FaceTec biometric liveness detection spoof bounty program expands to five levels and $100k
FaceTec has expanded its biometric spoof bounty program with two new levels and increased funding to further advance the company’s presentation attack detection (PAD) technology for greater security. The spoof bounty program has successfully defended against more than 35,000 spoof attacks in the nine months since it was launched, according to the company announcement.
Levels 4 and 5 on the Liveness.com PAD Artifact/Bypass Attack Vector Scale have been added to the program, and the reward money available has increased to $100,000, so that white hat hackers can inform FaceTec of unknown vulnerabilities in its liveness artificial intelligence system and the company can patch them before malicious actors exploit them. The spoof bounty program was originally launched for three PAD attack levels with $30,000 in possible payouts last October.
In an email, FaceTec CEO Kevin Alan Tussy told Biometric Update that while end users may not be aware of them, Level 4 and 5 attacks have been targeting businesses, and are now the favorite attack vector for professional cybercriminals. A government in Latin America was recently forced to shut down a digital identity app when fake identities were found shortly after its launch, despite the app being protected with liveness detection that had been found to conform to Level 1 and 2 PAD standards by an independent testing lab. FaceTec is now in talks with that government to provide its liveness detection technology.
FaceTec 3D Face Authentication has been trained with tens of millions of spoof attacks over seven years of intensive development, FaceTec says, with both digital and physical spoof artifacts, including high-resolution photos and videos, deepfakes, mannequin heads and realistic masks.
“Shedding light on an industry that has been hiding behind its ‘black boxes’ for decades hasn’t been easy, but two years ago we started pushing for third-party Liveness testing so purchasers could make fully educated decisions. We hoped the testing labs would evolve as the threats have, but unfortunately they have not kept up, and, recently, unscrupulous liveness vendors are exaggerating their security levels dramatically,” comments Tussy in the press release. “With the world in the midst of a pandemic, this is not the time to be gaming testing, hyping phony PAD credentials, and selling inferior Liveness Detection that will endanger the digital security of companies, governments, and end-users.”
The company launched Liveness.com last year to promote the concept of biometric liveness detection as the way to stop identity theft while retaining privacy, and Tussy argues that the market would be best served by the transparency of every biometric liveness vendor instituting their own spoof bounty program for Level 1 to 5 attacks.
Tussy says FaceTec hopes NIST will take up the management of spoof bounty programs to raise the bar past where it has been set by for-profit testing labs.
“As the PAD (Presentation Attack Detection) testing system currently works, once a standard is published, a for-profit testing organization reviews it and determines if testing against it is a viable business for them,” he explains. “But if the tests look like they will be too hard for vendors to pass, then the testing lab will probably narrow the scope until they can make it a viable business.”
This could lead to lower security requirements even before the protocol has been approved and the lab accredited by another third party to test for it, by which point the field will have changed significantly. ISO/IEC 30107-3 was published in 2017, and therefore does not refer to deepfake puppets among spoof artifact definitions.
“We will see 3D Liveness Detection become the standard, and 2D gimmicky Liveness, like blink and smile, will fade away as 2D AI has been proven to be less than adequate against emerging threats like deepfake puppets and Level 5 Camera Bypasses,” Tussy says in the email. “We’ll see fewer ‘Perpetual License’ Liveness products and more Liveness as a Service offerings. For example, FaceTec’s software is not a one-time-purchase, because we are continually tuning the AI to address new threats as they emerge, fortifying our AI models to address new threats within a few days and then quickly pushing an update out to our customers.”