TL;DR: Readily available face-swapped imagery injection can evade mobile KYC liveness checks, creating a practical path to impersonation and fraudulent account access in financial services, banking, and cryptocurrency, according to iProov’s MITRE ATLAS case study. The finding underscores that identity verification now needs continuous, attack-aware controls, not static proof-of-presence tests.
NHIMG editorial — based on content published by iProov: Deepfake Injection Evades Mobile KYC Liveness Verification
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams harden mobile KYC against deepfake injection attacks?
A: They should combine liveness testing with camera integrity checks, device validation, and fraud telemetry.
Q: Why do facial verification controls fail when synthetic media is easy to generate?
A: They fail because many deployments assume the attacker will struggle to create convincing input or alter the camera stream.
Q: What should organisations measure to know if KYC liveness is actually working?
A: They should measure resistance to replay, face-swap, and camera-substitution attempts, not just pass rates in normal user sessions.
Practitioner guidance
- Test liveness controls against injection attacks: Require red-team validation for face-swapped video, virtual camera substitution, and replay-style attacks before accepting a biometric onboarding flow as production-ready.
- Validate camera and feed provenance: Add device integrity checks, camera-source validation, and telemetry correlation so a liveness verdict is not based only on the visible image stream.
- Treat KYC as an identity lifecycle control: Connect onboarding assurance to recovery, privilege assignment, and account monitoring so a false acceptance does not become durable access.
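One way to apply the measurement answer and the first guidance item above, as an added example that is not code from iProov or from this editorial: per-attack-class acceptance rates computed from a labelled test run, feeding a release gate. The sample results, both thresholds and all function names are constructed assumptions.

```python
from collections import Counter

# Attack classes named in the guidance above; "genuine" marks real users.
ATTACK_CLASSES = ("replay", "face_swap", "camera_substitution")

# Constructed sample data: (session kind, accepted by the liveness check?)
SAMPLE_RESULTS = (
    [("genuine", True)] * 196 + [("genuine", False)] * 4
    + [("replay", False)] * 50
    + [("face_swap", True)] * 6 + [("face_swap", False)] * 44
    + [("camera_substitution", True)] * 12
    + [("camera_substitution", False)] * 38
)


def tally(results):
    """Return (attempts per kind, accepted sessions per kind)."""
    attempts = Counter(kind for kind, _ in results)
    accepted = Counter(kind for kind, ok in results if ok)
    return attempts, accepted


def acceptance_rates(results):
    """Fraction of sessions accepted, per kind present in the results."""
    attempts, accepted = tally(results)
    return {kind: accepted[kind] / attempts[kind] for kind in attempts}


def release_gate(results, max_attack_acceptance=0.0, min_attempts=30):
    """Return (ok, failures). Both thresholds are assumptions for this
    example and belong to whoever owns the onboarding risk.

    An attack class with too few attempts fails the gate: a missing
    measurement is not evidence of resistance.
    """
    attempts, accepted = tally(results)
    failures = []
    for attack in ATTACK_CLASSES:
        if attempts[attack] < min_attempts:
            failures.append(f"{attack}: only {attempts[attack]} attempts tested")
            continue
        rate = accepted[attack] / attempts[attack]
        if rate > max_attack_acceptance:
            failures.append(f"{attack}: {rate:.0%} of attempts accepted")
    return not failures, failures
```

On the constructed data the genuine-session pass rate is 98%, yet the gate fails on two attack classes, which is the gap a pass-rate-only metric hides.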
What's in the full article
iProov's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step attack procedure showing how the red team assembled the face-swap and virtual camera chain
- The procedure overview published for MITRE ATLAS case study documentation
- Why active liveness implementations remain vulnerable in banking, financial services, and cryptocurrency onboarding
- How CEN 18099 changes testing expectations for vendors and evaluators
Mobile KYC liveness verification: what identity teams are missing?
Explore further
Mobile KYC is no longer a single-point trust decision. This case study shows that identity verification now faces a compound attack chain, not just a spoofed face. Once image source, video stream, and device camera can all be manipulated, the control is validating presentation quality rather than identity truth. Practitioners should read this as a warning that onboarding assurance must be treated as a layered trust problem, not a one-time biometric event.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: Who is accountable when a fraudulent identity passes remote verification?
A: Accountability usually sits across fraud operations, identity governance, and the business owner that accepted the onboarding risk. If the verification control was not tested against realistic injection scenarios, the gap is procedural as well as technical. Governance teams should define who can approve exceptions and who owns remediation.