FaceTec – the renowned provider of FaceTec 3D Face Authentication – is known as a pioneer in biometric liveness detection. Its flagship technology has made headlines in recent years for championing the transparent evaluation of presentation attack detection (PAD) in the biometrics industry. Early in the company’s crusade, third-party lab testing was the benchmark, but as fraud threats continued to mount in the wake of accelerating digital transformation, the company turned to a more proactive evaluation tactic: a spoof bounty.
First announced a year ago as a three-level bounty program with the potential to pay up to $30,000, FaceTec upped the ante this summer, adding two more levels and increasing the payouts to a potential total of $100,000. To dig into the rationale behind the enhanced spoof bounty program, FindBiometrics interviewed FaceTec CEO Kevin Alan Tussy. In part one of our two-part conversation, Tussy contrasts the bounty with lab testing, reflects on lessons learned during the initial days of the program, and lays out the new attack vectors encompassed by the five-level jackpot.
Read part one of FindBiometrics’ Interview with Kevin Alan Tussy, CEO, FaceTec:
Peter Counter, Editor in Chief, FindBiometrics: Nearly a year ago, FaceTec launched the first-ever global spoof bounty program. It was quite a bold idea at the time, yet recently you announced you were raising the bounty total substantially to $100K and adding new levels. There’s a lot to unpack here, but let’s start with this: why a spoof bounty?
Kevin Alan Tussy, CEO, FaceTec: Our spoof bounty program is the most effective and transparent way to prove our security in the real world. And while we’ve helped drive awareness around sanctioned PAD (Presentation Attack Detection) testing in the past, the way standards bodies and for-profit testing labs are structured encourages them to keep the bar low and testing scopes narrow, while they rely on outdated standards because it takes years to update the official supporting documentation. Meanwhile, in the real world the tech is being deployed on new platforms like web browsers, and new threats evolve much, much faster than the testing can.
Fully articulating digital deepfake puppets can be created from a single 2D photo with free software in five minutes now, so why not test those? And what about attacks that bypass the camera altogether? What if a hacker can tamper with the biometric data as it’s being sent to the server? These are all questions that the current PAD lab tests aren’t able to answer. The bottom line is that if you are going to have confidence in a Liveness solution, you should have a solid basis for that confidence. Our spoof bounty program is the source of ours because it’s hard proof that we’ve rebuffed tens of thousands of real-world attacks and are constantly standing ready to address the next threat that emerges.
My question to the for-profit testing labs is, why not test these scalable digital attack vectors? And why no disclaimers around the fact that deepfake puppets and Level 4 and 5 bypasses weren’t tested at all? These are all very scalable attack methods that can compromise an entire biometric security implementation if they aren’t addressed up front. Threats have evolved over the last two years, and in my opinion these for-profit testing lab conformance letters should now be required to have disclaimers in bold red letters warning that they don’t test for deepfake puppets or Level 4 and 5 bypasses.
We don’t have to wait for lagging standards bodies or be lulled into deploying vulnerable Liveness by for-profit labs testing conformances. The answer to all the obfuscation from legacy solutions is, absolutely, to deploy public Spoof Bounty Programs.
FindBiometrics: How did the initial spoof bounty program work out, and what did you learn?
FaceTec: We used the cyber-security industry’s tried and true bug bounty framework as our guide, and over the last nine months we’ve paid exactly two bounties. We quickly tuned the decisioning thresholds slightly differently and became even stronger from them. So far, FaceTec’s 3D Liveness AI has rebuffed more than 37,000 attacks and we’ve learned a tremendous amount in the process. We now have a real-world, Level 1-5 accuracy proven to +99.997 percent with sessions performed on tens-of-thousands of different devices. Having direct insight into variations on old attack vectors and seeing new attack vectors before they become leveraged by hackers is a big advantage for our team. We get better at blocking threats while maintaining the intuitive UI and low False Reject Rate that FaceTec is famous for.
Once we’d passed all of the available NIST lab PAD tests with certified, 100 percent scores, we knew we still had to keep pushing FaceTec’s security further, so we released the Level 1-3 spoof bounties last year. As Mike Tyson once said, “Everybody has a plan until they get hit,” and in biometric security it’s no different. So as new threats emerged and our web browser UI became more popular, it became obvious that we needed to add the Level 4 and 5 threat vector bounties to ensure security. We then decided to increase the program to $100,000 to motivate even more attackers to hit us as hard as they could, so now we get attacked 24 hours a day from all over the world, including Russia and China. These highly motivated, innovative individuals work against us in the short term, but in the long run make us better and our end-users more secure.
FindBiometrics: You’ve upped the bounty dollars across PAD Levels 1, 2, and 3 – which clearly shows increasing confidence in your tech – but we’ve never heard of Levels 4 or 5 before your announcement. What was the reasoning behind adding the two additional attack vectors, particularly since no PAD testing organization even seems to have Levels 4 or 5 on their radar?
FaceTec: Since we aren’t limited by pledged allegiance to fossilized PAD standards, or held hostage by committees of morally compromised financial contributors, when it came time to publish new threat levels based on our experience over the last six years, we just made the call and added Levels 4 and 5. And it was the right call because every threat must be addressed before Liveness can provide secure remote identity verification.
Level 4 covers Biometric Template Tampering, basically editing the biometric data in transit after breaking the encryption. Level 5 covers Camera Hijacking and Video Stream Tampering.
The reason these levels are so important is that simple spoof artifacts like photos and videos are easy to create, but they don’t scale very well. Skilled hackers are not going to spend a lot of time creating physical artifacts one at a time. In Level 4 and Level 5 attacks, hackers use code to set breakpoints, change variable/register values, recompile binaries, inject scripts, supply virtual cameras, inject pre-recorded media files, and/or try to break our encryption.
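As an added illustration of the Level 4 threat described above (editing biometric data in transit once the transport encryption has been stripped), the following Python sketch shows the defender-side check that makes such an edit detectable: the server issues a one-time session nonce, the client binds its payload to that nonce with an HMAC under a session key, and the server rejects any submission whose tag does not verify or whose nonce has already been consumed. This is example code written for this article, not FaceTec's protocol or SDK; the server class, the envelope layout, the key delivery over an assumed pre-authenticated TLS channel, and the sample template and scores are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets


def _mac(key, nonce, payload):
    """HMAC-SHA256 over the nonce plus a canonical JSON encoding of the payload,
    so that editing any template byte or score invalidates the tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, nonce.encode() + body, hashlib.sha256).hexdigest()


class LivenessServer:
    """Hypothetical server side (constructed for this example). Each session
    gets a one-time nonce and a session key; the key is assumed to reach the
    client over an already-authenticated TLS channel."""

    def __init__(self):
        self._sessions = {}  # nonce -> session key, consumed on first use

    def open_session(self):
        nonce = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self._sessions[nonce] = key
        return nonce, key

    def verify(self, envelope):
        """Return 'accepted' or a 'rejected: ...' reason string."""
        nonce = envelope.get("nonce", "")
        key = self._sessions.pop(nonce, None)  # single use: a replay finds nothing
        if key is None:
            return "rejected: unknown or already-used session nonce"
        expected = _mac(key, nonce, envelope["payload"])
        if not hmac.compare_digest(expected, envelope.get("mac", "")):
            return "rejected: payload does not match its MAC"
        # Only an intact, fresh payload reaches the liveness/matching logic.
        return "accepted"


def client_envelope(nonce, key, template_b64, liveness_score):
    """Hypothetical client side: bind the captured data to this session."""
    payload = {"template": template_b64, "liveness": liveness_score}
    return {"nonce": nonce, "payload": payload, "mac": _mac(key, nonce, payload)}


def run_scenarios():
    """Three constructed submissions: honest, edited in transit, and replayed.
    Returns a dict of outcome strings keyed by scenario name."""
    server = LivenessServer()
    results = {}

    # 1. Honest client: the envelope is accepted.
    nonce, key = server.open_session()
    honest = client_envelope(nonce, key, "Q09OU1RSVUNURUQ=", 0.03)  # constructed
    results["honest"] = server.verify(honest)

    # 2. Level 4 style edit: an intermediary that has stripped the transport
    #    encryption rewrites the liveness score but lacks the session key,
    #    so the MAC it forwards no longer covers the bytes the server sees.
    nonce, key = server.open_session()
    edited = client_envelope(nonce, key, "Q09OU1RSVUNURUQ=", 0.91)
    edited["payload"]["liveness"] = 0.03
    results["tampered"] = server.verify(edited)

    # 3. Replay: the earlier accepted envelope is submitted a second time.
    results["replayed"] = server.verify(honest)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:9s} -> {outcome}")
```

The check only raises the bar for an attacker who sits between client and server; it does not by itself protect against a client process that has been modified to compute fresh tags, which is the situation the Level 5 category (camera hijacking, injected media, recompiled binaries) is meant to cover and why those vectors need separate controls.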
Learn more about the $100,000 spoof bounty program in part two of our interview with FaceTec CEO Kevin Alan Tussy.