Can’t HackHer

Inspiration

Deepfake scams, account takeovers, and social engineering attacks have surged with increased accessibility of gen AI — and the tools banks give customers to fight back haven't kept pace. We kept asking: why does fraud detection only kick in after money moves? Why does "security" mean harassing every customer with One-Time-Passwords and bank calls to validate transfers, even in a high-stakes, time-sensitive concert ticket lottery?

What it does

Our app is a risk-gated biometric payment gateway that sits between a user and their money, asking one question per transaction: Does this actually need a challenge?

Every payment gets a real-time risk score and is judged using the transaction details and, if deemed necessary, a short video of the account owner.

How we built it

Gemini 2.0 Flash analyzes the transaction — amount, recipient familiarity, device history, velocity — and returns a risk percentage. Routine payments sail through instantly with zero friction.

When something looks off, we freeze the funds and issue a 3-second face video challenge. That challenge runs three independent ML layers simultaneously:

Deepfake Detection — analyzes frame-by-frame edge artifacts, skin-tone color anomalies, texture irregularities, and temporal inconsistency across frames. AI-generated faces flicker; real ones don't.

Optical Flow Liveness — measures non-rigid facial micro-motion. Reads the user's actual heartbeat from their webcam by detecting sub-pixel green channel oscillations in the skin caused by blood volume changes. A deepfake doesn't have a pulse.

Challenges we ran into

The bootstrapping trap. Our initial flagging logic was if len(triggers) > 0: challenge. But every first-time user has a new device and a new payee, so every single transaction triggered a challenge — including completely routine ones. We had to rethink the scoring entirely: new device or new payee alone no longer flags. Only high velocity, or high amount combined with novelty, triggers a challenge. And we seed demo users with realistic transaction history so Gemini has context to evaluate against.

Accomplishments that we're proud of

Five AI systems coordinated as one pipeline in under 3 seconds. Gemini 2.0 Flash (transaction risk + biometric decision), Presage SmartSpectra rPPG, for optical flow liveness, and Solana for blockchain, all run against the same video concurrently. The result is a single structured decision with confidence scores, reasons, and flawless bookkeeping.

What we learned

Biometric thresholds are deeply coupled to context. A liveness score of 0.4 means something completely different for a $10 transfer than for a $10,000 wire. Building a single threshold that works across the full amount and novelty space forced us to think in policy terms, not just ML terms.

What's next for Can’t HackHer

Real deepfake model weights. The FakeModel heuristic works well enough for demo but a proper EfficientNet-B4 or ViT fine-tuned on FF++ would push detection accuracy from "reasonable" to "production-grade." We have the pipeline; we just need the weights.

Built With

Submitted to

HackHERS 2026
- Winner [MLH] Best Use of Solana

Created by

1. Lead AI & ML Architect
Multi-Model Liveness Pipeline: Engineered the core backend pipeline that orchestrates five AI systems concurrently, including Deepfake Detection, rPPG (Remote Heartbeat Detection), and Optical Flow analysis.
1:1 Identity Verification (Face Matching): Implemented the advanced facial recognition engine using Qwen-VL and Gemini 1.5/2.0, enabling the system to compare a live 3D video scan against a stored 2D profile photo with sub-pixel geometric precision.
Dynamic Risk Reasoning: Authored the master "Gemini Judge" system prompt, replacing rigid numerical thresholds with LLM-based reasoning that dynamically evaluates risk relative to transaction size (e.g., being more lenient on a $10 transfer than a $10,000 wire).

2. Senior iOS Engineer
Mobile-First UX Overhaul: Led the complete redesign of the SecurePay iOS application using SwiftUI, moving from a mobile-web hybrid model to a high-performance native dashboard.
TrueDepth Camera Integration: Integrated Apple’s native AVFoundation and Vision frameworks to hook directly into the hardware's TrueDepth camera, ensuring biometric captures meet Apple’s HIG (Human Interface Guidelines) standards for FaceID.
Resilient Networking: Built the asynchronous network layer in Swift to handle local-network socket connections to the backend, enabling real-time video streaming for biometric challenges.

3. Full-Stack Systems Implementation
Video Processing Engine: Solved a critical engineering blocker by developing a custom OpenCV/NumPy decoding layer that handles varied video containers (WebM from the web, MOV from iOS) to ensure flawless backend frame-sampling.
Transaction Reliability: Refined the Python (FastAPI) backend to handle concurrent, non-blocking requests to OpenRouter and Google Generative AI, maintaining a total end-to-end verification time of under 3 seconds.
Web Frontend Enhancement: Upgraded the React/Vite web application with high-fidelity biometric capture components and detailed security score visualization (A-F grading system).

4. Security Policy & Logic
Anti-Spoofing Hardening: Implemented strict anti-spoofing filters that explicitly detect digital screen playback, printed photos, and wearable masks by cross-referencing mDNS, Optical Flow, and rPPG data.
Fraud Logic Tuning: Iteratively refined the transaction flagging logic to eliminate "bootstrapping traps," ensuring first-time users aren't erroneously blocked while maintaining a zero-trust posture for large transfers.

Varesh Patel
Aparajita Sarkar
Urvi Desai

Updates

Aparajita Sarkar started this project — Feb 22, 2026 09:56 AM EST

Leave feedback in the comments!

Log in or sign up for Devpost to join the conversation.