MITRE flags critical mobile KYC vulnerability as iProov exposes deepfake-driven attack path

A critical vulnerability in mobile Know Your Customer (KYC) processes — driven by the rapid evolution of generative AI — has been formally documented by MITRE ATLAS™, following a security exercise conducted by biometric identity firm iProov.

In a newly published case study, MITRE ATLAS, the global knowledge base for AI security and adversarial threats, detailed how face-swapped imagery injection attacks can bypass widely used mobile identity verification systems. The findings underscore mounting risks for financial services, banking, and cryptocurrency platforms that rely on remote onboarding and authentication.

The attack scenario was demonstrated by iProov’s in-house Red Team and accepted into MITRE ATLAS alongside contributions from major technology and cybersecurity firms including Microsoft, NVIDIA, IBM, Intel, Cisco, Palo Alto Networks, Kaspersky, CrowdStrike, and Trend Micro.

iProov: Deepfakes expose cracks in mobile identity checks

According to the case study, attackers can exploit weaknesses in active liveness detection, a common safeguard in mobile KYC flows.

These systems typically analyze facial movement and image artifacts — signals that sophisticated AI-generated deepfakes can now convincingly replicate.

The research showed that by substituting a smartphone’s native camera feed with a virtual camera application, attackers can evade device-level security controls and inject live deepfake video into the verification process.

“This case study confirms a high-risk vulnerability in remote identity verification,” MITRE ATLAS said, noting that the attack leverages readily available tools rather than highly specialized infrastructure.

Red team exercise demonstrates real-world impact

Executives of iProov and MITRE ATLAS

Led by Dr. Panos Papadopoulos, head of the iProov Red Team, the exercise targeted mobile KYC processes commonly used by banks, fintech platforms, and cryptocurrency apps.

The team gathered publicly available identity data and facial images, then used generative AI software to create real-time deepfake videos. Using open-source broadcasting tools and an Android virtual camera application — running on genuine, non-rooted devices — the deepfake feed was injected into a live KYC session.

The result: the liveness system was successfully bypassed, allowing the attacker to authenticate under a fictitious identity.

According to iProov, such an attack could enable criminals to open fraudulent accounts or gain access to sensitive financial services, potentially leading to significant losses.

AI-driven identity attacks accelerating

Industry experts warn that this type of attack is becoming more common as generative AI tools grow more powerful and accessible.

“We’ve seen an explosion in attack vectors relating to identity verification over the last 12 months, largely driven by advances in generative AI and the wide availability of low-cost tools,” said Andrew Newell, chief scientific officer at iProov. “The pace of evolution is only ever likely to increase, making it essential that organizations examine their defenses against these new tactics without delay.”

MITRE Labs vice president Doug Robbins said the inclusion of the case study highlights the importance of open collaboration across the AI and cybersecurity ecosystem.

“When organizations openly share data and expertise, we collectively enhance the security and resilience of AI-enabled systems,” Robbins said.

Push for stronger biometric standards

The publication also reinforces the growing importance of rigorous testing standards for biometric systems. iProov pointed to the recent European standard CEN 18099, which establishes advanced testing protocols specifically designed to detect injection attacks — marking a significant shift in how liveness technologies are evaluated.

For financial institutions and fintech providers, the findings serve as a warning against relying on legacy or non-compliant liveness solutions as digital onboarding volumes continue to rise.

Call for industry-wide collaboration

MITRE said the case study is intended to help security teams, regulators, and AI developers better understand real-world attack paths and strengthen internal red-teaming efforts.

The organization continues to encourage collaboration among government, industry, and academia to shape future frameworks for AI security, threat mitigation, robustness, and privacy.

As digital identity becomes a cornerstone of financial inclusion and digital banking, the report underscores a stark reality: without stronger standards and continuous verification, AI-powered fraud may outpace existing defenses.

Ralph Fajardo

Ralph, the Editor-in-Chief of FintechNewsPH.com, brings over 15 years of writing and editorial experience that make him a strong fit to lead the publication’s mission of delivering credible and compelling fintech stories. Before joining FintechNewsPH.com, he served as editor of Hello Philippines, a UK-based news magazine for the Filipino community abroad, where he covered stories on culture, business, and the global Filipino experience. He also contributed as a writer for The International Filipino, profiling Filipinos making an impact worldwide, and later worked as copy editor for Malaya Business Insight, one of the country’s respected business newspapers, where he refined his eye for accuracy, clarity, and style. Ralph’s editorial journey began at the University of the Philippines Diliman, where he was Editor-in-Chief of Kampus Dyornal. There, he developed a keen sense for storytelling that informs and connects — a passion that continues to define his work today. Through the years, Ralph has written across diverse subjects, from finance and technology to culture and communication, consistently weaving insight with narrative depth. His solid newsroom background and commitment to quality journalism position him to guide FintechNewsPH.com in highlighting the stories that shape the country’s rapidly evolving fintech landscape. Discover more about Ralph's professional journey on his LinkedIn profile (https://www.linkedin.com/in/raphael-fajardo-17155491/).