Manipulated photos enable two people to use the same passport – this is how such fraud can be stopped

Passport fraudsters are taking over Europe. Literally. Some make fake passports. Others get a real passport, but have made sure that two people can use it.

Fraudsters use ‘morphing’ techniques to create an artificial facial image. You can do it yourself with free software or one of the many online tools.

Morphing means you take two images – passport photos, in this case – and merge them into a new, third photo. The morphed image is somewhat similar to both of the two originals. The face that appears is a cross between the two real photos.

1000 morphing fraudsters nabbed

When a morphed image is used in a passport, the result is that two people can use the same passport. Both individuals’ faces are similar enough to the morphed passport photo that they can fool both human and electronic border controls.

Facial morphing has become good business for fraudsters. Border inspectors around Europe have to date discovered over 1000 cases of passports with morphed passport photos. No one knows how many have slipped through the controls.

Selling passport and travel packages

NTNU professor Christoph Busch uses Albania and Mali as examples of passport fraud.

Albanian citizens can buy a whole package: they get a Slovenian passport with a morphed photo of the two individuals involved – the Albanian who is going to travel illegally and the Slovenian to whom the passport actually belongs. They can purchase the passport in combination with an itinerary to Canada via Vienna and Warsaw.

“In Mali, many people right now want to flee to Europe. They buy a passport with a morphed photo that belongs to someone around the same age, having the same skin colour and citizenship in a European country. A border inspector and an electronic system could both be deceived,” Busch says.

Noise is the solution

Now researchers can offer a solution. Busch and NTNU are collaborating with other researchers, small and large businesses, and police in Norway and the rest of Europe to develop it.

The solution? Digital noise.

Every digital image contains image noise. Image noise consists of imperfections that cause small errors in the image, such as colour or a blur. To the untrained eye, an error is difficult to detect. Technology, on the other hand, is able to do more than just detect the error; it can recognize whether two images come from the same camera.

“Every camera has its own ‘fingerprint.’ The noise on one camera isn’t the same as the noise on another camera. If a passport photo is taken with one camera, then there’ll only be one noise pattern. If it’s a morphed image, we get a mixture of two such patterns,” says Busch.

Whites of the eyes

Looking at skin texture or the geometry of different facial features are a couple of other ways to detect morphed images.

“If one person has larger whites of the eyes than the other person, then the area around the eyes is shifted slightly. We’re able to analyse that,” he says.

These are just a few examples. The digital morph detection application also has to be able to learn for itself, so that it improves the more it is used.

Into border security

It won’t be long until the technology is put into practical use.

“In addition to the companies involved in the research project, other companies have contacted me directly. One of them is in the process of integrating the tool into the electronic gates (eGates) that are part of border control,” says Busch.

The company name and where the morph detection tool is being used are business secrets for now.

Leader in biometrics

Mobai is one of the companies involved in the research project. Mobai originated in NTNU at Gjøvik.

“The research group at the Norwegian biometrics lab is a world leader in a biometrics niche,” CEO Brage Strand told the trade journal Aktuell Sikkerhet about Mobai two years ago.

Biometrics involves confirming who a person is using biometric characteristics, such as the shape of the face, fingerprints, the iris or the voice.

Mobai has developed a facial recognition system that is specially designed to detect attempts to trick the technology.

related

People are deceived by Internet fraud daily. Police are often unable to help

Change passwords

Knut Ivar Rønning is Chief Operating Officer at the Norwegian Center for Information Security (NorSIS). He characterizes the cyber security environment at NTNU as extremely strong. He and NorSIS are primarily concerned with facial recognition and passwords.

“Passwords are a weak link, so biometrics is a very exciting activity,” says Rønning.

“It’s important to use different passwords for different services and to use complicated passwords. But we probably shouldn’t change passwords too often either, because people then often choose simpler passwords. Using two-step login is also important,” Rønning says.

Write down passwords!

Rønning recognizes the dilemma: Should you have a strong password and change it infrequently, or should you settle for a weaker password that you change more often? Changing passwords frequently also places a burden on the IT department, which has to help you when you forget your new password.

“It’s difficult to keep track of a lot of passwords. When you have different passwords for every service, it's actually better to write them down in a book and hide them in a discreet place in your house. Then anyone who wants to attack you digitally has to first gain access to your house. So this might be the safest way to store passwords,” says Rønning.

References:

Ulrich Scherhag, Christoph Busch et.al.: Face Recognition Systems Under Morphing Attacks: A Survey. IEEE Access, 2019.

Sushma Venkatesh, Christoph Busch et.al.: Face Morphing Attack Generation and Detection: A Comprehensive Survey. IEEE Transactions on Technology and Society, 2021.

Torsten Schlett, Christoph Busch et.al.: Face Image Quality Assessment: A Literature Survey. ACM Computing Surveys, 2022. (Summary)

———

Read the Norwegian version of this article at forskning.no