KinCode

• 

  Initial setup for protection

• 

  checking with family to validate the call

• 

  Ready with verify in case of scam

• 

  Home Screen

• 

  Generating gemeni question for memory questions

• 

  Memory question screen

• 

  Protection setup and ready for memory questions

• 

  Parent and Family screen in single view

Inspiration

AI voice cloning has turned a 3-second clip from social media into a weapon. Scammers now call a grandparent in a perfect copy of their grandchild's voice — "I'm in jail, wire bail money, don't tell anyone" — and these "grandparent scams" stole over $2 billion from Americans in a single year.

Every instinct says: build a deepfake detector. But we realized that's a losing arms race — detection will always eventually be beaten by a better generator. So we asked a different question: how do banks actually stop fraud? They don't try to spot every fake. They verify through channels the attacker doesn't control, and they slow the money down. We built KinCode on that same principle — for families instead of banks.

What it does

KinCode is a real-time family safety net against AI impersonation scams. An adult child sets it up for their parent in minutes. When a suspicious call comes in:

1. ONE-TAP VERIFICATION — The parent taps a giant "VERIFY THIS CALL" button. An alert fires instantly to the real family member's phone, on a channel the scammer can't touch. They tap "I'm safe / not calling" and the parent's screen flashes RED ("SCAM — HANG UP") or GREEN ("Verified") in under 3 seconds.

2. RELIABLE ALARM — The family member's phone alerts them with a loud repeating alarm, vibration, and a notification — even when the KinCode tab is in the background, so they don't have to stare at the screen.

3. AI MEMORY CHALLENGE — If the family member doesn't respond, Gemini generates private verification questions from the family's shared memories ("What was our first dog's name?"). A cloned voice can't answer them.

4. COOLING-OFF CIRCUIT-BREAKER — Because scams work by manufacturing urgency, a "Freeze" button starts a visible 10-minute safety pause and can loop in the whole family — so a second human is in the loop before any money moves. This is the feature that actually saves the money.

5. AI SCAM-TACTIC ANALYZER — Paste what the caller said and Gemini names the manipulation tactics used (false urgency, isolation, false authority, financial pressure) in plain English.

It's a Progressive Web App with large-text accessibility, read-aloud, and a built-in scam-call simulator so anyone can experience the threat — and the defense — firsthand.

How we built it

• Frontend: Vite + React 19, vanilla CSS dark theme (Outfit font), built mobile-first as an installable PWA.
• Real-time backend: Firebase Realtime Database — the verification round-trip uses onValue listeners for sub-3-second sync between two phones over the internet, with security rules scoped per family.
• AI layer: Google Gemini 2.5 Flash, called through a Vercel serverless function so the API key never ships to the browser. Gemini generates the memory challenges and analyzes scam tactics; both have graceful fallbacks if the API is unavailable.
• Alerting: Web Audio API for the alarm tone (no audio file needed), the Vibration API, and the Notification API — all working while the tab is open in the background.
• Deployment: Vercel (GitHub-connected) for a live URL and serverless functions.
• We used AI coding agents (GitHub Copilot, Antigravity) and Lovable to accelerate scaffolding.

Challenges we ran into

• Avoiding the detection arms race. The hard design decision was to NOT build a deepfake detector. We had to architect protection around things the attacker fundamentally can't access — a second device and private family memories — rather than trying to tell real audio from fake.
• Browser audio restrictions. Browsers block sound until a user gesture, so a background-tab alarm can be silently muted. We added an explicit "Enable Sound Alerts" step that primes the audio context on a tap, plus a "Test Alarm" button so families confirm it works before it matters.
• Keeping the API key secure. Calling Gemini directly from React would expose the key in the browser bundle. We moved it behind a serverless proxy so it stays server-side.
• Defending our own AI. When analyzing a pasted scam message, we had to make sure the message is treated as data, not as instructions to our classifier.

Accomplishments that we're proud of

• A working, real-time two-phone demo that syncs in under 3 seconds over the internet.
• A genuinely fresh angle: protecting the individual and their money, not just detecting a fake — the same philosophy banks use, applied to families.
• The cooling-off circuit-breaker, which targets the actual mechanism of financial loss (urgency), not just the call.
• Real accessibility for the people most targeted: large text, read-aloud, giant tap targets, plain language.
• Honest security: scoped database rules, a server-side key proxy, and a threat model we can defend under questioning.

What we learned

• The best security solutions change the battlefield instead of fighting the attacker head-on. You win by removing the attacker's access, not by out-detecting them.
• Friction can be a feature. Banks deliberately slow transactions down; we applied the same idea to defeat manufactured urgency.
• The most vulnerable users need the simplest interface — one giant button beats a dashboard.
• AI is most valuable where the problem is stable (naming manipulation tactics, generating memory questions), not where it's an arms race (detecting synthetic audio).

What's next for KinCode

• True background push via Firebase Cloud Messaging so alerts arrive even when the app is fully closed.
• Real authentication to replace the pairing code, and an end-to-end encrypted memory store.
• A scam-intelligence network: anonymized, shared scam patterns so every family in the network protects every other family.
• Integration with phone carriers / call screening so verification can trigger automatically on an incoming call.
• Multi-language support for immigrant families, who are frequently targeted.

Built With

• firebase
• firebase-realtime-database
• gemini-api
• google-gemini
• javascript
• pwa
• react
• serverless
• vercel
• vite
• web-audio-api
• web-speech-api