Executive Summary

BixeLab conducted an independent assessment of NAB’s end-to-end remote identity verification system, supplied by Daon. The evaluation covered:

  • Presentation Attack Detection (PAD)
  • Document Authenticity Detection (DAD)
  • Injection Attack Resistance
  • Biometric Impostor Resilience

Key Positive Outcomes

  • ✅ Injection Attack Detection: All biometric injection attacks using a virtual camera were successfully blocked during the liveness check.
  • ✅ Biometric Impostor Testing: 20 out of 21 biometric impostor attempts were denied.
  • 🚧 1 case is currently under investigation.
  • ✅ Bona Fide User Performance: 83% success rate (148 out of 178 participants were successfully verified).
  • ✅ Remote PAD Performance: BPCER: 1.1%, demonstrating strong resistance to fraudulent face presentations.

Identified Issues & Risks

Presentation Attack Vulnerabilities

⚠ APCER: 1.6%

  • 9/560 presentation attacks bypassed PAD
  • 4 Level A (printed selfie)
  • 5 Level C (live face morph)

Document Authenticity Weaknesses

⚠ 6.2% false acceptance rate (51/825 fraudulent document attempts).
⚠ Expired documents DFAR: 14.7% (elevated risk).
⚠ Glossy-paper copies & altered cards bypassing checks.

False Rejects for Genuine Documents

⚠ DFRR: 26.7% (lab), 11.2% (remote with retries).
⚠ High rejection rates impacting user experience.

System Errors Impacting User Experience

  • 30/193 remote testers encountered document-related system errors.
  • 2 participants faced face-related errors.
  • 10 results excluded due to watchlist mismatches/conflicting logs.

Limited Biometric Impostor Testing

  • Initial results suggest no major vulnerabilities.
  • Recommendation: Conduct large-scale ‘cross-match’ testing.
  • Ensure robustness across diverse demographic groups.

Recommendations & Next Steps

1. Enhance Document Authenticity Detection

📌 Improve detection for glossy paper copies & altered physical cards.
📌 Strengthen expired document detection (reduce 14.7% DFAR).

2. Expand Biometric Impostor Testing

📌 Conduct large-scale cross-match testing for enhanced security.

3. Establish Continuous Performance Monitoring

📌 Implement annual & upgrade-triggered re-testing.
📌 Track in-service performance vs. test results.

4. Develop a Permanent Test Environment

📌 NAB should establish a dedicated testing environment.

5. Improve Output Transparency

📌 Develop a clear understanding of system outputs & risk interactions.

Conclusion

BixeLab commends NAB’s proactive approach in commissioning this evaluation.
By addressing identified gaps, NAB can:

✔ Strengthen identity verification security.
✔ Improve user experience for genuine customers.
✔ Stay ahead of evolving threats.
