
Can a scammer fake my face to open a bank account?

Learn how criminals use synthetic identities and fabricated faces to open bank accounts, and why liveness detection that reads blood flow is the new security standard.

tryfacescan.com Research Team

The widespread adoption of digital banking and remote services has brought incredible convenience, but it has also opened a new and unsettling frontier for financial crime. Many people now wonder if a stolen selfie, a viral video clip, or a sophisticated AI-generated "deepfake" could be used by a scammer to impersonate them and open a financial account. The concern is no longer hypothetical. As identity verification moves from in-person checks to automated, remote processes, the fundamental challenge is to prove that the face on the screen belongs to a living, present person and not a digital fabrication.

"Unsecured U.S. credit product losses due to synthetic identity fraud were projected to reach $2.42 billion in 2023."

  • Aite-Novarica Group (now Datos Insights)

The mechanics of synthetic identity fraud for account opening

The most pervasive and challenging form of this threat is not simple identity theft, but a more complex method known as synthetic identity fraud. Unlike traditional identity theft, where a fraudster uses one person's stolen data, a synthetic identity is a carefully constructed, largely fictional persona. Criminals combine real, stolen information (most often a valid Social Security number) with fabricated details such as names, birth dates, and addresses. The SSNs often belong to individuals who don't actively use credit, such as children or recent immigrants, making the fraud harder to detect.

Opening accounts with a synthetic identity is a patient, methodical process. Fraudsters "incubate" these synthetic identities over months or even years:

  • They add the identity to various databases and directories.
  • They apply for low-risk credit, like a secured credit card.
  • They make small purchases and diligently pay the bills to build a positive credit history.

Once the synthetic identity has a "seasoned" and legitimate-looking credit file, the fraudster can strike. They apply for larger lines of credit, auto loans, or personal loans with no intention of paying them back. For financial institutions, the challenge is that the "person" applying seems real to traditional background checks and credit reporting agencies. When the time comes for the visual identity verification step in a remote account opening, the fraudster uses a presentation attack, a fake artifact presented to the camera, to match the name on the synthetic profile. This is not the SSN holder's face; it's a fabricated face, often generated by AI, that completes the illusion of the synthetic person.

Presentation attack methods compared

To defeat remote identity verification, criminals use a range of presentation attacks. The technology to counter these attacks must be able to differentiate between a live human and a sophisticated fake.

| Attack Vector | Description | Conventional Liveness Detection | rPPG-Based Liveness Detection |
| --- | --- | --- | --- |
| 2D Photo/Video Replay | Presenting a printed photo or a video of the victim on another screen. | Often effective, but can be fooled by high-resolution screens and videos. | Highly effective. Detects the complete lack of blood flow and physiological signals. |
| 3D Silicone/Resin Mask | A hyper-realistic mask molded to look like a person. | Can fool some systems that only look for 3D shape and texture. | Highly effective. The mask material does not have the light absorption properties of human skin and shows no pulse. |
| Deepfake/Synthetic Video | An AI-generated video showing a fabricated person speaking or moving. | Ineffective. Blinking or head movement requests can be performed by the AI. | Highly effective. The AI-generated video cannot replicate the subtle, consistent skin color changes caused by a real human pulse. |

Industry applications

The threat of synthetic identities paired with AI-generated faces requires a new security paradigm across the financial industry.

For banks and neobanks

For any financial institution, the account opening process is the primary defense against fraud. Integrating physiological liveness detection into the Know Your Customer (KYC) process protects the bank from significant credit losses and reputational damage. It ensures that a real, living human is creating the account, invalidating the core of the synthetic identity fraud model.

For KYC and identity verification platforms

Identity verification providers are moving beyond just document and database checks. Their value increasingly lies in providing assurance that the user is physically present and real. Offering robust presentation attack detection that can stop deepfakes and other synthetic media is becoming a critical competitive differentiator. Incorporating rPPG-based liveness adds a layer of biological proof that is extremely difficult to spoof.

For fintechs

Fintech platforms, prized for their low-friction onboarding, are prime targets for fraud. The speed of their automated processes can be exploited by criminals using synthetic identities at scale. A passive, software-based liveness solution that uses rPPG can provide a high degree of security without adding cumbersome steps or compromising the user experience that is core to the fintech value proposition.

Current research and evidence

The security standard for Presentation Attack Detection (PAD) is ISO/IEC 30107-3. This framework helps organizations classify and test against different attack types. However, the rapid advancement of generative AI is creating attack vectors that challenge traditional PAD approaches.

Research from institutions like the University of Oulu has focused on using remote photoplethysmography (rPPG) as a robust defense. A 2021 study by Liu, He, and colleagues demonstrated that analyzing the subtle skin color variations caused by blood circulation (the rPPG signal) is a powerful method for detecting presentation attacks. Deepfakes and masks do not have a human cardiovascular system and therefore cannot reproduce this physiological signal authentically. While older "active" liveness methods ask a user to blink or turn their head, actions that a deepfake can easily mimic, rPPG is a passive analysis of a biological process, making it inherently more secure.
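The check described above can be sketched in a few lines. This is an added example, not Circadify's code or the method from the cited study: it assumes the input is the per-frame mean green value of a face region, and the frame rate, heart-rate band, threshold, and sample traces are all constructed for illustration.

```python
import math
import random

FPS = 30.0               # assumed camera frame rate
PULSE_BAND = (0.7, 4.0)  # Hz, about 42-240 bpm; assumed plausible heart-rate range
THRESHOLD = 0.5          # assumed cut-off; would be tuned on labelled captures

def band_spectrum(trace, fps=FPS, band=PULSE_BAND):
    """DFT power of the mean-removed trace at each bin inside the pulse band."""
    n = len(trace)
    mean = sum(trace) / n
    x = [v - mean for v in trace]  # remove the constant skin tone
    spectrum = {}
    for k in range(1, n // 2):
        freq = k * fps / n
        if band[0] <= freq <= band[1]:
            re = sum(v * math.cos(2 * math.pi * k * i / n) for i, v in enumerate(x))
            im = sum(v * math.sin(2 * math.pi * k * i / n) for i, v in enumerate(x))
            spectrum[freq] = (re * re + im * im) / n
    return spectrum

def pulse_score(trace, fps=FPS):
    """Return (peak_bpm, share of in-band power held by the strongest bin)."""
    spectrum = band_spectrum(trace, fps)
    peak = max(spectrum, key=spectrum.get)
    return peak * 60.0, spectrum[peak] / sum(spectrum.values())

def looks_live(trace, fps=FPS):
    """True when one frequency dominates the band, as a periodic pulse would."""
    return pulse_score(trace, fps)[1] >= THRESHOLD

def constructed_trace(pulse_hz, seconds=10, fps=FPS, seed=7):
    """Constructed sample data: per-frame mean green value of a face region."""
    rng = random.Random(seed)
    frames = int(seconds * fps)
    return [120.0 + rng.gauss(0, 0.3)  # skin tone plus sensor noise
            + (0.5 * math.sin(2 * math.pi * pulse_hz * i / fps) if pulse_hz else 0.0)
            for i in range(frames)]

LIVE = constructed_trace(pulse_hz=1.2)     # 72 bpm pulse riding on the skin tone
REPLAY = constructed_trace(pulse_hz=None)  # printed photo or mask: noise only

if __name__ == "__main__":
    for name, trace in (("live", LIVE), ("replay", REPLAY)):
        bpm, share = pulse_score(trace)
        print(f"{name}: peak {bpm:.0f} bpm, share {share:.2f}, live={looks_live(trace)}")
```

A production pipeline would also need face tracking and compensation for motion and lighting changes before this step, since both can add periodic components of their own.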

The future of liveness detection

The future of identity verification is a technological arms race. As AI tools for creating synthetic media become more powerful and accessible, the methods for detecting them must evolve. Security is moving from what a person knows (passwords) or has (a phone) to who they are (biometrics). But as we've seen, even standard biometrics like a face can be faked. The next layer is proving a person is biologically alive and present. The analysis of involuntary physiological signals like the human pulse represents the frontline in this new security landscape, offering a way to validate life itself, not just an image of it.

Frequently asked questions

What is synthetic identity fraud?
Synthetic identity fraud is a type of fraud where criminals create a new, fake identity by combining a real, stolen Social Security number with fabricated personal information like a fake name and date of birth. They use this new identity to build credit and then defraud financial institutions.

Can a deepfake pass a liveness test?
It depends on the test. A deepfake can easily fool simple "active" liveness tests that ask for a blink or a head turn, as these actions can be programmed into the AI-generated video. However, it cannot pass advanced passive liveness tests that analyze physiological signals like blood flow.

How does blood flow detection stop fake faces?
Blood flow detection, using a technology called remote photoplethysmography (rPPG), analyzes the tiny, involuntary changes in skin color caused by the pulse. A photo, a mask, or an AI-generated deepfake video lacks a real, beating heart and cardiovascular system, and therefore cannot replicate this biological signal, allowing the system to identify the face as fake.

The threat posed by AI-generated faces and carefully crafted synthetic identities is one of the defining security challenges for the digital economy. Traditional methods of identity verification are no longer sufficient to combat this evolving landscape of fraud. Circadify is at the forefront of addressing this problem, developing technology that verifies biological presence as a new foundation of trust. To learn more about how physiological biometrics can secure your account opening process, explore our solutions for fraud detection at circadify.com/solutions/fraud-detection.
