Online scams have always been a concern, but since the 2020 COVID-19 pandemic we have witnessed a large increase in criminal activities such as fraud, illegal transactions and identity theft, which are becoming extremely sophisticated and hard to detect for any organization operating online.
As the illegal use of deepfakes rises, adopting due diligence procedures in order to protect customers is now a priority for governments, financial institutions and businesses.
To prevent and reduce illegal transactions, national government agencies in every country require a practice known as KYC (Know Your Customer), specifically created to verify an individual’s identity online.
The interactions requiring KYC are numerous and involve almost every kind of financial transaction, from opening a bank account to purchasing a flight ticket.
Common steps in KYC solutions
KYC methods used by most businesses operating globally entail a few different steps. Usually the system includes ID verification, in which the user has to show an identification document; Face Matching, which checks that the photo on the ID document corresponds to live face images obtained through selfies; and Liveness, which consists of matching the user’s identity with that of the person in front of the camera, either by having them perform actions (active liveness) or simply by analyzing elements like depth and reflection (passive liveness).
Spoofing KYC With Deepfakes
Most businesses that rely on KYC methods are unaware that, in spite of their efforts to avoid online scams, poorly designed ID verification, Face Matching and Liveness (both active and passive) may still fail to provide sufficient security.
As technology evolves, deepfakes can easily spoof KYC systems and are becoming increasingly dangerous. Moreover, fraudsters don’t need to invest a great amount of money to be highly effective in their attacks. As demonstrated in our new report, sometimes all they need are inexpensive special phones, available on the market for a few hundred dollars, that are able to hijack the mobile camera and inject pre-made deepfake models, as happened in a giant scam against China’s taxation system in 2021.
Our Innovative Approach
As academic studies have shown, open-source face recognition models are widely exposed to deepfake attacks.
Therefore, a highly effective KYC system must include solutions that keep pace with the threats we encounter. The first step to achieve this objective is to identify the weaknesses of the most common KYC methods currently used by dozens of companies and millions of customers around the globe.
This has been the main focus of our latest report, for which we developed the industry-first Deepfake Offensive Toolkit (DOT) to perform penetration testing on KYC verification systems. With this approach, we can use a powerful tool internally, in a Red Team capacity, to improve our own identity services and develop superior security solutions.
Spotting Biometric KYC Vulnerabilities
As we explain in detail in the report, with the help of DOT we developed a four-step protocol for penetration testing commercially deployed KYC systems and verifying their real effectiveness. Our toolkit was essential for simulating digitally injected deepfake attacks, and the results were quite surprising.
Specifically, most of the commonly available services for ID verification and face matching are defenseless against face swaps. In addition, the most common Active and Passive Liveness detection methods, which are KYC techniques widely used worldwide, can easily be spoofed by deepfakes able to faithfully reproduce facial landmark movements in real time.
Based on these results, we were able to develop a game-changing approach. Our identity verification solution employs deepfake detection algorithms in every step of the process. For more information on how to fight back against deepfake KYC spoofing attempts, contact us at: email@example.com