms must be developed to run on scaled edge and cloud computing infrastructures. The systems must also have the storage, memory, and processing capabilities needed to process hundreds or thousands of verifications per minute. Luckily, recent developments in specialized chips mean that a large part of biometric identification – face extraction and biometric template creation, for example – can be offloaded to the cameras. The server then only has to do the identification part, and only with a fraction of the data and bandwidth that the video transfer would take.

The resulting system is then very scalable, able to quickly add new cameras without upgrading the server hardware and without losing its accuracy or speed. Moreover, the personal data are more difficult to intercept or spoof en route to the server, making the systems more secure.

Ethics, Transparency, Best Practices, and Infrastructures of the Future

While there are legal exceptions for border security authorities on handling personal data, compliance, governance, and ethics still play an important role in the sector. Additionally, for biometrics gateways to be efficient and properly perform, they require the user’s trust. Applying best standards is therefore the only way forward.

Biometric providers must ensure transparency, so that the government agency and its users fully understand the technology. Furthermore, a full disclosure of how the biometric data is secured, generated, stored, processed, managed, and transferred must be made available.

Biometric technology manufacturers must also apply the highest levels of accuracy and ensure governance, while promoting non-discrimination and equality. And while the user’s consent in biometric border security is different than in other sectors, users’ rights in border security must always be respected.

While there are new threats emerging – like the video injections or synthetic identities with morphed data mentioned above – the responses are also quick due to the healthy competition in the biometric market. It’s very similar to the virus and malware protection industry: as soon as a new threat is detected, the remedy emerges quickly, because the industry experts are quick to analyze weak points and find a solution.

Furthermore, best practices for biometrics manufacturers must extend to their entire supply chain. The supply chain must be consolidated and secured, as the weakest link of a chain is nothing but the best low-risk, high-reward opportunity for criminals.

Like any other sector, border security is under rapid digital migration, transformation, and acceleration. While seamless border crossings will undoubtedly become the norm, sophisticated cyber attacks will continue to rise. In our modern technological era, under a constant state of flux, only flexibility, innovation, and best practices endure disruption. The border security sector must deploy an infrastructure that meets eye-to-eye the challenges of today and of tomorrow.

The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email editor @ hstoday.us.

Jan Lunter
Jan Lunter is Co-founder and CEO of Innovatrics, which has been developing and providing fingerprint recognition solutions since 2004. Jan is an author of the algorithm for fingerprint analysis and recognition, which regularly ranks among the top in prestigious comparison tests (NIST PFT II, NIST Minex). In recent years he has also been working on image processing and the use of neural networks for face recognition. Jan graduated from the Télécom ParisTech University in France.
