KYC AML Guide: the Clock shows the average reeding time of the blog12 min Read


KYC AML Guide: the Clock shows the average reeding time of the blogMarch 22, 2024

How Scammers Bypass Face ID Verification?

Identity verification services are gaining in popularity, with the IDV market expected to grow by more than 13% over the next five years. Although remote authentication makes it easier to access services that require users to verify their identity, attackers are looking for opportunities to disrupt the system. In 70% of cases, people tried to use screenshots, physical and digital masks, manipulated pictures as well as deepfakes and 3D models. As deepfakes continue to increase and regulatory scrutiny increases, companies must ensure that their facial recognition systems work flawlessly. In this blog post, we will explore the techniques scammers employ to bypass face ID verification and discuss effective strategies to fortify your defenses against such attacks.

Belal Mahmoud

KYC Product Consultant

Let’s say you open your banking application, and it prompts you to validate with Face ID. You hold up your telephone, and in no time, it perceives your face and grants you access to your account. It’s a speedy and helpful approach to dealing with your funds safely. However, there are dangers of cybercriminals tracking down ways of bypassing the face ID. As per estimates, facial scams have resulted in losses close to US$200,000. This emphasizes the need for effective KYC measures to counterfeiting fraudulent activities. Some of the methods that cybercriminals use to bypass face ID are as follows

Method 1: Face Spoofing

Using spoofing techniques scammers can make synthetic faces using advanced techniques to fool the system. Face Spoofing usually falls under the category of presentation attacks. This is a feature of facial recognition, which involves obtaining unauthorized biometric data directly or indirectly from the Internet or through hacking systems. Presentation attacks can occur in two ways: static 2D attacks or static 3D attacks.

Static 2D presentation attacks are based on two-dimensional objects such as pictures, documents, or masks. A face recognition system with minimal storage is vulnerable to well-designed 2D media. Advanced 2D attacks use a smartphone or tablet to display a series of images and create the illusion of real motion. For example, a 2D image is enough to fool the Samsung Galaxy S10 front-end system, and a pre-recorded video is enough to fool USAA Bank’s security software.

Static 3D attacks enhance deception by using 3D-printed masks, images, or face models. This allows fraudsters to bypass reliable identification systems based on multiple points or movements of facial data. Some static 3D combat uses robots that can create unique facial expressions. Currently, static 2D attacks are common spoofing attacks to bypass face ID due to the complexity of performing 3D attacks. However, as technologies such as 3D printing and robotics advance, organizations must implement security measures against these two types of attacks.

A Use of Pictures

In the age of social media, fraudsters can take a photo of almost anyone and use it to create a fake face. Therefore, if facial biometric technology does not verify certain characteristics of the image, fraudsters can use only the social media image to compromise devices and accounts. Similarly, fraudsters can access people’s bank accounts or personal information. For example, Andrew Halayko, a professor at Manitoba teacher, ended up accidentally engaging in a cryptocurrency scam when scammers utilized his picture by searching for “old white guy” on Google. His picture is used to make a fake CEO profile for the organization Centra Tech. His story is now featured in a new Netflix documentary called Bitconned.

Youtube link:

B Use of Video

You’d think it’s impossible to cheat the system when verification technology asks users to make random gestures like frowning or blinking. Unfortunately, this is not the case, because movements can be pre-recorded and some surveillance systems do not recognize pre-recorded videos. For example, as reported by CNN, a finance worker at a multinational firm pays out $25 million to a fraudster after having a video call with a fake chief financial officer.

As reported by Biometrics Update, fraudsters can use a technique called “camera injection” to insert fake videos into the system and trick biometrics and liveness detection devices. Camera injection occurs when fraudsters bypass charge-coupled device (CCD) cameras to insert pre-recorded content, real-time video streams, or content that is entirely generated using deepfake technology. If criminals bypass the verification process, they can cause serious harm by stealing identities, creating fake accounts, or conducting fraudulent transactions.

C Use of Deep Fakes

Since the start of the pandemic, the FBI has reported a 300 percent increase in cybercrimes. Almost 20% of crimes are caused by remote users inadvertently breaching security. Deep fakes use machine learning to create a fake persona or impersonate a real person using their photos and videos. Recently, a man in China sent a scammer $622,000 after making a video call he thought was with a friend. Meanwhile, any company dealing with remote customers is vulnerable to deepfakes.

Group IB researchers have distinguished another Trojan called GoldPickaxe, capable of stealing facial biometric information to make deepfake videos utilized for bypassing banking logins. This malware principally targets victims in Thailand and Vietnam.

This infographic shows the different types of deep fakes which can be used to bypass face ID verification.

D Use of Masks

There are silicone masks that are so realistic that it is impossible to tell when an impersonator is wearing them. Silicone masks can work if biometric technology doesn’t monitor skin texture, blood flow, and other characteristics. In this way, the criminals betrayed the French defense Minister and managed to steal €55 million. They did this by phoning presidents, wealthy businessmen, and charity leaders via Skype, saying they needed money to rescue kidnapped terrorists.

Also Read: What is Facial Morphing and How can KYC Solutions Prevent Morphing Attacks?

Method 2: Bypassing

Face spoofing or impersonation is not the only approach to bypass face ID. Instead, criminals exploit weaknesses in biometric systems, such as duplicating or replacing biometric data. Fraudsters use different methods, such as manipulating the phone’s camera, displaying pre-recorded videos, or using deep fake technology. In addition, if data transmissions on the Internet do not have good privacy they can be intercepted. Additionally, servers can be compromised with hacking techniques. There are three important areas of vulnerability in any liveness technology that hackers can target:

  • The device used for the liveness check.
  • The person’s biometric information is transferred to a server with an Internet connection.
  • The server is used to verify biometric data.

Also Read: How to prevent identity theft with KYC?

How to Prevent Criminals from Bypassing Face ID?

It is important to implement strong security solutions to prevent bypassing face ID. The ENISA report outlines the good practices for remote identity proofing and bypassing face ID verification scams. Here are some effective strategies:

1 Multi-Factor Authentication (MFA):

Use a multifactor authentication method that combines facial expressions with other factors, such as a password. This adds security, making it difficult for fraudsters to bypass the system.

2 Liveness Detection Technology:

Apply advanced liveness detection technology to distinguish between real and fake faces. This technology analyzes factors such as eye movement, skin texture, and blood pressure to ensure the accuracy of the scanned face.

Also Read: The Role of Liveness Detection in Anti-Spoofing

3 Anti-Spoofing Algorithm:

Advanced algorithms should be deployed that detect and counter various spoofing methods, including 2D photos, masks, or fake photos. These algorithms need to be continuously updated and refined to keep up with the spoofing techniques.

4 Biometric Data Encryption:

During the authentication process encrypts the captured biometric data to prevent unauthorized access. Strong encryption algorithms and secure transmission systems must be used to protect data while it is stored and in transit.

5 Real-Time Monitoring:

Implementation of real-time monitoring of the facial verification system to detect suspicious or inappropriate activity. This includes monitoring access logs, user behavior, and system activity to detect and respond to attempts to bypass face ID.

6 Stay Up to Date:

Regularly update the facial recognition system with the latest security improvements and fixes. This protects against known vulnerabilities and ensures that the system remains compatible with new techniques to bypass face ID.

7 User Education:

It is very important to educate users about the importance of facial biometric security and the dangers of bypassing attempts. Encourage users not to share their biometric data, use strong passwords, and raise awareness about phishing or social engineering attacks.

Choose a Liveness Solution that Keeps Hackers Out with KYC AML Guide

It is very important to choose a liveness solution to prevent fraudsters from bypassing face IDs. you can choose the right liveness solution by ensuring the solution can recognize real faces and phony stuff like masks or screens. It ought to check things like how deep a face looks such as eye reflection, skin texture, and blood flow. Test the solution by closing your eyes during authentication, using a photo, or by fooling with masks or fake video. A good solution should spot these stunts. Also, get some information about how they safeguard your information. They ought to utilize super strong encryption to prevent hackers from taking or altering your data.

At KYC AML guide we provide top-notch KYC technology buying consultancy to help you choose the best face verification software.


KYC AML Guide: the Facebook share KYC AML Guide: the Linkedin share KYC AML Guide: the Twitter share
Belal Mahmoud
KYC AML Guide: the Linkedin share

Belal possess over 8 years experience in the KYC Identity Verification industry. He has consulted KYC solutions for over 20 new economy companies at DIFC and ADGM while ensuring a seamless technical integration and helped in jurisdictional compliance audits.