What is CEN/TS 18099? A guide to the injection attack detection standard
For years, the dominant threat against remote identity verification was the presentation attack: someone holding a printed photo up to a camera, wearing a mask, or playing a pre-recorded video on a phone screen. The industry responded with increasingly sophisticated anti-spoofing technology and vision-based detection models, and the standards to test their effectiveness followed.
But many of today’s most sophisticated fraudsters don’t bother with the camera at all. Instead, they bypass it and inject a photo or video directly into the verification data stream. This approach is advantageous for fraudsters because it can be harder to detect, and it’s easier for attackers to test new techniques.
Until recently, the industry lacked a standardized framework for injection attack detection, or IAD. Existing standards, like ISO/IEC 30107, focused primarily on presentation attacks and sensor-based spoofing. CEN/TS 18099 establishes the first framework for assessing how effectively identity verification systems detect injection attacks. A global standard, ISO/IEC 25456, is also under development.
Why do injection attacks require a new evaluation framework?
The techniques used to detect presentation attacks and injection attacks are fundamentally different.
Presentation attacks attempt to trick the system by showing it something fake, such as a printed photo, a screen playing a video, or a mask. Anti-spoofing systems are therefore designed to analyze what the camera sees. They look for clues such as natural movement, depth, lighting, and other physical characteristics.
Injection attacks manipulate the data stream, so analyzing the image or video alone won’t necessarily reveal the attack. For example, attackers might inject content taken from identity theft victims, and that genuine image or video can legitimately pass image analysis. But fraudsters who want to scale attacks may prefer to use AI-generated or manipulated content, which is why detecting injection attacks can also be important for preventing GenAI fraud.
What is CEN/TS 18099?
CEN/TS 18099, approved in October 2024 by the European Committee for Standardization (CEN), is the first dedicated standard for biometric data injection attack detection. CEN is one of the primary organizations responsible for developing technical standards across Europe, with membership spanning the national standards bodies of European countries, including AFNOR (France), DIN (Germany), and UNE (Spain).
The CEN/TS 18099 standard provides a common framework for defining, testing, and evaluating a verification system’s resistance to injection attacks. It separates what attackers do into two distinct concepts:
Injection attack methods (IAMs): How an attacker gains the ability to inject data into the pipeline
Injection attack instruments (IAIs): What is actually injected, e.g., a deepfake video, a synthetically generated face, a manipulated image sequence, or a stolen video.
| Examples of IAMs | Virtual camera, video capture card, mobile device emulator, function hooking, man-in-the-middle |
| Examples of IAIs | Face reenactment, morphed images, face swap, synthetic images, recorded selfie |
A resilient system can block the pathway (IAM) before the IAI is delivered. Systems that only attempt to detect the content after it enters the pipeline will miss more fraudulent attempts.
The standard defines three evaluation tiers:
Level 1 (Basic): No IAIs or IAMs are required. Compliance is demonstrated by issuing a statement that the minimum technical requirements have been met.
Level 2 (Substantial): Requires testing with at least 10 different IAIs and two different IAMs.
Level 3 (High): The highest evaluation level defined in the standard, requiring testing with at least 15 different IAIs and at least three different IAMs.
Testing must also account for bona fide presentation classification error rate (BPCER) — meaning a system can't achieve compliance by becoming so aggressive that it blocks legitimate users.
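The tier minimums and BPCER above can be tallied from an evaluation log. The following is an added example, not code from the standard or from Persona. The record fields, function names, and sample labels are assumptions, and it checks only the IAI/IAM counts listed above, not compliance itself.

```python
from collections import defaultdict
from itertools import product

# Minimum distinct IAIs / IAMs per evaluation level, as listed in the article.
LEVEL_MINIMUMS = {3: (15, 3), 2: (10, 2)}

def summarize(trials):
    """Summarise trial records: dicts with 'kind' ('attack' or 'bona_fide'),
    'decision' ('accept' or 'reject') and, for attacks, 'iam' and 'iai'."""
    iams, iais = set(), set()
    bona_total = bona_rejected = 0
    pairs = defaultdict(lambda: [0, 0])  # (iam, iai) -> [accepted, attempts]
    for t in trials:
        if t["kind"] == "bona_fide":
            bona_total += 1
            bona_rejected += t["decision"] == "reject"
            continue
        iams.add(t["iam"])
        iais.add(t["iai"])
        pairs[(t["iam"], t["iai"])][1] += 1
        pairs[(t["iam"], t["iai"])][0] += t["decision"] == "accept"
    # Level 1 needs no IAIs or IAMs, so it is the floor.
    level = next((lvl for lvl, (n_iai, n_iam) in sorted(LEVEL_MINIMUMS.items(), reverse=True)
                  if len(iais) >= n_iai and len(iams) >= n_iam), 1)
    return {
        "coverage_level": level,
        "distinct_iams": len(iams),
        "distinct_iais": len(iais),
        # BPCER: share of genuine users wrongly rejected as attacks.
        "bpcer": bona_rejected / bona_total if bona_total else None,
        "accepted_attacks": sorted(p for p, (acc, _) in pairs.items() if acc),
        "untested_pairs": sorted(set(product(iams, iais)) - set(pairs)),
    }

# Constructed sample campaign (labels are illustrative, not from a real evaluation).
IAMS = ["virtual camera", "mobile device emulator", "function hooking"]
IAIS = [f"{kind} #{n}" for kind in ("face swap", "morphed image", "recorded selfie")
        for n in range(1, 6)]  # 15 distinct instruments

def sample_trials():
    trials = [{"kind": "attack", "iam": m, "iai": i, "decision": "reject"}
              for m, i in product(IAMS, IAIS) if (m, i) != ("function hooking", "face swap #5")]
    trials[0]["decision"] = "accept"  # one injected sample goes undetected
    trials += [{"kind": "bona_fide", "decision": "reject" if n < 4 else "accept"}
               for n in range(200)]
    return trials

if __name__ == "__main__":
    print(summarize(sample_trials()))
```

The `untested_pairs` field lists IAM and IAI combinations the campaign never exercised, which is where coverage that looks sufficient by count alone can still have gaps.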
CEN/TS 18099 is especially important for the digital ID landscape in Europe
Injection attack detection is important for organizations around the world, but the CEN/TS 18099 standard is also part of an ongoing European effort to build a trusted, continent-wide digital identity ecosystem.
Under eIDAS 2.0, the EU introduced the European Digital Identity Wallet that will let residents use their digital identities across Member States. Issuing credentials for these wallets must happen remotely, at a high assurance level. And CEN/TS 18099 is one of several standards and frameworks used to validate those capabilities.
How Persona detects injection attacks
Persona is a configurable identity platform built to detect various types of fraud, including injection attacks. Persona does this by layering detection methods, including:
Environmental detection evaluates the device, camera, and session context from each submission. Injection attacks frequently leave artifacts in the capture and delivery process, and detecting these artifacts can flag injection attempts.
Multi-frame capture analysis examines motion across frames to detect unnatural stability and consistency, which may indicate an injected stream.
Device, app, and runtime integrity checks verify that media originates from a genuine, untampered application running on a legitimate device.
Dynamic, risk-based verifications allow organizations to automatically block or step up users who might be injecting content.
Learn more about how to stop injection attacks, AI-based fraud, and the latest fraud trends.
FAQs
What needs to be achieved for Level 3 CEN/TS 18099 certification?
Level 3 CEN/TS 18099 is the highest certification within the recognized standard’s baseline. To achieve Level 3, a system must endure at least 30 days of active "full-time equivalent" testing. Moreover, at least 3 IAMs and 15 IAIs must be included in the evaluation. Success requires robust defenses against individual attacks and the diverse ways those attacks can be combined.
How can you detect injection attacks?
The CEN/TS 18099 standard focuses on injection attack methods (IAMs), or how an attacker injects data, and injection attack instruments (IAIs), or what’s being injected. A comprehensive defense layers different methods to detect IAMs and IAIs. These could include: capture integrity, media forensics, liveness detection, device/session signals, and backend pattern analysis.
Is injection attack detection the same thing as deepfake detection?
No, injection attack detection (IAD) and deepfake detection are two distinct types of fraud detection. IAD focuses on detecting whether an attacker injects content into a verification flow rather than using a legitimate camera. Fraudsters who use injection attacks can inject synthetic content, like a deepfake selfie, and legitimate content, like an image of a real person or a selfie from an identity theft victim.
Deepfake detection focuses on determining if the submitted content is a deepfake. Fraudsters regularly inject deepfakes into selfie verifications, so IAD can help detect deepfakes, especially ultra-realistic ones that might evade visual detection models. But fraudsters can also take a picture of another screen showing a deepfake to submit the deepfake via a presentation attack.
