Bypassing Face Verification Systems

Using GANs to create verified “catfish” profiles on Tinder and Bumble.

Verified profile on Tinder

Many of you may have paused mid-swipe wondering if the person you’re about to swipe right on is even a real person. Sure, if the profile is run by a bot it should fail verification, but can AI bypass this, successfully catfishing you on Tinder? Continue reading as we introduce the concept behind verification bypass and demonstrate how to create example images of various skin tones, hair types, and historically “masculine” or “feminine” facial features that successfully pass verification on Tinder and Bumble.

Face Verification Systems 101

Face verification techniques are used to check whether two faces belong to the same individual based on some distance metric (representing how different the faces are). In practice, this may be done using FaceNet to convert faces to embedding feature vectors which can then be compared. Faces of the same individual should have similar feature vectors (minimum distance in the feature vector latent space).

Face verification techniques are used in a number of prominent apps to ensure user authenticity. As we have seen previously, dating apps like Bumble and Tinder, for example, employ photo verification to confirm that a user on the platform is who they say they are. This works by requesting the user to take a picture using the in-app camera which is then compared to the user’s profile images.

Brainstorming the Attack

This motivates the question of whether it is possible to generate a face image A such that A is qualitatively different from another face image B, but with similar feature vectors such that it can pass verification.

Similar to perturbations in adversarial attacks, we can either perturb the feature vector slightly or perturb the actual image to generate a new but similar embedding. However, since feature vectors are highly dependent on the overall training data, reversing the embedding to the original face image is a hard problem. Additionally, small perturbations to the original face image do not always result in a qualitatively distinct new image. A potential solution to this problem is to perform guided synthesis in the latent space, however, this also does not guarantee diverse generation.

Generative Adversarial Networks — StarGAN

Essentially our goal is to generate diverse images in the target user’s latent space. We can achieve this objective by employing StarGAN v2, an image-to-image translation model that guarantees the diversity of generated images. Additionally, this model leverages reference images as style codes for source image translation almost as a naive guided synthesis method.

Custom Face Verification System

When experimenting with real-world applications, we only get one try per account to make the attack succeed. So, to maximize the probability of success, we first create a proof-of-concept face verification model based on a generic implementation of FaceNet and DeepFace that uses a pre-trained ConvNet Inception model to encode each input image into a 128-dimensional embedding vector.

The system relies on a database built on face images from the training subset of FairFace. To compare the feature vectors of two images, the distance induced by the Frobenius norm of an image is calculated against the intended user in the database. If the distance between any two feature vectors is less than the threshold (we use a threshold of 0.7), the corresponding images are assumed to be of the same person, and the verification passes; otherwise, the verification fails.

Experiment Results

To simulate guided generation, we experimented with varying reference images that differed in hair features, skin tone, and overall facial features.

Except for the last image, all of the pictures successfully pass verification in the custom model.

Gender Reversal

Now that we’ve successfully passed verification with “female” images, we can move on to generating more “masculine” images that still have similar feature vectors. We do this using multi-domain (female and male) image-to-image translation via male reference images in the StarGAN model. It is interesting to see that the middle image passes verification in the custom model while the other two images pass depending on the angle and lighting.

(Left) (Middle) (Right)

Future experiments could also involve guided image generation based on age.

Dating Apps

Even though face verification systems in the wild are completely black box, we presumed similar bypassing techniques would work. We tested our generated images on Bumble and Tinder’s face verification systems and were successfully able to pass verification. Verifying the switched gender images on Bumble took two attempts with changed lighting conditions. Fortunately for Tinder users, but unfortunately for us, Tinder’s face verification system rejected the switched gender photographs.

Verified profiles on Bumble

Conclusion

In this post, we show a brief summary of the methods and results from Face Verification Bypass and demonstrate that it is possible to generate images that have similar feature vectors which can be used to bypass face verification systems. For more details, please refer to the paper and the codebase.