FindBiometrics

Deep-Dive Into the $100K Biometric Spoof Bounty with FaceTec CEO Kevin Alan Tussy – Part 1

August 14, 2020

Breaking Down the $100K Biometric Spoof Bounty with FaceTec CEO Kevin Alan Tussy – Part 1

FaceTec – the renowned provider of FaceTec 3D Face Authentication – is known as a pioneer in biometric liveness detection. Its flagship technology has made headlines in recent years in connection with the cause of transparent evaluation of presentation attack detection (PAD) in the biometrics industry. Early in the company’s crusade, third-party lab testing was the benchmark, but as fraud threats continued to mount in the wake of accelerating digital transformation, the company turned to a more proactive evaluation tactic: a spoof bounty.

First announced a year ago as a three-level bounty program with the potential to pay up to $30,000, FaceTec upped the ante this summer, adding two more levels and increasing the payouts to a potential total of $100,000. To dig into the rationale behind the enhanced spoof bounty program, FindBiometrics interviewed FaceTec CEO Kevin Alan Tussy. In part one of our two-part conversation, Tussy contrasts the bounty with lab testing, reflects on lessons learned during the initial days of the program, and lays out the new attack vectors encompassed by the five-level jackpot.

Read part one of FindBiometrics’ Interview with Kevin Alan Tussy, CEO, FaceTec:

Peter Counter, Editor in Chief, FindBiometrics: Nearly a year ago, FaceTec launched the first-ever global spoof bounty program. It was quite a bold idea at the time, yet recently you announced you were raising the bounty total substantially to $100K and adding new levels. There’s a lot to unpack here, but let’s start with this: why a spoof bounty?

Kevin Alan Tussy, CEO, FaceTec: Our spoof bounty program is the most effective and transparent way to prove our security in the real world. And while we’ve helped drive awareness around sanctioned PAD (Presentation Attack Detection) testing in the past, the way standards bodies and for-profit testing labs are structured encourages them to keep the bar low and testing scopes narrow. They rely on outdated standards because it takes years to update the official, supporting documentation. Meanwhile, in the real world the tech is being deployed on new platforms like web browsers, and new threats evolve much, much faster than the testing can.

Fully articulating, digital deepfake puppets can be created from a single 2D photo with free software in five minutes now, so why not test those? And, what about attacks that bypass the camera altogether? What if a hacker can tamper with the biometric data as it’s being sent to the server? These are all questions that the current PAD lab tests aren’t able to answer. The bottom line is that if you are going to have confidence in a Liveness solution, you should have a solid basis for that confidence. Our spoof bounty program is the source of ours because it’s hard proof that we’ve rebuffed tens of thousands of real-world attacks and are constantly standing ready to address the next threat that emerges.

My question to the for-profit testing labs is, why not test these scalable digital attack vectors? And why no disclaimers around the fact that deepfake puppets and Level 4 and 5 bypasses weren’t tested at all? These are all very scalable attack methods that can compromise an entire biometric security implementation if they aren’t addressed up front. Threats have evolved over the last two years, and in my opinion these for-profit testing lab conformance letters should now be required to have disclaimers in bold red letters warning that they don’t test for deepfake puppets or Level 4 and 5 bypasses.

We don’t have to wait for lagging standards bodies or be lulled into deploying vulnerable Liveness by for-profit labs testing conformances. The answer to all the obfuscation from legacy solutions is, absolutely, to deploy public Spoof Bounty Programs.

FindBiometrics: How did the initial spoof bounty program work out, and what did you learn?

FaceTec: We used the cyber-security industry’s tried and true bug bounty framework as our guide, and over the last nine months we’ve paid exactly two bounties. We quickly tuned the decisioning thresholds slightly differently and became even stronger from them. So far, FaceTec’s 3D Liveness AI has rebuffed more than 37,000 attacks and we’ve learned a tremendous amount in the process. We now have a real-world, Level 1-5 accuracy proven to +99.997 percent with sessions performed on tens of thousands of different devices. Having direct insight into variations on old attack vectors and seeing new attack vectors before they become leveraged by hackers is a big advantage for our team. We get better at blocking threats while maintaining the intuitive UI and low False Reject Rate that FaceTec is famous for.

Once we’d passed all of the available NIST lab PAD tests with certified, 100 percent scores, we knew we still had to keep pushing FaceTec’s security further, so we released the Level 1-3 spoof bounties last year. Like Mike Tyson once said, “Everybody has a plan until they get hit,” and in biometric security it’s no different. So as new threats emerged and our web browser UI became more popular, it became obvious that we needed to add the Level 4 and 5 threat vector bounties to ensure security. We then decided to increase the program to $100,000 to motivate even more attackers to hit us as hard as they could, so now we get attacked 24 hours a day from all over the world, including Russia and China. These highly motivated, innovative individuals work against us in the short term, but in the long run make us better and our end-users more secure.

FindBiometrics: You’ve upped the bounty dollars across PAD Levels 1, 2, and 3 – which clearly shows increasing confidence in your tech – but we’ve never heard of Levels 4 or 5 before your announcement. What was the reasoning behind adding the two additional attack vectors, particularly since no PAD testing organization even seems to have Levels 4 or 5 on their radar?  

FaceTec: Since we aren’t limited by pledged allegiance to fossilized PAD standards, or held hostage by committees of morally compromised financial contributors, when it came time to publish new threat levels based on our experience over the last six years, we just made the call and added Levels 4 and 5. And it was the right call because every threat must be addressed before Liveness can provide secure remote identity verification.

The Level 4 and 5 threat vector levels were developed by our management and are published on Liveness.com and SpoofBounty.com. 

Level 4 covers Biometric Template Tampering, basically editing the biometric data in transit after breaking the encryption. Level 5 covers Camera Hijacking and Video Stream Tampering. 

The reason these levels are so important is that simple spoof artifacts like photos and videos are easy to create, but they don’t scale very well. Skilled hackers are not going to spend a lot of time creating physical artifacts one at a time. In Level 4 and Level 5 attacks, hackers use code to set breakpoints, change variable/register values, recompile binaries, inject scripts, supply virtual cameras, inject pre-recorded media files, and/or try to break our encryption.

*

Learn more about the $100,000 spoof bounty program in part two of our interview with FaceTec CEO Kevin Alan Tussy.
