How Yoti can help combat digital injection attacks

profile picture Matt Prendergast 3 min read
Closeup of fingers typing on laptop keyboard

As use of online verification grows, there inevitably follows increasing temptation for bad actors to develop ways to exploit the process. As a provider of verification services we must show businesses, regulators and governments that we have robust anti-spoofing technology, checks and processes. An emerging but rapidly growing threat for verification services are digital injection attacks.


What are injection attacks?

Injection attacks are a form of attack on remote verification services. Direct attacks are the most common attempt to spoof systems. Examples of direct attacks are:

  • Paper image
  • 2D and 3D masks 
  • Screen image
  • Video imagery

Direct attacks are an attempt to spoof a verification system that a person is real, older, or someone else altogether. Our facematch and liveness technologies use layers of anti-spoofing to determine that the person is real (not a picture or mask, for example) and that they are who they say they are. 

An injection attack is an indirect attack and attempts to bypass liveness detection. It involves injecting an image or video designed to pass authentication, rather than the one captured on the live camera. It is a rapidly emerging threat to digital verification services. Using free software and some limited technical ability, a bad actor is able to overwrite the image or video of the camera with pre-prepared images.


How can Yoti help prevent injection attacks?

We have developed a patent-pending solution that makes injection attacks considerably more difficult for imposters. It is a new way of adding security at the point an image is being taken for a liveness or facematch check. 

There are two parts to this. As well as obfuscating the code, Yoti adds a cryptographic signature key. As such, a potential hacker needs to both reverse engineer the obfuscation and infer or guess the cryptographic signature key.

Yoti frequently changes the obfuscation and the signature key. This means that if the hacker were to reverse engineer the obfuscated code, by the time they have done so, the signature key will have changed, and vice-versa.

There remain ways to spoof this (not that we’d say how) but it significantly adds to the effort, time, skill and cost of spoofing verification checks, moving bad actors on to less secure opportunities. 

If you’d like to learn more about our NIST approved liveness products, please do get in touch.

Related stories

Yoti MyFace Livness White Paper document preview

Yoti MyFace liveness white paper

Learn how Yoti’s liveness solution can help you defeat spoof attacks Liveness is an essential part of any verification or authentication process. It gives you reassurance that you are dealing with a real human. Read our latest white paper on liveness to learn how Yoti’s MyFace liveness solution can help defeat presentation attacks including: Paper image Mask  Screen image Video imagery Deep fake video Injection attacks Bot attacks   Key takeaways from the report Yoti’s MyFace solution is NIST Level 2 approved with 100% attack detection. Why liveness is important for verification and authentication. The difference between active and

2 min read
Woman scanning face with the iBeta ISO 30107-3 compliant MyFace software by Yoti

Yoti achieves iBeta NIST Level 2 for proprietary passive liveness technology, MyFace

MyFace has been awarded iBeta NIST Level 2 with 100% attack detection rate Yoti’s passive liveness technology can be used to strengthen age checks, prevent account takeover and protect against identity fraud MyFace white paper outlines performance and bias 2nd March 2023, London, UK – Digital identity company Yoti has announced its proprietary passive liveness technology, MyFace, is now compliant with iBeta ISO PAD Level 2. The technology achieved a 100% attack detection rate. MyFace verifies that a user is a real person, and not a presentation attack such as a printed or digital photo, video or mask –

5 min read
Man working at laptop in office setting

NIST approval explained

Many companies in the identity space talk of NIST certification. What does this mean for you as a user of identity services and what does it mean for your customers?   Who is NIST? NIST is the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce. NIST’s remit is to create and certify measures, standards and technology to enhance trade and productivity. Formed in 1901, their remit is to provide standards and certification for businesses. At first this included clocks and thermometers, all kinds of ‘weights and measures’.  But over time

3 min read