What happens when the ID photo isn’t real?


By Legal Futures Associate Kord

The SRA’s most recent AML report highlights a threat that only a few years ago would have seemed totally farfetched. But who among us now hasn’t heard of the looming spectre of deepfake identity fraud.

As firms move their onboarding online, one of the great advantages of in-person verification has been lost: you can no longer verify someone’s ID with your own eyes. You simply have to trust that what your client uploads to your verification platform is the real deal.

Widespread access to generative AI means that assumption no longer holds up.

Why image-based checks are losing

A convincing fake passport image, or a synthetic face that matches a stolen document, can now be produced cheaply and at speed; a static selfie can be generated or manipulated.

Even basic ‘liveness’ prompts are increasingly vulnerable to spoofing with video tools that simply did not exist when most onboarding workflows were designed.

This kind of verification still appears rigorous, but it no longer does the job for which it was intended.

Many firms still collect an image, match it to another image—probably by sight alone—and tick the necessary box. But if both images are fabricated, then the firm has just let a false identity pass by unchecked.

Worse still, it produces a clean audit trail for a client who never existed.

For a profession the SRA has identified as the highest risk for money laundering, that is serious exposure. A fraudulent client who clears onboarding is not a near miss; they are inside the firm’s systems, given legitimacy by the firm’s mistake.

From comparing images to reading documents

The strongest line of defence is to stop focusing on what a document looks like, and start reading the data encoded within it.

Passports today carry an NFC chip containing the holder’s verified details and biometric data—in this case, their face—secured by the issuing authority. Reading that chip directly, rather than photographing the page, confirms the document is genuine and unaltered, because the data itself is cryptographically signed.

While a fraudster might be able to manipulate an image of a passport page, they can’t reproduce a valid NFC chip.

Reading the chip and then pairing it with a biometric liveness check—matching an alive, present person to the verified data on the document—significantly reduces the risk of deepfake fraud.

Verification shifts from simply checking to see if two images match, towards matching them to unimpeachable data stored within the passport.

It’s a fundamentally harder problem for a fraudster to defeat.

Designing for the threat that exists now

The firms most exposed are those whose digital onboarding was designed for convenience first and verification second. But fraudsters are already ahead of the curve, so firms still relying on ‘good enough’ manual processes are increasingly getting caught out.

Kord verifies identity by reading the NFC chip in a client’s passport and matching it to the live applicant through biometric checks. It’s designed for an environment where a passing photo is no longer proof of anything.

The technology to fake an identity has moved on, and verification has to move with it.

Get in touch with Kord to find out more.

 

Associate News is provided by Legal Futures Associates.
Find out about becoming an Associate

Tags:




Loading animation