Automated \u201cliveness tests\u201d used by banks and other institutions to help verify users\u2019 identity can be easily fooled by deepfakes, demonstrates a new report. <\/p>\n

Security firm Sensity, which specializes in spotting attacks using AI-generated faces, probed the vulnerability of identity tests provided by 10 top vendors. Sensity used deepfakes to copy a target face onto an ID card to be scanned and then copied that same face onto a video stream of a would-be attacker in order to pass vendors\u2019 liveness tests. <\/p>\n

Liveness tests generally ask someone to look into a camera on their phone or laptop, sometimes turning their head or smiling, in order to prove both that they\u2019re a real person and to compare their appearance to their ID using facial recognition. In the financial world, such checks are often known as KYC, or \u201cknow your customer\u201d tests, and can form part of a wider verification process that includes document and bill checks. <\/p>\n

\u201cWe tested 10 solutions and we found that nine of them were extremely vulnerable to deepfake attacks,\u201d Sensity\u2019s chief operating officer, Francesco Cavalli, told The Verge<\/em>. <\/p>\n

\u201cThere\u2019s a new generation of AI power that can pose serious threats to companies,\u201d says Cavalli. \u201cImagine what you can do with fake accounts created with these techniques. And no one is able to detect them.\u201d <\/p>\n

Sensity shared the identity of the enterprise vendors it tested with The Verge<\/em>, but it requested that the names not be published for legal reasons. Cavalli says Sensity signed non-disclosure agreements with some of the vendors and, in other cases, fears it may have violated companies\u2019 terms of service by testing their software in this way.<\/p>\n

Cavalli also says he was disappointed by the reaction from vendors, who did not seem to consider the attacks significant. \u201cWe told them \u2018look you\u2019re vulnerable to this kind of attack,\u2019 and they said \u2018we do not care,\u2019\u201d he says. \u201cWe decided to publish it because we think, at a corporate level and in general, the public should be aware of these threats.\u201d<\/p>\n

The vendors Sensity tested sell these liveness checks to a range of clients, including banks, dating apps, and cryptocurrency startups. One vendor was even used to verify the identity of voters in a recent national election in Africa. (Though there\u2019s no suggestion from Sensity\u2019s report that this process was compromised by deepfakes.) <\/p>\n

Cavalli says such deepfake identity spoofs are primarily a danger to the banking system where they can be used to facilitate fraud. \u201cI can create an account; I can move illegal money into digital bank accounts of crypto wallets,\u201d says Cavalli. \u201cOr maybe I can ask for a mortgage because today online lending companies are competing with one another to issue loans as fast as possible.\u201d <\/p>\n