Additional Ingenium Injection Attack Detection Testing…Result

There are numerous independent testing laboratories, holding testing certifications from various entities, that test a product’s conformance to the requirements of a particular standard.

For presentation attack detection (liveness), organizations such as iBeta and BixeLab test conformance to ISO 30107-3.

  • Vendors who submit their products to iBeta may optionally choose to have the results published; iBeta publishes these confirmation letters here.
  • In a similar manner, BixeLab publishes its confirmation letters here.

For injection attack detection, Ingenium tests conformance to CEN/TS 18099:2025, as well as testing that exceeds the requirements of that standard.

Unfortunately, I was unable to locate a central source of all of Ingenium’s testing results. So I had to hunt around.

Known Ingenium Injection Attack Detection Testing Results

| Biometric Vendor | Ingenium Injection Attack Detection Test Level | Notes |
|---|---|---|
| FaceTec | 2 | Ingenium letter on FaceTec website |
| iProov | 4 | Bredemarket blog post “Injection Attack Detection, CEN/TS 18099:2025, and iProov” |

And…that’s all I could find.

Ingenium’s testing is relatively new, as is the whole idea of performing injection attack detection testing in general, so it shouldn’t be surprising that vendors haven’t rushed to get independent confirmation of injection attack capabilities.

But they should.

A brief reminder on Ingenium’s five testing levels

I’ve mentioned this before, but it’s worth exploring in more detail, since I only discussed Level 4. Here’s a complete list of all five of Ingenium’s testing evaluation tiers:

  • Level 1: CEN Substantial: This tier is equivalent to the CEN TS 18099:2025 ‘substantial’ evaluation level. A Level 1 test requires 25 FTE days and includes a focus on 2 or more IAMs and 10 or more IAI species. It’s a great starting point for assessing your system’s resilience to common injection attacks.
  • Level 2: CEN High: Exceeding the substantial level, this tier aligns with the CEN TS 18099:2025 ‘high’ evaluation level. This 30-day FTE evaluation expands the scope to include 3 or more IAMs and a higher attack weighting, providing a more rigorous test of your system’s defenses.
  • Level 3: This level goes beyond the CEN TS 18099:2025 standard to provide an even more robust evaluation. The 35-day FTE program focuses on a higher attack weighting, with a greater emphasis on sophisticated IAMs and IAI species to ensure a more thorough assessment of your system’s resilience.
  • Level 4: A 40-day FTE evaluation that further exceeds the CEN TS 18099:2025 standard. Level 4 maintains a high attack weighting while specifically targeting the IAI detection capabilities of your system. Although not a formal PAD (Presentation Attack Detection) assessment, this level offers valuable insights into your system’s PAD subsystem resilience.
  • Level 5: Our most comprehensive offering, this 50-day FTE evaluation goes well beyond the CEN TS 18099:2025 requirements. Level 5 includes the highest level of Ingenium-created IAI species, which are specifically tailored to the unique functionality of your system. This intensive testing provides the deepest insight into your system’s resilience to injection attacks.

Oh, and there’s a video

As I was publicizing my iProov injection attack detection post, I used Grok to create an injection attack detection video. Not for the squeamish, but injection attacks are nasty anyway.

Grok.

Injection Attack Detection, CEN/TS 18099:2025, and iProov

Most identity and biometric marketing leaders know that their products should detect attacks, including injection attacks. But do the products detect attacks? And do prospects know that the products detect attacks? (iProov prospects know. Or should know.)

I’ve mentioned injection attack detection a couple of times on the Bredemarket blog, noting its difference from presentation attack detection. While the latter affects what is shown to the biometric reader, the former bypasses the biometric reader entirely.

But I haven’t mentioned how vendors can secure independent confirmation of their injection attack defenses.

European Committee for Standardization (CEN)

Here’s part of what ID Tech Wire said a year ago.

“A new European technical standard, CEN/TS 18099:2025, has been published to address the growing concern of biometric data injection attacks. The standard provides a framework for evaluating the effectiveness of identity verification (IDV) vendors in detecting and mitigating these attacks, filling a critical gap left by existing regulations.”

Being a baseball hot dogs apple pie guy, I had never heard of CEN. Now I have.

“CEN, the European Committee for Standardization, is an association that brings together the National Standardization Bodies of 34 European countries.

“CEN provides a platform for the development of European Standards and other technical documents in relation to various kinds of products, materials, services and processes.”

And before you say that them furriner Europeans couldn’t possibly understand the nuances of good ol’ Murican injection attacks, look at all the countries that follow biometric interchange guidance from the American National Standards Institute (ANSI) and the National Institute of Standards and Technology (NIST).

So CEN is good.

But let’s get to THIS standard.

More on CEN/TS 18099:2025

The Biometric Data Injection Attack Detection standard can be found at multiple locations, including the aforementioned ANSI. From the current 2025 version:

“This document provides an overview of: 

– Definitions of biometric data injection attacks; 

– Use cases for injection attacks with biometric data on essential hardware components of biometric systems used for enrollment and verification; 

– Tools for injection attacks on systems using one or more biometric modalities. 

This document provides guidance for: 

– Injection Attack Instrument Detection System (defined in 3.12); 

– adequate risk mitigation for injection attack tools; 

– Creation of a test plan for the evaluation of an injection attack detection system (defined in 3.9).”

Like (most) good standards, you have to buy it. Current Murican price is $99.

You can see how this parallels the existing standard for presentation attack detection testing.

Which brings us to iProov…and Ingenium

iProov is a company in the United Kingdom. This post does not address whether the United Kingdom is part of Europe; I assigned that thankless task to Bredebot. But iProov does pay attention to European standards, according to this statement:

“[iProov] announced that its Dynamic Liveness technology is the first and only solution to successfully achieve an Ingenium Level 4 evaluation and the CEN/TS 18099 High technical specification for Injection Attack Detection, following an independent evaluation by the ISO/IEC 17025-accredited, Ingenium Biometric Laboratories. Ingenium Level 4 builds on the requirements outlined in CEN/TS 18099, providing an increased level of assurance with an extended period of active testing and inclusion of complex, highly-weighted attack types.”

Ingenium’s injection attack detection testing is arranged in five levels/tiers. The first two correspond to the “substantial” and “high” evaluation levels in CEN/TS 18099:2025. The final three levels exceed the standard.

Level 4:

“Level 4: A 40-day FTE evaluation that further exceeds the CEN TS 18099:2025 standard. Level 4 maintains a high attack weighting while specifically targeting the IAI detection capabilities of your system. Although not a formal PAD (Presentation Attack Detection) assessment, this level offers valuable insights into your system’s PAD subsystem resilience.”

Because while they are technically different, injection attack detection and presentation attack detection are intertwined. 

Does your product detect attacks?

And if you adopt a customer focus, the customer doesn’t really care about the TYPE of attack. The customer ONLY cares about the attack itself, and whether or not the vendor detected and prevented it.

Identity/biometric marketing leaders, does your product offer independent confirmation of its attack detection capabilities? If not, do you publicize your own self-assertion of detection?

Because if you DON’T explicitly address attack detection, your prospects are forced to assume that you can’t detect attacks at all. And your prospects will avoid you as dangerous and gravitate to vendors who DO assert attack detection in some way.

And you will lose money.

Regardless of whether you are in the United States, United Kingdom, or the European continent…losing money is not good.

So don’t lose money. Tell your prospects about your attack detection. Or have Bredemarket help you tell them. Talk to me.

Biometric product marketing expert. This is NOT in the United Kingdom.

Postscript: Non-iProov injection attack detection here.

Nearly $3 Billion Lost to Imposter Scams in the U.S. in 2024

(Imposter scam wildebeest image from Imagen 3)

According to the Federal Trade Commission, fraud is being reported at the same rate, but more people are saying they are losing money from it.

In 2023, 27% of people who reported a fraud said they lost money, while in 2024, that figure jumped to 38%.

In a way this is odd, since you would think that we would better detect fraud attempts now. But I guess we don’t. (I’ll say why in a minute.)

Imposter scams

The second fraud category, after investment scams, was imposter scams.

The second highest reported loss amount came from imposter scams, with $2.95 billion reported lost. In 2024, consumers reported losing more money to scams where they paid with bank transfers or cryptocurrency than all other payment methods combined.

Deepfakes

I’ve spent…a long time in the business of determining who people are, and who people aren’t. While the FTC summary didn’t detail the methods of imposter scams, at least some of these may have used deepfakes to perpetuate the scam.

The FTC addressed deepfakes two years ago, speaking of

…technology that simulates human activity, such as software that creates deepfake videos and voice clones….They can use deepfakes and voice clones to facilitate imposter scams, extortion, and financial fraud. And that’s very much a non-exhaustive list.

Creating deepfakes

And the need for advanced skills to create deepfakes has disappeared. ZD NET reported on a Consumer Reports study that analyzed six voice cloning software packages:

The results found that four of the six products — from ElevenLabs, Speechify, PlayHT, and Lovo — did not have the technical mechanisms necessary to prevent cloning someone’s voice without their knowledge or to limit the AI cloning to only the user’s voice. 

Instead, the protection was limited to a box users had to check off, confirming they had the legal right to clone the voice.

Which is just as effective as verifying someone’s identity by asking for their name and date of birth.

(Not) detecting deepfakes

And of course the identity/biometric vendor community is addressing deepfakes also. Research from iProov indicates one reason why 38% of the FTC reporters lost money to fraud:

[M]ost people can’t identify deepfakes – those incredibly realistic AI-generated videos and images often designed to impersonate people. The study tested 2,000 UK and US consumers, exposing them to a series of real and deepfake content. The results are alarming: only 0.1% of participants could accurately distinguish real from fake content across all stimuli which included images and video… in a study where participants were primed to look for deepfakes. In real-world scenarios, where people are less aware, the vulnerability to deepfakes is likely even higher.

So what’s the solution? Throw more technology at the problem? Multi factor authentication (requiring the fraudster to deepfake multiple items)? Injection attack detection? Something else?

People for Sale

News about iProov. According to Metropoler, the company discovered a dark web group in Latin America. 

The group is

“amassing a substantial collection of identity documents and corresponding facial images, specifically designed to defeat Know Your Customer (KYC) verification processes. Rather than traditional theft, these identities may have been obtained through compensated participation, with individuals willingly providing their image and documentation in exchange for payment.”

To uncover such fraudulent activity, a mere government ID to selfie comparison is not enough, since both are from a real person. You need more sophisticated checks such as liveness detection, which iProov offers. You can find iProov’s ISO 30107-3 Presentation Attack Detection Level 2 confirmation letters on iBeta’s page.

But why?

Why would anyone sell their identity, either legitimately (to the World ex Worldcoin folks) or illegitimately (to this dark web outfit)?

Sadly, desperation. If you have a basic need to eat, who cares who is using your ID and what they’re doing with it?

How Identity and Biometrics Firms Can Use Blogging to Grow Their Business

(Updated blog post count 10/23/2023)

Identity and biometrics firms can achieve quantifiable benefits with prospects by blogging. Over 40 identity and biometrics firms are already blogging. Is yours?

Four reasons for blogging

My recent post “The Secret to Beating Half of All Fortune 500 Marketers and Growing Your Business” lists 14 quantifiable benefits from the fresh content from blogging, derived from an infographic at Daily Infographic. Here are the most important four:

  1. Awareness: the average company that blogs generates 55% more website visitors.
  2. Lead generation: B2B marketers that use blogs get 67% more leads than those who do not.
  3. Conversions: marketers who have prioritized blogging are 13x more likely to enjoy positive ROI.
  4. Conversions (again): 92% of companies who blog multiple times per day have acquired a customer from their blog.

Blogging adds value.

Over 40 identity firms that are blogging

These firms (and probably many more) already recognize the value of identity blog post writing, and some of them are blogging frequently to get valuable content to their prospects and customers.

Is your firm on the list? If so, how frequently do you update your blog?

How your identity firm can start blogging

If you need help writing blog posts so that your identity/biometrics firm stands out, I, John E. Bredehoft of Bredemarket, can help.

My identity blog post writing experience benefits firms who identify individuals via fingers, faces, irises, DNA, driver’s licenses, geolocation, and many other factors and modalities. I truly am a biometric content marketing expert and an identity content marketing expert.

A few more things about my blogging offering:

By Unknown author – postcard, Public Domain, https://commons.wikimedia.org/w/index.php?curid=7691878

In most cases, I can provide your blog post via my standard package, the Bredemarket 400 Short Writing Service. I offer other packages and options if you have special needs.

Get in touch with Bredemarket

Authorize Bredemarket, Ontario California’s content marketing expert, to help your firm produce words that return results.

To discuss your identity/biometrics blog post needs further, book a meeting with me at calendly.com/bredemarket. On the questionnaire, select the Identity/biometrics industry and Blog post content.

Monitoring the #connectid hashtag

I have a long history with hashtags.

A LONG history.

Fires and parades

How long?

Back on October 23, 2007, I used my then-active Twitter account to tweet about the #sandiegofire. The San Diego fire was arguably the first mass adoption of hashtags, building upon pioneering work by Stowe Boyd and Chris Messina and acted upon by Nate Ritter and others.

From https://twitter.com/oemperor/status/358071562. Frozen peas? Long story.

The tinyurl link directed followers to my post detailing how the aforementioned San Diego Fire was displacing sports teams, including the San Diego Chargers. (Yes, kids, the Chargers used to play in San Diego.)

So while I was there at the beginning of hashtags, I’m proudest of the post that I wrote a couple of months later, entitled “Hashtagging Challenges When Events Occur at Different Times in Different Locations.” It describes the challenges of talking about the Rose Parade when someone is viewing the beginning of the parade while someone else is viewing the end of the parade at the same time. (This post was cited on PBWorks long ago, referenced deep in a Stowe Boyd post, and cited elsewhere.)

Hashtag use in business

Of course, hashtags have changed a lot since 2007-2008. After some resistance, Twitter formally supported the use of hashtags, and Facebook and other services followed, leading to mass adoption beyond the Factory Joes of the world.

Ignoring personal applications for the moment, hashtags have proven helpful for business purposes, especially when a particular event is taking place. No, not a fire in a major American city, but a conference of some sort. Conferences of all types have rushed to adopt hashtags so that conference attendees will promote their conference attendance. The general rule is that the more techie the conference, the more likely the attendees will use the conference-promoted hashtag.

I held various social media responsibilities during my years at MorphoTrak and IDEMIA, some of which were directly connected to the company’s annual user conference, and some of which were connected to the company’s attendance at other events. Obviously we pulled out the stops for our own conferences, including adopting hashtags that coincided with the conference theme.

A tweet https://twitter.com/JEBredCal/status/1124159756157849600 from the last (obviously celebratory) night of IDEMIA’s (Printrak’s) 40th conference in 2019. Coincidentally, this conference was held in San Diego.

And then when the conference organizers adopt a hashtag, they fervently hope that people will actually USE the adopted hashtag. As I said before, this isn’t an issue for the technical conferences, but it can be an issue at the semi-technical conferences. (“Hey, everybody! Gather around the screen! Someone used the conference hashtag…oh wait a minute, that’s my burner account.”)

A pleasant surprise with exhibitor/speaker adoption of the #connectID hashtag

Well, I think that we’ve finally crossed a threshold in the biometric world, and hashtags are becoming more and more acceptable.

As I previously mentioned, I’m not attending next week’s connect:ID conference in Washington DC, but I’m obviously interested in the proceedings.

So I turned to Twitter to check if anyone was using a #connectID hashtag in advance of the event. (Helpful hint: hashtags cannot include special characters such as “:” so don’t try to tweet #connect:ID; it won’t work and will appear as #connect.) Using the date-sorted search https://twitter.com/search?q=%23connectid&src=typed_query&f=live, I was expecting to see a couple of companies using the hashtag…if I was lucky.

I was pleasantly surprised to see that nearly two dozen exhibitors and speakers were using the #connectID hashtag (or referenced via the hashtag) as of the Friday before the event, including Acuity Market Intelligence, Aware, BIO-key, Blink Identity, Clearview AI, HID Global, IDEMIA, Integrated Biometrics, iProov, Iris ID, Kantara, NEC and NEC NSS, Pangiam, Paravision, The Paypers, WCC, WorldReach Software/Entrust, and probably some others by the time you read this, as well as some others that I may have missed.

And the event hasn’t even started yet.

At least some of the companies will have the presence of mind to tweet DURING the event on Tuesday and Wednesday.

Will yours be one of them?

But company adoption is only half the battle

While encouraging to me, adoption of a hashtag by a conference’s organizers, exhibitors, and speakers is only the beginning.

The true test will take place when (if) the ATTENDEES at the conference also choose to adopt the conference hashtag.

According to Terrapin (handling the logistics of conference organization), more than 2,500 people are registered for the conference. While the majority of these people are attending the free exhibition, over 750 of them are designated as “conference delegates” who will attend the speaking sessions.

How many of these people will tweet or post about #connectID?

We’ll all find out on Tuesday.

connect:ID 2021 is coming

I have not been to an identity trade show in years, and sadly I won’t be in Washington DC next week for connect:ID…although I’ll be thinking about it.

I’ve only been to connect:ID once, in 2015. Back in those days I was a strategic marketer with MorphoTrak, and we were demonstrating the MorphoWay. No, not the Morpho Way; the MorphoWay.

At connect:ID 2015.

Perhaps you’ve seen the video.

Video by Biometric Update. https://www.youtube.com/watch?v=mqfHAc227As

As an aside, you’ll notice how big MorphoWay is…which renders it impractical for use in U.S. airports, since space is valuable and therefore security features need a minimum footprint. MorphoWay has a maximum footprint…just ask the tradespeople who were responsible for getting it on and off the trade show floor.

I still remember several other things from this conference. For example, in those days one of Safran’s biometric competitors was 3M. Of course both Safran and 3M have exited the biometric industry, but at the time they were competing against each other. Companies always make a point of checking out the other companies at these conferences, but when I went to 3M’s booth, the one person I knew best (Teresa Wu) was not at the booth. Later that year, Teresa would leave 3M and (re)join Safran, where she remains to this day.

Yes, there is a lot of movement of people between firms. Looking over the companies in the connect:ID 2021 Exhibitor Directory, I know people at a number of these firms. Obviously people from IDEMIA, of course (IDEMIA was the company that bought Safran’s identity business), but I also know people at other companies, all of whom were former coworkers at IDEMIA or one of its predecessor companies:

  • Aware.
  • Clearview AI.
  • GET Group North America.
  • HID Global.
  • Integrated Biometrics.
  • iProov.
  • NEC.
  • Paravision.
  • Rank One Computing.
  • SAFR/RealNetworks.
  • Thales.
  • Probably some others that I missed.

And I know people at some of the other companies, organizations, and governmental entities that are at connect:ID this year.

Some of these entities didn’t even exist when I was at connect:ID six years ago, and some of these entities (such as Thales) have entered the identity market due to acquisitions (in Thales’ case, the acquisition of Gemalto, which had acquired 3M’s biometric business).

So while I’m not crossing the country next week, I’m obviously thinking of everything that will be going on there.

Incidentally, this is one of the last events of the trade show season, which is starting to wind down for the year. But it will ramp up again next spring (for you Northern Hemisphere folks).

Bredemarket remembers the Southern Hemisphere, even though Bredemarket only does business in the United States. https://www.youtube.com/watch?v=HtZCQiN3n50

Regardless of where you are, hopefully the upcoming trade show season will not be adversely impacted by the pandemic.