TL;DR: Device farms and emulator-based attacks can automate mass account creation, inject video streams, and distort onboarding economics in fintech, crypto, and superapps, according to Oz Forensics. The governance gap is no longer face verification alone, but whether identity systems can detect synthetic device behaviour before costly biometric processing begins.
At a glance
What this is: The article explains how device farms and emulators industrialise synthetic identity fraud by automating onboarding, bypassing face-centric checks, and inflating acquisition costs.
Why it matters: This matters to IAM, fraud, and identity verification teams because the control boundary is shifting from liveness alone to device integrity, workflow placement, and fraud economics.
👉 Read Oz Forensics' analysis of device-farm fraud and emulator attacks at scale
Context
Device farms and emulators turn identity onboarding into a scale problem rather than a single-user fraud problem. In digital banking, micro-lending, superapps, and crypto exchanges, the failure mode is not just fake accounts entering the system, but synthetic traffic consuming verification capacity, subsidies, and review time before risk teams can intervene.
For identity verification teams, the real question is whether controls can separate a real device from a virtualised or automated one before biometric checks run. That is where identity governance intersects with fraud prevention: onboarding controls, device integrity checks, and liveness assurance now form one control chain rather than separate layers.
This pattern is increasingly typical in high-growth onboarding funnels, especially where conversion pressure encourages lighter checks and faster registration paths.
Key questions
Q: How should identity teams stop device-farm fraud before biometric checks run?
A: The most effective pattern is to validate device integrity before any biometric or liveness workflow starts. That means detecting emulators, rooted devices, virtual cameras, and automation signatures at the top of the onboarding flow. If suspicious sessions are rejected early, the organisation avoids paying verification costs for synthetic users and reduces the chance that fraud teams only see the abuse after the account is already created.
Q: Why do emulators create a larger fraud problem than single fake accounts?
A: Emulators turn fraud into a scale problem. A single operator can run many simultaneous onboarding sessions, automate retries, and feed synthetic video into identity checks at volume. That can distort registration metrics, exhaust review capacity, and pollute downstream risk models, which is why the control challenge is environment trust rather than isolated account review.
Q: What do security teams get wrong about liveness detection in onboarding?
A: They often treat liveness as proof that the capture source is trustworthy. In practice, injection attacks can send clean video into the app layer, so the biometric engine may see a legitimate face while the device and capture path remain untrusted. Liveness is useful, but it is not a substitute for device-level integrity controls.
Q: Who is accountable when synthetic identity fraud inflates onboarding growth?
A: Accountability should sit across identity verification, fraud operations, and product growth leadership because the harm is both security-related and financial. If synthetic users consume biometric spend, manual review time, or incentives, the issue is not only fraud prevention. It is also governance of the onboarding workflow and the metrics used to judge success.
Technical breakdown
How device farms and emulators automate onboarding at scale
Device farms are collections of physical phones controlled by automation, while emulators are software environments that mimic mobile devices on general-purpose servers. Both allow attackers to run many concurrent onboarding sessions, which makes account creation industrial rather than manual. When paired with scripted behaviour, rotating network paths, and disposable identities, they can flood registration flows with accounts that look operationally normal. The core technical point is that scale changes the defender's economics. Even weakly convincing sessions can become profitable when they are multiplied thousands of times.
Practical implication: build controls that detect abnormal session volume, device sameness, and automation patterns before identity verification begins.
Why face-centric liveness checks miss injection attacks
Presentation Attack Detection checks whether a captured face looks real by examining optical artifacts such as blur, depth, or glare. Injection attacks bypass that layer by placing a pre-recorded or AI-generated stream directly into the app or virtual camera pipeline, so the biometric engine sees clean video rather than a physical spoof. That means the system may correctly answer 'is this a face?' while failing to answer the more important question 'is this a real capture from a real device?'. The trust boundary has moved from the camera lens to the device and software layer.
Practical implication: require device integrity checks in front of biometric processing, not after it.
How fraud economics create a hidden tax on growth
The article's strongest point is that fraud here is not limited to account abuse after onboarding. Every synthetic session can consume biometric API calls, cloud processing, manual review, and marketing incentives before it is rejected. That produces a hidden tax on growth that can distort CAC, retention, and risk models at the same time. For banks and fintechs, the control problem is therefore both security and financial governance. If the workflow pays to verify bots, the organisation has already lost margin even when downstream fraud controls eventually stop the account.
Practical implication: measure fraud controls by avoided processing cost as well as prevented account creation.
Threat narrative
Attacker objective: The attacker wants to create and monetise large numbers of synthetic identities while shifting verification, incentive, and processing costs onto the target organisation.
- Entry begins with automated sessions generated through device farms or emulators that imitate legitimate mobile onboarding at scale.
- Credential or session abuse follows when virtual camera injection and scripted workflows feed synthetic video into identity verification flows.
- Impact occurs when fake users collect incentives, open fraudulent accounts, or pollute credit and growth models with non-human behaviour.
NHI Mgmt Group analysis
Synthetic identity fraud is now a device governance problem, not only a biometric one. The article shows that face matching alone does not address the real attack surface when the capture environment itself can be virtualised or automated. In identity programmes, the trust boundary has moved earlier in the workflow, before liveness and well before account approval. Practitioners should treat device integrity as a first-class identity control.
Fraud at onboarding creates governance debt because security teams end up paying to verify non-customers. The operational cost is not just fraudulent accounts, but wasted biometric calls, cloud compute, and manual review cycles. That makes the issue visible to finance and risk leaders as well as IAM and IDV teams. The named concept here is verification trust gap: a state where verification logic answers the wrong question because the device and capture layer were never validated. Practitioners should re-map controls to the device, not just the face.
High-growth identity programmes are especially exposed when conversion targets outrun control design. The article's examples in digital lending, crypto, and superapps show that growth metrics can be directly manipulated by synthetic traffic. That means governance must include business telemetry, fraud economics, and risk signalling, not only security policy. The organisations most at risk are usually the ones that optimise onboarding speed without instrumenting environment integrity. Practitioners should align fraud, IAM, and product teams around shared control thresholds.
Independent validation matters because injection detection claims are easy to overstate in identity security markets. The article uses certification language to argue for evidence over assertion, which is a useful discipline across digital identity and fraud tooling. For practitioners, this means preferring controls that can be benchmarked against recognised standards and tested in deployment conditions. Security leaders should demand proof that a control detects the environment before biometric processing starts.
The identity security market should expect more convergence between fraud detection and IAM governance. Device-based onboarding abuse sits at the boundary of identity verification, access control, and risk management, so siloed ownership will continue to fail. Where identity systems approve accounts, the question is no longer only who the user claims to be, but whether the session origin is trustworthy. Practitioners should plan for unified policy across IDV, fraud, and lifecycle governance.
What this signals
Verification trust gap: organisations that still separate identity verification from device integrity are leaving a gap that adversaries can industrialise. The practical shift is to treat the onboarding device, network path, and capture pipeline as part of the identity control plane, not as an external dependency.
The governance implication is broader than biometrics. When growth metrics can be manipulated by synthetic traffic, fraud, product, and identity teams need shared thresholds for environment trust, incentive abuse, and review escalation. That is where IAM, fraud, and risk reporting converge in a way that affects board-level reporting.
For teams building future controls, the right reference point is not just liveness accuracy but workflow placement. If a control runs after expensive verification, it is already compensating for a weaker upstream model, which is why device-first screening belongs in the onboarding path before identity decisions are made.
For practitioners
- Implement device integrity checks before liveness Place emulator, rooted-device, and virtual-camera detection ahead of biometric processing so suspicious sessions are blocked before any expensive verification is triggered. This reduces wasted API spend and prevents bots from reaching the most costly part of the onboarding workflow.
- Instrument onboarding for synthetic traffic patterns Track repeated device fingerprints, abnormal session concurrency, repeated retry patterns, and mismatch between registration velocity and downstream retention. These signals help identify device-farm behaviour even when single sessions look normal.
- Separate fraud cost from conversion reporting Report biometric spend, manual review hours, and incentive leakage alongside conversion metrics so business leaders can see the hidden tax on growth. That gives security and product teams a shared basis for deciding where friction is justified.
- Validate vendor claims against deployment conditions Test detection performance on real device stacks, network paths, and low-end handsets rather than relying only on lab certification language. The relevant question is whether the control stops automation in your actual onboarding flow.
- Align identity and fraud ownership around the same workflow Create a single control model for identity verification, account risk, and onboarding security so device-farm abuse cannot sit between team responsibilities. Shared escalation paths matter when the same abuse pattern affects both security and unit economics.
Key takeaways
- Device farms and emulators turn synthetic identity fraud into a scale and cost problem, not just a verification problem.
- The clearest failure mode is a verification trust gap, where the system validates a face without validating the device and capture path.
- Practitioners should move device integrity checks in front of biometric processing and judge controls by the fraud cost they remove, not only by accounts blocked.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST SP 800-63 and NIST CSF 2.0 set the technical controls, and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | The article centres on digital identity assurance and biometric onboarding risk. |
| GDPR | Art.32 | Biometric onboarding and identity data processing raise security and confidentiality obligations. |
| NIST CSF 2.0 | PR.AC-4 | The article is about controlling access decisions at onboarding based on trust signals. |
| MITRE ATT&CK | TA0009 , Collection; TA0010 , Exfiltration | Synthetic onboarding abuse supports account creation, incentive abuse, and downstream theft patterns. |
Ensure biometric workflows have appropriate security, minimisation, and access controls for personal data.
Key terms
- Device Farm: A device farm is a collection of physical smartphones or tablets that attackers control through automation to run many onboarding sessions at once. In fraud campaigns, it provides scale, repeatability, and a way to mimic real mobile behaviour while evading controls that only look at a single device.
- Emulator: An emulator is software that imitates a mobile device on desktop or server infrastructure. It lets attackers script large numbers of parallel sessions, inject media into identity flows, and present synthetic behaviour that can look normal unless the organisation checks the execution environment as well as the user.
- Injection Attack Detection: Injection attack detection is the process of identifying when video, sensor data, or other capture inputs are inserted into an app rather than produced by a real device and camera. It focuses on the integrity of the capture path, which is essential when liveness checks alone cannot prove physical presence.
- Verification Trust Gap: A verification trust gap exists when an identity system validates the presented evidence but fails to validate the device or capture environment that generated it. In practice, this lets synthetic sessions pass far enough to consume cost, skew metrics, or reach downstream risk logic.
What's in the full article
Oz Forensics' full article covers the operational detail this post intentionally leaves for the source:
- Exact injection attack detection checks for virtual camera drivers, emulator environments, rooted devices, and video metadata anomalies
- How the certified liveness and injection detection layers are positioned together across the onboarding workflow
- Deployment considerations for on-premise biometric processing in sovereignty or low-latency environments
- The article's practical framing of how device-based fraud changes acquisition cost, review load, and incentive leakage
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, secrets management, and identity lifecycle controls. It is designed for practitioners who need to connect identity decisions to real operational risk across modern security programmes.
Published by the NHIMG editorial team on 2026-02-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org