Daniel Flowe
- In a recent piece of investigative journalism, Joseph Cox described using a fake ID created with AI tools to pass KYC checks performed by a prominent document and biometric verification provider
- His experience indicates that when used alone, content-based identity verification measures, such as document and biometric verification, and facial liveness, are insufficient
- To combat AI-enabled identity fraud, content-based identity verification should be supplemented by data-based identity verification, where user-supplied images of identity documents and biometrics are verified against authoritative sources
Aza Raskin, Co-Founder of the Humane Technology Project and former Google Design Ethicist, recently spoke about the impact of generative AI on identity verification and said, “this is the year all content-based verification breaks.” A recent piece of investigative journalism, written by Joseph Cox at 404 Media, suggests that Aza may just be right.
Last year, Cox detailed his attempt to breach his own bank’s security system using a generative AI tool and a 3-second clip of his own voice. Spoiler alert: he was successful and gained full control over his own accounts with a voice recording almost anyone could have accessed [1].
In the latest article, Joseph dives deep into an underground website named OnlyFakes that generates fake IDs for just $15. He provided the service a passport photo of himself and an entirely fabricated set of personal information. The system generated a realistic looking signature to match the fabricated personally identifiable information (PII), and, within a few minutes of paying the required fee, he had a front and back image of a hyper realistic ID card that appeared to be lying on a carpeted floor. The photo on the ID matched his face – but the ID was otherwise completely synthetic.
More concerningly, he was easily able to use his new fake ID card to pass KYC checks performed by a prominent document and biometric verification provider, and then establish an account at a popular crypto exchange under his new, synthetic identity. FinCEN’s recent Financial Trend Analysis on identity-related fraud revealed how attackers frequently use impersonation tactics to move funds illicitly, and also showed how often money service businesses, such as crypto exchanges, are targeted by fraudsters.
AI algorithms are advancing at an unprecedented pace. They can create incredibly realistic fake images, videos and audio recordings, and can be used to generate believable synthetic identities. Aza Raskin says that generative AI’s capabilities are increasing not exponentially – but on a double exponential. And he points out, in a podcast on the TED network, that the ratio of AI developers to those working on AI safety is 30:1. This highlights a potentially sizeable gap between those driving AI forward, for better or worse, and those committed to establishing guardrails that promote safe use of AI tools. Financial institutions are particularly at risk. FinCEN’s FTA says that “financial institutions and other victims appeared to have more difficulty identifying impersonation when they lack an authoritative source to compare identity documentation and evidence.”
Joseph’s story and experience underscore the following: while document and biometric-based methodologies of IDV are valuable and important parts of a comprehensive approach to preventing money laundering and terrorist financing, they’re inadequate as a standalone means of proofing identities.
What we need is to enhance content-based identity verification with data-based identity verification, where user-supplied images of identity documents and biometrics are verified against authoritative sources. In this example, no matter how believable the fake ID was that OnlyFakes generated, the synthetic PII was not present in any reliable systems of record. A simple data-based verification would have prohibited this fraudulent attempt, as well as many others, to open accounts in their tracks. No one should be able to bypass KYC processes and defeat a top provider of AML technology in minutes for the cost of a movie ticket. We need more reliance on authoritative data-based identity verification to reduce these risks.
[1] Source: Vice Media
Legal Disclaimer
Republication or redistribution of LSE Group content is prohibited without our prior written consent.
The content of this publication is for informational purposes only and has no legal effect, does not form part of any contract, does not, and does not seek to constitute advice of any nature and no reliance should be placed upon statements contained herein. Whilst reasonable efforts have been taken to ensure that the contents of this publication are accurate and reliable, LSE Group does not guarantee that this document is free from errors or omissions; therefore, you may not rely upon the content of this document under any circumstances and you should seek your own independent legal, investment, tax and other advice. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon.
Copyright © 2024 London Stock Exchange Group. All rights reserved.
The content of this publication is provided by London Stock Exchange Group plc, its applicable group undertakings and/or its affiliates or licensors (the “LSE Group” or “We”) exclusively.
Neither We nor our affiliates guarantee the accuracy of or endorse the views or opinions given by any third party content provider, advertiser, sponsor or other user. We may link to, reference, or promote websites, applications and/or services from third parties. You agree that We are not responsible for, and do not control such non-LSE Group websites, applications or services.
The content of this publication is for informational purposes only. All information and data contained in this publication is obtained by LSE Group from sources believed by it to be accurate and reliable. Because of the possibility of human and mechanical error as well as other factors, however, such information and data are provided "as is" without warranty of any kind. You understand and agree that this publication does not, and does not seek to, constitute advice of any nature. You may not rely upon the content of this document under any circumstances and should seek your own independent legal, tax or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the publication and its content is at your sole risk.
To the fullest extent permitted by applicable law, LSE Group, expressly disclaims any representation or warranties, express or implied, including, without limitation, any representations or warranties of performance, merchantability, fitness for a particular purpose, accuracy, completeness, reliability and non-infringement. LSE Group, its subsidiaries, its affiliates and their respective shareholders, directors, officers employees, agents, advertisers, content providers and licensors (collectively referred to as the “LSE Group Parties”) disclaim all responsibility for any loss, liability or damage of any kind resulting from or related to access, use or the unavailability of the publication (or any part of it); and none of the LSE Group Parties will be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, howsoever arising, even if any member of the LSE Group Parties are advised in advance of the possibility of such damages or could have foreseen any such damages arising or resulting from the use of, or inability to use, the information contained in the publication. For the avoidance of doubt, the LSE Group Parties shall have no liability for any losses, claims, demands, actions, proceedings, damages, costs or expenses arising out of, or in any way connected with, the information contained in this document.
LSE Group is the owner of various intellectual property rights ("IPR”), including but not limited to, numerous trademarks that are used to identify, advertise, and promote LSE Group products, services and activities. Nothing contained herein should be construed as granting any licence or right to use any of the trademarks or any other LSE Group IPR for any purpose whatsoever without the written permission or applicable licence terms.
