Rohan Pinto (14:32)

I think the reliance on biometric security should increase given the time period that we are in right now with the exponential increase of deepfakes and AI generated content. Because deepfakes in itself, they can mimic facial features, they can mimic voice patterns, they can even mimic iris scans, thereby having the ability for an attacker to bypass a biometric authentication or verification system. So I think it is pretty crucial for any organization that works with biometrics to not discount the fact that deepfakes are being used extensively, especially given the whole North Korean hackers actually being able to secure themselves jobs in the U.S. department of Defense by using deepfakes. So it is pretty crucial that every organization that looks at biometrics to increase or enhance your security posture does consider looking at methodologies and processes to thwart deepfakes as well.

Dave Bittner (15:46)

You know, I think like a lot of people, the most frequent interaction I have with this sort of thing is on my mobile device. I have an iPhone. I use face ID to log in, and it works remarkably well. And then I'll go to the airport and they might ask me to have my face scanned. I was at a theme park recently and they used facial ID instead of tickets to get into the theme park. I'm curious, what is the state of the art these days? What is happening at the highest level with this sort of technology? I know you and your colleagues there get very high marks for the products that you all provide. Where do we stand?

Rohan Pinto (16:29)

We got to remember one thing. When we talk in terms of systems or mobile devices or even kiosks at a theme park, using face ID to authenticate an individual, we got to remember that the authenticity is what matters, because end of the day, face ID is local to the mobile, and you can actually have multiple individuals register their face ID on the same device. So face ID in itself is not sufficient to thwart deepfakes. When you look at mobile apps or kiosks that rely on systems that purely base identification or presence of an individual is not sufficient, because what face ID and touch ID does is that it identifies presence. It does not actually bind the identity of the user to the actual authentication mechanism. For example, on my mobile device, I have my face registered, and I also have my son's face registered, which means that if I now use face ID to access or authenticate into any corporate system, you have very low assurance that it's actually Rohan Pinto that's logging or accessing the system, because it could be any face ID that is registered on that device. So at One Cosmos, we have approached the entire biometric aspect of authentication and security from a completely different angle. We have something called as live id, which means that we verify the authenticity of the individual in real time by doing a lot of forensics in real time with the face that is being presented. Also match that particular face to the face that was actually registered during the onboarding event to ensure that it is not just cryptographically signed like what face ID does, but also asserts the fact that this is a live individual by doing a liveness check at the time of authentication to have additional assurance that there is an actual identity that that is tied to that particular authentication attempt, regardless of the form of biometrics that are used. I hope that.

Dave Bittner (19:00)

Well, I mean, let's dig into some of the details of that. When you say a live individual, I mean, are we looking for things like eye movement, Are we looking for things like a heartbeat? What sets me apart from say, a highly accurate silicone mask?

Rohan Pinto (19:17)

Yeah, absolutely. So when it comes up to silicon masks, again, we do a lot of forensics on the face itself. I'll give you an example. I'll run through a couple of examples. For example, we just don't look at the face. We look at the depth between the ears and the nose, the distance between the eyes, the position of the iris, the angle from which you're looking at the shadows, the depth patterns, and even we do some infrared as well to ensure that the person is a living, breathing individual. However, this might not thwart a silicon mask in the equation, but it does enable us to identify that the person on the other end of the line is a living, breathing individual, regardless of whether the user is using a silicon mask or not. Now that combined with other passive detection techniques to analyze whether it is a deep fake, whether there is noise in the equation, whether there is granularity in the clarity of the image that is being captured, whether the camera being used is a default camera of the device or is being overridden by a third party video streaming service. A combination of a multitude of these elements enable us to have a very high level of accuracy when it comes up to identifying the individual.

Dave Bittner (20:49)

Well, and it sounds like, I mean, I think you captured one of the key points here, and perhaps it's a point of misunderstanding for a lot of folks, which is that this is a multi layered thing. Right. It's not just the biometrics. There are many other factors that you and the other folks who do this kind of thing. Thing rely on.

Rohan Pinto (21:10)

Absolutely. It's a combination of biometric factors and it could also include behavioral analytics. And what I mean by behavioral analytics is that let's say the user is authenticating into a system, he's typing in his user ID and password, and once he authenticates into the system, the user performs certain actions. So we also have the ability to detect the user's Behavioral patterns, typing patterns, voice and face, and a combination of them increases our accuracy level to reduces the success rate of spoofing attempts.

Dave Bittner (21:45)

How do you make sure that you're not introducing undue friction with these sorts of systems?

Rohan Pinto (21:52)

Yes, that's a very interesting question, because when it comes up to the friction, it's one of the elements that could actually thwart a user from using biometrics. So we try to make it as simple as possible when it comes up to user experience. And we have a lot of focus within our organization on enhancing the user experience. So we do not want the user to go through a multitude of steps to prove who he or she claims to be. We want the user to be able to authenticate using Face id, like what they always do, except that the camera being launched for Face ID is not the default device camera, but actually the camera that gets triggered from within our mobile application itself. So from a user experience perspective, the user does exactly what the user does on a day to day basis, which is look at his phone and log in. But what we do additionally with that 2 second or a 1 second video that is captured, or a sequence of frames from the images that are captured, the keystrokes that are captured, the voice analytics that are captured and sent to our analysis engine to give us real time results is all transparent to the user experience. So from a user experience perspective, all the user does is picks up his phone. The mobile app would tell the user to smile, maybe look left or look right, or maybe even blink, you know, a few simplistic actions that do not confuse the user. And the complexity is all on the passive scanning side. On the server side.

Dave Bittner (23:28)

What are your recommendations for organizations that are looking into this sort of thing? How do they decide how to align the degree of complexity here versus their own appetite for risk?

Rohan Pinto (23:44)

Yeah, so risk is another important factor out here, right? Because various organizations have got various risk thresholds that they would like to adhere to. So let's factor in risk in addition to the kind of tool sets that an organization would need to use. Now, either an organization can go out and use tool sets provided by valid third parties or third party organizations, be it Microsoft or Google or Apple by themselves, or even third parties like Plaid or even Twilio offer services that do liveness detection as such, but one cosmos per se, we offer the entirety as a singular platform that the customer can use, where the customer can choose to use things like liveness detection, micro expression analysis. They could evolve alongside a lot of sophisticated generative models that we use for deepfake detection as well. So the integration of the security aspect of an organization's infrastructure could be as simple as making an API call over to us. We carry on with the user journey from there on. Ensure that the biometrics are authentic, ensure that it is not deep fake, ensure that there are no silicon masks used. We ensure that micro expression analysis is also done. Run through a whole bunch of AI models that enable us to determine whether this is AI generated content or otherwise before we can return back not just a success of the authentication attempt, but also a risk threshold that the consuming organization can adjust based on their own risk thresholds or appetite.

Dave Bittner (25:36)

I see. All right, well Rohan, I think I have everything I need for our story here. Is there anything I missed? Anything I haven't asked you that you think it's important to share?

Rohan Pinto (25:47)

Well, I think one of the most important things that everybody talks about is what are the mitigation strategies for, you know, for deepfake detection or for using deepfakes. So one thing that I would what I tell everybody is that you got to ensure that liveness detection is enabled and not rely on a static biometric authentication mechanism just like face id, because face ID does liveness detection on the edge. And you would need to do a combination of both liveness detection on the edge as well as on the server side. Additionally add behavioral analytics onto it which is keystrokes or gate or traditional biometric verification systems as well. And on top of it, also ensure that you've got data governance rules in place so that you're using products and technologies that are based on standards and not something that's just available off of the Internet.

Dave Bittner (26:46)

That's Rohan Pinto, CTO of 1 Cosmos. And finally, cybersecurity sleuths at Sophos have unraveled a curious caper. Over 130 open source GitHub projects booby trapped with backdoors, all courtesy of a mystery dev known only as ischhfd83. The plot kicked off when a user questioned the safety of Sakura Rat, a so called malware tool that was less weapon, more whoopee cushion. Upon inspection, researchers found the code discreetly downloaded, extra malware mid compilation, targeting not businesses, but in a karmic twist, other hackers and wannabes. What followed was a journey through a thicket of copy pasted chaos, automated commits, copycat accounts and layers of obfuscation cloaking nasties like lumastealer. Sophos suspects this is part of a broader distribution as a service racket. They conclude the digital supply chain's underbelly remains as shady as ever. And if you're downloading free hacking tools from strangers on GitHub, well, maybe you're the mark. And that's the Cyberwire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until the end of August. There's a link in the show Notes. Please do check it out. N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign Dave here. I've talked about Delete Me before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites. And they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.