Bypassing KYC using deepfake
I am Harish SG, a security researcher studying for a Master's in Cybersecurity at UT Dallas and an AI security intern at Cisco. I previously hunted on the Microsoft Bug Bounty Program and Google VRP.
I am sharing this article for security awareness and educational purposes only. I am sharing only personal opinions, and none of these are related to my work at Cisco.
Hey guys! In this article I am gonna share how I was able to bypass KYC (Know Your Customer) checks used by some payment apps and micro banks using a real-time deepfake, and how those apps can mitigate or reduce this risk.
Disclaimer: I am not responsible if someone abuses the information in this blog against someone. I wrote this article to bring awareness among the developers of those apps and the people using those applications.
Let's get started with the article!
First, I created a deepfake using a real-time deepfake website. I am not gonna share the website, but you guys can find that website online. I used that website to swap my face with Elon Musk's face, recorded a video of facial movement, and took a picture of the same.

Then, to experiment with my idea, I needed an application or web application which allows me to upload a video or selfie image for KYC verification. I found a micro banking app on my phone which allows me to do this. Then I reverse engineered the app and figured out the API that the app uses for verification, so I decided to create a demo account with that API provider and test the API provider directly instead of the banking application.
I figured out that the API uses liveness detection and facial feature recognition to verify identity, but basically, if someone bypasses liveness detection, he can easily fake his facial identity.
Test result 1 - Successfully bypassed passive liveness detection

I found another similar API which has the same kind of functionality, so I decided to test that API.
Test result 2 - Successfully bypassed passive liveness detection

I found another similar API which has the same kind of functionality, so I decided to test that API.
Test result 3 - Failed to bypass passive liveness detection

I also got to know that some websites use deepfake detection along with liveness detection, so I tested those websites using my custom-made deepfake image and video.

Test result 1 — Successfully bypassed deepfake detection

Test result 2 — Successfully bypassed deepfake detection

Test result 3 — Successfully bypassed deepfake detection
From the above experiment we can see that I was able to bypass multiple liveness detection and deepfake detection APIs used in several applications. Let's try to find the root cause of those issues. Predominantly, most liveness detectors and deepfake detectors use a classifier algorithm. When detecting deepfakes, we should reduce bias in the classifier model, and we should also use multiple facial features and signals to detect fraud in applications. From the experiment we can conclude that 3D liveness detection works better than 2D liveness detection. Applications should also verify users with some kind of second-factor authentication along with facial authentication.
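The conclusion above (do not trust a single classifier, combine several signals, prefer 3D liveness, add a second factor) can be expressed as a fail-closed decision policy. This is an added example, not code from the article or from any KYC vendor; the signal names, thresholds and sample sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative thresholds (assumptions, not taken from any vendor or from the article).
PASSIVE_MIN, DEPTH_MIN, MATCH_MIN, DEEPFAKE_MAX = 0.90, 0.85, 0.80, 0.10

@dataclass
class KycSignals:
    passive_liveness: Optional[float]  # 2D/passive liveness, higher = more likely live
    deepfake_score: Optional[float]    # detector output, higher = more likely synthetic
    depth_liveness: Optional[float]    # 3D/active challenge, None if not performed
    face_match: Optional[float]        # selfie vs. ID document similarity
    second_factor_ok: bool = False     # e.g. OTP confirmed out of band

def decide(s: KycSignals) -> Tuple[str, List[str]]:
    """Return (decision, reasons); a missing signal never counts as a pass."""
    checks = {
        "passive_liveness": (s.passive_liveness, lambda v: v >= PASSIVE_MIN),
        "deepfake_score": (s.deepfake_score, lambda v: v <= DEEPFAKE_MAX),
        "depth_liveness": (s.depth_liveness, lambda v: v >= DEPTH_MIN),
        "face_match": (s.face_match, lambda v: v >= MATCH_MIN),
    }
    failed, missing = [], []
    for name, (value, passes) in checks.items():
        if value is None:
            missing.append(name)      # not collected: cannot approve yet
        elif not passes(value):
            failed.append(name)       # collected and below the bar
    if not s.second_factor_ok:
        missing.append("second_factor")
    if failed:
        return "reject", failed
    if missing:
        return "step_up", missing     # ask for the 3D challenge / second factor
    return "approve", []

# Constructed sessions for illustration.
SESSIONS = {
    "2d_checks_only": KycSignals(0.97, 0.03, None, 0.91),
    "all_signals": KycSignals(0.97, 0.03, 0.93, 0.91, True),
    "detector_flags": KycSignals(0.97, 0.64, 0.93, 0.91, True),
}

if __name__ == "__main__":
    for name, signals in SESSIONS.items():
        print(name, decide(signals))
```

A session that passes only the 2D classifiers, as in the tests above, is held at `step_up` rather than approved, so a passive-liveness pass alone never completes verification.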
Steps to secure an application against deepfakes
- Awareness and Education: Educate your team and users about the existence and characteristics of deepfakes. Knowing how to identify potential deepfakes is the first step in mitigation.
- Use of Detection Tools: Implement deepfake detection tools in your application. There are various AI-based solutions that can analyze videos and images to detect signs of manipulation. Regularly update these tools as deepfake technology evolves.
- Data Authentication: Employ technologies like blockchain for data authentication. Blockchain can help in verifying the authenticity of the digital assets used in your application.
- Robust Security Protocols: Implement strong security measures to prevent unauthorized access to your application. This includes regular security audits, using secure communication protocols, and employing encryption for data storage and transmission.
- Legal and Policy Measures: Establish clear policies and legal frameworks around the creation and distribution of deepfakes. This can involve user agreements that prohibit the use of your application for creating or spreading deepfakes.
- Community Vigilance: Encourage a community approach where users can report suspected deepfakes. This not only helps in quick identification but also raises community awareness.
- Collaboration with Other Entities: Work with other companies, academic institutions, and government bodies to stay ahead of deepfake technology. Collaboration can lead to the development of more effective detection and prevention strategies.
- Regular Updates and Monitoring: Continuously monitor for new types of deepfakes and update your detection methods accordingly. Deepfake technology is constantly evolving, so staying updated is crucial.
- User Verification: For applications where identity is crucial, implement strict user verification methods, such as biometric verification, to ensure that users are who they claim to be.
- Transparency and Reporting: Be transparent about your efforts to combat deepfakes and report any identified deepfakes to relevant authorities. This helps in building trust and encourages a culture of responsibility.
Thank you for reading my article
Try hacking LLM : https://github.com/harishsg993010/DamnVulnerableLLMProject
Hacking into Bard : https://infosecwriteups.com/hacking-google-bard-24f9dfa7b455
Hacking into Facial Recognition system : https://medium.com/bugbountywriteup/hacking-into-facial-recognition-system-using-generative-ai-69a741077f0e
Hacking into tesla : https://medium.com/bugbountywriteup/how-i-hacked-1000-tesla-cars-using-osint-4cd837b8c530