
How iProov is fending off deepfake fraud

Facial biometrics and controlled illumination can detect liveness, verify identities and help prevent deepfake attacks

Long before deepfakes became a concern over their ability to steal identities and spread false information, Andrew Bud had already started working on a way to detect the liveness of imagery.

Having seen cyber attacks on customers of a mobile payment processing company he started earlier in his career, Bud knew there was going to be a new type of attack where criminals would pretend to be someone else to make fraudulent transactions.  

The engineer and serial entrepreneur spent a year thinking about how to solve the problem in a way that would be easy and inclusive, but also “secure so that people who wanted to steal a million pounds a week wouldn’t be able to break through”.

He eventually formed iProov, whose biometric offering works by illuminating a user’s face with a series of flashes in different colours before streaming the resulting imagery to backend servers to be analysed. “The sequence of colours reflected off the face, coupled with the complexity of ambient light, tells us that we’re looking at a real person present right now,” said Bud. “A recording or pre-prepared deepfake will have the wrong sequence.”

He said that while attackers have tried to use a variety of deepfake and artificial intelligence techniques to create fake imagery of their victims, “it’s such a strange problem we’ve set for them that they don’t know what [the right image] looks like, and that’s very important”.
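The claim above, that a recording or pre-prepared deepfake carries the wrong colour sequence, is a challenge-response freshness property. The following Python model is an added illustration, not iProov's code. The palette, sequence length, lifetime, class name and single-use rule are assumptions, as is the upstream image-analysis step that reduces each flash to one dominant reflected colour.

```python
import hmac
import secrets
import time

PALETTE = ("red", "green", "blue", "yellow", "cyan", "magenta")  # assumed palette
SEQ_LEN = 8        # assumed number of flashes per challenge
TTL_SECONDS = 30   # assumed lifetime of an issued challenge


class LivenessChallenger:
    """Hypothetical server side: issues one-time colour sequences and checks
    the sequence that image analysis recovered from the streamed frames."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}   # session_id -> (sequence, expiry time)
        self._clock = clock

    def issue(self, session_id):
        # Unpredictable per session: a clip captured earlier cannot anticipate it.
        seq = tuple(secrets.choice(PALETTE) for _ in range(SEQ_LEN))
        self._pending[session_id] = (seq, self._clock() + TTL_SECONDS)
        return seq

    def verify(self, session_id, observed):
        # pop() makes the challenge single-use, so resubmitting the same
        # stream for the same session finds nothing to match against.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return "no-challenge"
        seq, expiry = entry
        if self._clock() > expiry:
            return "expired"
        if len(observed) != len(seq):
            return "mismatch"
        same = hmac.compare_digest(",".join(observed).encode(),
                                   ",".join(seq).encode())
        return "live" if same else "mismatch"


if __name__ == "__main__":
    server = LivenessChallenger()
    first = server.issue("session-A")             # constructed session ids
    print(server.verify("session-A", first))      # live capture of this session
    server.issue("session-B")
    print(server.verify("session-B", first))      # recording of session A replayed
    print(server.verify("session-A", first))      # second use of a spent challenge
```

With 6 colours and 8 flashes there are 6^8 = 1,679,616 possible sequences, so a pre-recorded clip matches a fresh challenge only by chance.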

The company also employs human analysts to identify attempted fraud using the data it has amassed on millions of transactions per day. The analysts study the attackers’ techniques and put in place new tests in real time to deal with the latest modes of attacks.

“Our system is constantly changing,” said Bud. “There are times when we’re updating our detection software every day to deal with the evolving attack scenario, and because we look at all attacks worldwide, there’s no way attackers can lurk unseen and use one place as a laboratory before attacking somewhere else.”


Today, iProov is used by the Singapore government to verify and authenticate users of the Singpass digital identity platform, as well as the UK’s National Health Service and financial services giant UBS in electronic know-your-customer (eKYC) use cases.

Bud said other use cases include situations where employees have to “iProov themselves to access enterprise systems”, particularly where they’re not allowed, for some reason, to have personal devices with them, such as on trading floors and in secure facilities.

The service also supports seamless travel on the Eurostar by letting passengers link their passport, face and ticket so that on the day of travel they can just walk through a designated SmartCheck biometric corridor at the St Pancras International station in London to confirm their identity.

With a global customer base, iProov has to make sure its technology works on a wide range of devices, from the latest high-end Apple and Android devices to low-cost smartphones with dimmer screens and lower-quality cameras. “When we come across metadata suggesting that we’ve got a problem with a particular phone, we will buy the phone to study it and amend our software to make sure that we can support it,” said Bud.

Despite the hundreds of millions of transactions that iProov processed last year, he claimed the number of successful attacks was “zero to vanishingly small”.

Still, the company is not resting on its laurels, and continues to keep pace with the fast-moving threat landscape, including the growing number of face swap deepfake attacks that allow threat actors to control the actions of an outputted face at will and in real time.

It also employs a red team that studies the latest literature from universities and research institutions while generating novel deepfakes to help with the development of new detection methods. “When those deepfakes do appear in the wild, we would have developed new tests for them, and over the years, we’ve invented and deployed dozens of tests that don’t change the user experience at all,” said Bud.
