iProov joins leading cybersecurity and technology organizations with contributions in the fight against AI-driven threats
Today, iProov, the world’s leading provider of science-based biometric identity verification solutions, announced that an attack scenario demonstrated by the iProov in-house Red Team has been published by MITRE ATLAS™, the global knowledge base advancing AI security, threat mitigation, robustness, and privacy. The case study confirms a critical, high-risk vulnerability in the remote identity verification Know Your Customer (KYC) process, exposing users worldwide.
iProov’s contribution, which includes a procedure overview, demonstrates how readily available face-swapped imagery injection attacks can evade mobile KYC. The case study places iProov alongside contributions from leading cybersecurity and technology leaders, including Microsoft, NVIDIA, IBM, Intel, Cisco, Palo Alto Networks, Kaspersky, CrowdStrike, and Trend Micro, all working collaboratively to shape future defense tools and frameworks.
“The strength of MITRE ATLAS lies in the breadth and quality of the community that supports it. Contributions from across industry, academia, and government—ranging from red-team findings to operational threat insights—are essential to advancing the accuracy and completeness of the MITRE ATLAS knowledge base. When organizations openly share data and expertise, we collectively enhance the security and resilience of AI-enabled systems and the nation,” said Doug Robbins, vice president, MITRE Labs.
“We’ve seen an explosion in attack vectors relating to identity verification over the last 12 months, largely driven by advances in generative AI and the wide availability of low cost tools,” said Andrew Newell, Chief Scientific Officer, iProov. “The publication of this latest MITRE ATLAS case study is part of the vital process of identifying and documenting such methodologies. The pace of evolution is only ever likely to increase, making it essential that all organisations examine their own defences against these new tactics without delay.”
This case study validates the critical importance for organizations to seek vendors that have been tested against the recent European standard CEN 18099, which establishes rigorous testing protocols against injection attacks and represents a significant advancement in remote identity verification security standards.
Understanding the Vulnerabilities
This validation by MITRE underscores a critical security gap in the financial services, banking, and cryptocurrency sectors, where remote identity verification is mandatory for user onboarding and authentication.
The research demonstrates why active liveness solutions are particularly vulnerable:
● Active liveness detection relies on analyzing image artifacts and user movement, which sophisticated AI-generated deepfakes can now convincingly replicate.
● Substituting a mobile device’s camera with a virtual camera application allows attackers to bypass device-level security controls.
Attack Summary and Industry Impact
The security exercise conducted by the Head of iProov Red Team, Dr. Panos Papadopoulos, specifically targeted the crucial identity verification process known as Know Your Customer (KYC), commonly used by mobile applications in financial services, banking, and cryptocurrency.
The attack procedure involved several complex steps:
- Reconnaissance and Resource Development: iProov Red Team collected user identity information and high-definition facial images from online sources. They obtained Faceswap, a desktop application that uses generative AI to swap faces in a video in real time.
- Tool Acquisition: They then used Open Broadcaster Software (OBS) to stream a video. Crucially, they acquired Virtual Camera: Live Assist, an Android application that allows users to replace the device’s default camera feed with a video stream, and it operates successfully on genuine, non-rooted Android devices.
- Deepfake Generation: Using the gathered victim images, the Red Team used Faceswap to produce live deepfake videos that mimicked the victims’ appearances.
- Initial Access and Evasion: During the identity verification stage on a financial services application, the team streamed the deepfake video feed using OBS and the Virtual Camera app. This method successfully evaded the liveness system.
- Impersonation: This evasion allowed Dr. Panos Papadopoulos to authenticate under a fictitious identity, demonstrating that adversaries could gain access to a victim’s privileged systems or create fake accounts on banking or cryptocurrency apps, resulting in significant financial harm.
The Importance of Continuous Verification and Advanced Standards
iProov’s contribution, published by MITRE ATLAS, provides independent, third-party validation of critical vulnerabilities in mobile KYC identity verification systems. This research validates the importance of moving beyond vulnerable non-compliant liveness. The recent European standard CEN 18099, which establishes rigorous testing protocols for liveness detection, represents a significant advancement in biometric security standards.
Call to Collaboration
The work conducted by the iProov Red Team informs security analysts and AI developers across industries about realistic threats to AI-enabled systems, enabling more informed threat assessments and effective internal red teaming. MITRE encourages collaboration across government, industry, and academia to help shape future tool and framework developments in AI security, threat mitigation, robustness, privacy, and other critical aspects of AI assurance.
