Proof of Concept
In today’s digital-first banking and financial services environment, eKYC (electronic Know Your Customer) processes have become crucial for secure and convenient customer onboarding and verification. While eKYC has streamlined identity verification, the emergence of eKYC spoofing—where identity verification is manipulated via deepfakes, synthetic identities, and other AI-driven forgeries—presents a significant vulnerability. This POC aims to understand the mechanics of eKYC spoofing attacks and explore innovative technologies to strengthen defenses against them.
Objective: The goal of this POC is to assess the feasibility of using advanced technologies to mitigate the risks associated with eKYC spoofing. The POC also aims to simulate potential attack vectors to better understand weaknesses in existing eKYC processes.
Challenge
The primary challenge addressed by this POC is the sophisticated threat of eKYC spoofing, where attackers use advanced tools to bypass conventional identity verification measures. Traditional methods relying on static image matching or basic liveness checks are becoming increasingly ineffective against these advanced spoofing techniques. Key issues include:
Financial Risks: Unauthorized transactions and account access leading to substantial financial losses.
Reputational Damage: Loss of customer trust due to potential high-profile breaches.
Regulatory Compliance: Potential fines and penalties due to failure in maintaining secure digital verification processes.
Approach and Methodology
Simulation of eKYC Spoofing Vulnerabilities
To understand the potential for eKYC spoofing, we used the DeepFaceLive GitHub repository and integrated OBS Studio for its virtual camera functionality.
After configuring OBS Studio with streaming platforms like Zoom and Google Meet, we selected the “OBS Virtual Camera” option, which mimics a physical webcam. This setup allowed us to feed a virtual camera stream from OBS, powered by DeepFaceLive, directly into the video platform.
Using a single photo with DeepFaceLive, the software generated a real-time video feed that made the person on camera appear as the individual in the image, creating a highly convincing illusion of identity. This demonstrated how easily face-swapping could deceive video-based eKYC systems, exposing critical vulnerabilities. To illustrate the risk, we documented the setup in a demonstration video, showing how such technology can be used to bypass identity verification systems effectively.
Technology Solutions that can eliminate such threats:
AI-Powered Facial Recognition: AI algorithms capable of detecting micro-expressions and identifying unnatural patterns in facial movements, which deepfakes often fail to replicate.
Behavioral Biometrics: Behavioral markers (e.g., keystroke patterns, mouse interactions) as secondary authentication factors, providing a more dynamic security layer.
Enhanced Liveness Detection: Biometric techniques, such as eye movement tracking and pulse detection, to confirm real-time interaction with the user.
Blockchain for Immutable Verification: Using blockchain to create a tamper-resistant ledger of identity checks, thereby complicating the forging of documents and reducing manipulation risks.
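The tamper-resistant ledger of identity checks described above rests on hash chaining, shown here as an added example that is not code from this POC. It is a single-process hash chain rather than a distributed blockchain, and the function names, record fields and sample records are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder hash that precedes the first record


def digest(prev_hash, payload):
    # Canonical JSON so the same payload always hashes to the same value.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_check(ledger, payload):
    """Append one identity-check record, linked to the previous record's hash."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"prev": prev_hash, "payload": payload,
             "hash": digest(prev_hash, payload)}
    ledger.append(entry)
    return entry


def first_tampered(ledger):
    """Return the index of the first record that fails verification, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(ledger):
        expected = digest(prev_hash, entry["payload"])
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return i
        prev_hash = entry["hash"]
    return None


def build_sample_ledger():
    # Constructed sample records; field names are illustrative only.
    ledger = []
    append_check(ledger, {"session": "s-001", "liveness": "pass", "face_match": 0.97})
    append_check(ledger, {"session": "s-002", "liveness": "fail", "face_match": 0.41})
    append_check(ledger, {"session": "s-003", "liveness": "pass", "face_match": 0.93})
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact ledger:", first_tampered(ledger))
    ledger[1]["payload"]["liveness"] = "pass"  # a failed check rewritten after the fact
    print("first bad record after edit:", first_tampered(ledger))
```

A party able to rewrite every record can recompute the whole chain, so the latest hash has to be anchored somewhere that party does not control, which is the role the distributed ledger plays. The chain protects the record of a check's outcome; it does not make the check itself any harder to spoof.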
Potential Impact
AI-Driven Facial Recognition: Improved detection of deepfake anomalies, reducing unauthorized access risks.
Behavioral Biometrics: Provided an additional security layer by analyzing user interaction patterns.
Enhanced Liveness Detection: Effective in live detection but needs refinement for diverse conditions.
Blockchain for Verification Integrity: Created a tamper-resistant record, boosting compliance and data integrity.
Real-Time Threat Simulation: Highlighted the need for adaptive, real-time defenses against spoofing threats.
Conclusion and Next Steps
eKYC spoofing presents a growing risk that demands proactive and sophisticated countermeasures. This POC lays the foundation for a multi-layered defence strategy, leveraging AI, behavioural biometrics, and blockchain. As the project progresses, further testing and industry collaboration will ensure that these findings can be refined and adapted for real-world applications. The next phase of this POC will focus on scalability testing and evaluating integration feasibility within existing banking infrastructures.