Mobile KYC liveness verification: what identity teams are missing

TL;DR: Readily available face-swapped imagery injection can evade mobile KYC liveness checks, creating a practical path to impersonation and fraudulent account access in financial services, banking, and cryptocurrency, according to iProov’s MITRE ATLAS case study. The finding underscores that identity verification now needs continuous, attack-aware controls, not static proof-of-presence tests.

NHIMG editorial — based on content published by iProov: Deepfake Injection Evades Mobile KYC Liveness Verification

By the numbers:

• Only 5.7% of organisations have full visibility into their service accounts.

Questions worth separating out

Q: How should security teams harden mobile KYC against deepfake injection attacks?

A: They should combine liveness testing with camera integrity checks, device validation, and fraud telemetry.

Q: Why do facial verification controls fail when synthetic media is easy to generate?

A: They fail because many deployments assume the attacker will struggle to create convincing input or alter the camera stream.

Q: What should organisations measure to know if KYC liveness is actually working?

A: They should measure resistance to replay, face-swap, and camera-substitution attempts, not just pass rates in normal user sessions.

Practitioner guidance

• Test liveness controls against injection attacks Require red-team validation for face-swapped video, virtual camera substitution, and replay-style attacks before accepting a biometric onboarding flow as production-ready.
• Validate camera and feed provenance Add device integrity checks, camera-source validation, and telemetry correlation so a liveness verdict is not based only on the visible image stream.
• Treat KYC as an identity lifecycle control Connect onboarding assurance to recovery, privilege assignment, and account monitoring so a false acceptance does not become durable access.

What's in the full article

iProov's full analysis covers the operational detail this post intentionally leaves for the source:

• Step-by-step attack procedure showing how the red team assembled the face-swap and virtual camera chain
• The procedure overview published for MITRE ATLAS case study documentation
• Why active liveness implementations remain vulnerable in banking, financial services, and cryptocurrency onboarding
• How CEN 18099 changes testing expectations for vendors and evaluators

👉 Read iProov's MITRE ATLAS case study on deepfake injection and mobile KYC →

Mobile KYC liveness verification: what identity teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →