7 Signs of a Presentation Attack Fraud Teams Miss
A research view of the spoofing artifacts behind presentation attack detection, from printed photos to mask and replay attacks, and the signals teams overlook.
Fraud teams reviewing failed identity sessions tend to look for the obvious: a blurry image, a mismatched document, a velocity spike from one IP address. The harder problem sits one layer beneath that, in the physics of how a fake face reaches a camera. A printed photo, a silicone mask, and a phone held up to a webcam each leave a distinct fingerprint, and presentation attack detection is the discipline of reading those fingerprints before a fraudulent session clears the gate. The signals are subtle, frequently invisible to a human reviewer, and routinely missed by systems tuned only for face matching rather than for the liveness of the subject in front of the lens.
The international standard for biometric spoof testing, ISO/IEC 30107-3:2023, classifies presentation attacks into three escalating levels of sophistication, from basic printed photos at Level 1 to custom silicone masks and deepfakes at Level 3, and measures defenses using the Attack Presentation Classification Error Rate (APCER).
What presentation attack detection actually looks for
Presentation attack detection is the automated process of separating a bona fide presentation, a real human in front of the sensor, from an artifact built to impersonate one. Researchers Christoph Busch and colleagues, who contributed to the ISO/IEC 30107 series, frame the problem around a presentation attack instrument: the physical or digital object a fraudster substitutes for a live face. The instrument leaves traces because no reproduction of a human face is perfect. Paper has a texture. Screens emit light in patterns. Masks hold heat and reflect light differently from living skin. The seven signs below are the artifacts that detection systems are built to surface, and the ones manual review most often misses.
A useful starting point is to map each common attack class to the trace it leaves and the layer of defense that catches it.
| Attack type | Spoofing attack sign | Primary trace | ISO 30107-3 level |
|---|---|---|---|
| Printed photo | Flat texture, no depth | Paper grain, missing 3D geometry | Level 1 |
| Screen replay | Moire interference | Pixel grid beat pattern | Level 1-2 |
| Cut-out photo mask | Edge discontinuity | Boundary seams, eye holes | Level 1 |
| Video replay | Missing physiological signal | No blood-flow color shift | Level 2 |
| 3D paper or resin mask | Uniform reflectance | Specular highlights, flat heat | Level 2-3 |
| Silicone mask | Skin elasticity mismatch | Rigid micro-movement | Level 3 |
| Deepfake injection | Temporal inconsistency | Frame-to-frame artifacts | Level 3 |
The seven signs in detail
- Texture flatness. A printed photo reflects light uniformly across its surface. Live skin scatters light through subsurface tissue. Detection models trained on texture descriptors flag the missing micro-variation that paper cannot reproduce.
- Moire patterns. When a camera photographs a screen, the device pixel grid interferes with the sensor grid to produce a wavy interference pattern. As the 2023 review in Electronics by researchers surveying PAD advances notes, moire artifacts remain one of the most reliable indicators of a screen replay attack.
- Specular reflection. Glass and glossy print produce concentrated bright spots when light hits them. The distribution of those highlights differs sharply from the diffuse reflection of a human face.
- Absent blood flow. Remote photoplethysmography, or rPPG, reads the faint periodic color change in skin caused by the cardiac pulse. A photo, mask, or replayed video carries no live pulse signal, which makes this one of the strongest signs of fake face fraud.
- Edge discontinuity. Cut-out masks and held photos create unnatural boundaries where the artifact meets the background or the attacker's own skin around eye and mouth holes.
- Depth absence. A two-dimensional surface lacks the geometry of a real face. Depth-aware systems detect the missing parallax as the head or camera moves.
- Temporal inconsistency. Injected video and deepfake streams often show frame-to-frame flicker, warping at the face boundary, and lighting that fails to track head motion in a physically plausible way.
Why fraud teams miss these signs
The gap is rarely a lack of effort. It is a structural mismatch between what review tools display and what the attack disturbs. A fraud analyst sees a still frame and a match score. The moire pattern that gives away a replay attack lives in the frequency domain, not in a thumbnail. The missing pulse signal that exposes a printed mask is a time-series measurement, not a visible feature. Three patterns recur across investigations.
- Match-only pipelines. Systems that confirm a face matches a document but never test for liveness will happily approve a high-quality photo of the correct person.
- Active liveness fatigue. Challenge-response prompts that ask users to blink or turn their head can be defeated by a video replay that contains the same motion, and they push real users to abandon onboarding.
- Single-frame analysis. Replay and deepfake artifacts emerge across frames. A pipeline that scores one captured image discards the temporal evidence entirely.
Passive approaches change this equation. By analyzing the natural signal already present in a standard camera feed, including subsurface texture and rPPG-derived blood flow, a system can verify a real human without asking the user to perform any action, which removes both the friction and the attack surface that scripted challenges create.
Industry Applications
Financial onboarding
Banks and fintech platforms running remote account opening face the full catalog of photo and mask attacks because the payoff, a funded account or a loan, is immediate. Detection tuned to texture and pulse signals intercepts the printed-photo and replay attempts that dominate volume fraud.
Government ID verification
Public-sector identity proofing programs operate under standards such as NIST SP 800-63A and increasingly request evidence of presentation attack detection aligned to ISO/IEC 30107-3. The threat model here skews toward higher-effort Level 2 and Level 3 instruments, including 3D and silicone masks, because credentials carry long-term value.
Identity platform providers
Vendors embedding verification into their own products inherit their customers' threat surface. For them, replay attack detection and deepfake injection resistance are table stakes, since a single bypass propagates across every downstream tenant.
Current research and evidence
The research base has matured quickly. The ISO/IEC 30107-3:2023 standard formalized APCER and the Bona Fide Presentation Classification Error Rate (BPCER) as the paired metrics for evaluating any defense, forcing vendors to report both the attacks they let through and the legitimate users they wrongly reject. A 2023 comprehensive review of face presentation attack detection published on arXiv catalogs the shift from hand-crafted texture features toward deep learning models that fuse multiple cues, texture, motion, and physiological signal, to generalize across unseen attack types.
The same literature is candid about the limits. Models trained on one dataset often degrade against attack instruments they have never seen, a generalization gap that researchers surveying recent PAD advances in Electronics (2023) identify as the central open problem. Physiological methods such as rPPG draw attention precisely because a pulse signal is difficult to fake across an entire video, but they demand sufficient frame rate and lighting to read reliably. The practical consensus is that no single sign is sufficient; layered detection that combines several of the seven signals raises the cost of a successful attack far faster than any one method alone.
The Future of presentation attack detection
Three directions are taking shape. First, defenses are converging on multi-signal fusion, where texture, depth, motion, and blood flow are scored together so that defeating one cue is not enough to pass. Second, the attack side is shifting from physical artifacts toward digital injection, where a synthetic stream bypasses the camera entirely, which pushes detection toward signal-integrity and provenance checks alongside classic spoof analysis. Third, evaluation is standardizing: buyers increasingly demand independent testing against ISO/IEC 30107-3 rather than vendor self-assertion, with APCER and BPCER reported at named operating points. The trajectory favors passive, physiology-aware systems that read the involuntary signs of a living person, because those signals are the hardest for an attacker to manufacture and the lightest for a real user to provide.
Frequently asked questions
What is the difference between presentation attack detection and liveness detection? Liveness detection is the broad goal of confirming a real, live person is present. Presentation attack detection is the formal, standards-based discipline, defined under ISO/IEC 30107-3, of detecting and classifying the specific artifacts used to spoof a biometric system. PAD is how liveness is measured and tested.
Which presentation attack is most common? Volume fraud is dominated by Level 1 attacks: printed photos and screen replays, because they are cheap and fast to produce. Higher-effort 3D and silicone masks appear where the target value justifies the preparation cost, such as government credentials or high-limit financial accounts.
Can active challenge-response prompts stop replay attacks? Not reliably. A pre-recorded video can contain the same blink or head turn the prompt requests, and scripted challenges add friction that increases legitimate user drop-off. Passive methods that read texture and blood-flow signals avoid both weaknesses.
How is presentation attack detection performance measured? Through two paired metrics from ISO/IEC 30107-3: APCER, the rate at which attacks are wrongly accepted, and BPCER, the rate at which genuine users are wrongly rejected. A credible evaluation reports both at a stated operating point rather than a single headline number.
Circadify is building passive presentation attack detection that reads the involuntary signs of a live human, including subsurface texture and rPPG blood-flow signals, without asking users to blink or turn their heads. CISO and fraud teams evaluating enterprise defenses against photo, mask, and replay attacks can review the technical approach in our integration guide for fraud detection.