Let’s Face It - Criminals are bypassing selfie verification in Know Your Customer processes
One of the major disruptions in the banking sector has been the introduction of online-only, usually app-based, neobanks. These banks do not offer any physical branches, but still offer a full range of banking services, including full personal accounts with withdrawals and deposits, debit cards and currency exchange. They have been extremely successful in Europe, with the largest, Revolut, boasting a revenue of $2.2bn and 45 million customers. Neobanks are often challenger banks, looking to access markets that have been under-served by traditional banks or offering new technology and features, such as allowing businesses to turn their phone into a point-of-sale machine. The introduction of neobanks has been met with some challenges: Revolut, for example, has only just received its UK banking license and is now in a transitional stage to becoming a full bank, despite being founded in 2015, almost a decade ago. One serious challenge that app-based fintech organizations of all sizes have had to face is how to meet Know Your Customer regulations.
Know Your Customer
Know Your Customer, or KYC, is an industry standard in the financial sector and an important part of customer due diligence; in many countries it is required by law. The intention behind KYC checks is to ensure that a customer has not been involved in illegal activity such as money laundering, and to evaluate the risk that a customer may pose. In a traditional retail bank with a physical branch, a customer is usually asked to bring in a range of identification documents, some of which may contain their address, date of birth or ID numbers; these can then be matched with the person in the branch and checked for legitimacy. In an app-based bank this process is usually replaced with taking photos of various forms of ID, such as a passport and driving license. While there are some innovations, such as apps that read the NFC chip in a passport, not every user will have a passport and not every country has adopted e-passports.
In a typical verification process for a new banking user, an individual will be asked to provide two forms of government-issued ID (one of which contains their address) and a utility or tax bill that confirms the address, and the photo on the ID is matched to the individual in person. In an online bank this last step is usually replaced with a selfie. On the surface this seems like a great idea: it takes advantage of the fact that we all have high-quality cameras in our pockets and reduces the need to rent costly retail space. However, combined with lax account creation requirements, it makes these banks a prime target for attackers. There are two key motivations for this attack: to create accounts from identities that don't exist, and to verify transactions made after an account compromise. It's worth noting that these techniques are not new and are actively discussed on hacking forums as tutorials, but regardless, verification bypasses are big business and are often sold via dark web marketplaces. The technique involves setting up an emulated device, replacing the camera with a virtual camera and using a picture or video of the victim.
Let me take a selfie (and use it to create a bank account)
First we will need to set up a virtual camera. The easiest way to do this is using the free software Open Broadcaster Software (OBS), a popular tool for live streaming and creating videos. When you start OBS, simply add an image to the scene, adjust it and press “Start Virtual Camera”. To find our image (or video) we can use a website like LinkedIn to find our victim and a good headshot, as below. We can adjust it as necessary, increasing or decreasing the size, or adding an extra background to make the image look more realistic.
We then need to set up our emulator. We will use Genymotion, which works well with security tools and offers a widget to change the camera input. We create a basic Android device, modelled on a Samsung A series phone, but any device will work here. When we access the media injection, initially it will be set up as our webcam, but by selecting the OBS virtual camera we can trick the phone's camera into believing that this is its camera feed. To make this more realistic we can even change the front and back cameras individually. The camera feed will then function as normal, allowing us to take photos or start up an application.
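The counterpart on the defending side is to notice that the selfie is coming from a virtual device at all. The following is an added example, not code from the article: a small Python check of the kind a KYC backend might run over the device properties the app reports, flagging well-known emulator indicators such as the Genymotion manufacturer string and the VirtualBox hardware name. The property names mirror Android's `Build` fields; the report format, the probed file paths and the sample values are assumptions made for illustration. Such heuristics are easy to tamper with on an emulated or rooted device, so they are a signal to combine with hardware-backed attestation and liveness checks, not a gate on their own.

```python
"""Score client-reported device telemetry for emulator / virtual-device indicators.

`props` is a dict of values the app read from android.os.Build (keys are the
field names); `present_files` is the subset of probed paths that exist on the
device. Both come from the client, so the result is a heuristic signal to
corroborate with server-side attestation, never proof.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hardware / product strings used by common emulators: Genymotion runs on
# VirtualBox (vbox86), the Android SDK emulator reports goldfish or ranchu.
EMULATOR_HARDWARE = {"goldfish", "ranchu", "vbox86"}
EMULATOR_MANUFACTURERS = {"genymotion", "unknown"}
EMULATOR_MODEL_HINTS = ("emulator", "android sdk built for", "google_sdk")
# Device-side sockets/pipes associated with emulator daemons. Probing these is
# an assumption made for this example; extend with your own list.
EMULATOR_FILES = {"/dev/socket/genyd", "/dev/socket/qemud", "/dev/qemu_pipe"}


@dataclass(frozen=True)
class DeviceVerdict:
    indicators: tuple[str, ...]

    @property
    def suspicious(self) -> bool:
        # Require two independent indicators before escalating; one alone is noisy.
        return len(self.indicators) >= 2


def assess_device(props: dict[str, str], present_files: set[str]) -> DeviceVerdict:
    low = {k: v.lower() for k, v in props.items()}
    found: list[str] = []
    if low.get("HARDWARE") in EMULATOR_HARDWARE:
        found.append(f"hardware={props['HARDWARE']}")
    if low.get("MANUFACTURER") in EMULATOR_MANUFACTURERS:
        found.append(f"manufacturer={props['MANUFACTURER']}")
    model = low.get("MODEL", "")
    if any(hint in model for hint in EMULATOR_MODEL_HINTS):
        found.append(f"model={props['MODEL']}")
    if low.get("FINGERPRINT", "").startswith("generic"):
        found.append("fingerprint starts with 'generic'")
    if low.get("PRODUCT", "").startswith("vbox86"):
        found.append(f"product={props['PRODUCT']}")
    for path in sorted(EMULATOR_FILES & present_files):
        found.append(f"file present: {path}")
    return DeviceVerdict(tuple(found))


# Constructed telemetry (not captured from real devices): a Genymotion virtual
# device posing as a Samsung A series phone, and an ordinary handset.
GENYMOTION_SAMPLE = {
    "MANUFACTURER": "Genymotion",
    "MODEL": "Samsung Galaxy A54",
    "HARDWARE": "vbox86",
    "PRODUCT": "vbox86p",
    "FINGERPRINT": "samsung/vbox86p/vbox86p:13/example",
}
HANDSET_SAMPLE = {
    "MANUFACTURER": "samsung",
    "MODEL": "SM-A546B",
    "HARDWARE": "example_soc",
    "PRODUCT": "a54x_example",
    "FINGERPRINT": "samsung/a54x/a54x:13/example",
}

if __name__ == "__main__":
    for name, props, files in (
        ("genymotion", GENYMOTION_SAMPLE, {"/dev/socket/genyd"}),
        ("handset", HANDSET_SAMPLE, set()),
    ):
        verdict = assess_device(props, files)
        print(name, "suspicious" if verdict.suspicious else "ok", verdict.indicators)
```

The Genymotion sample trips four indicators (hardware, manufacturer, product and the daemon socket) even though the model string imitates a real phone; the handset trips none. Because every one of these values can be rewritten by whoever controls the device, the verdict should raise the friction of the flow (step-up to a document chip read, manual review) rather than silently pass or fail it.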
However, to register new accounts you need a piece of documentation as well. Getting an image of someone’s legitimate passport or driving license is difficult, and would usually require luck or a high degree of social engineering. As these forms of ID cost money, traditional banks must offer a fee-free basic bank account, accepting a letter from a GP, council or hostel in place of proof of ID. For app-based banks this is not the case, and customers are required to show photographic ID. However, fake passports and driving licenses are nothing new, and the Home Office offers documentation on how to examine these documents. Often this requires examining the passport in person to properly review watermarks, ultraviolet marks, the feel of raised markings, and color-changing elements when the document is tilted, all of which are difficult to verify with just a photograph.
From photos to videos
The limitation of this technique is its reliance on a static image. More sophisticated approaches to identity verification require a video, usually of the head turning, such as this example from Certum. While a video can be loaded into a virtual camera in much the same way, it’s much harder to find a video of a victim turning their head left and right. However, it is not impossible to replicate this.
As generative AI video improves, it may be possible to generate a video from a static headshot, particularly if the background is very plain. However, like many AI-generated images, AI-generated videos contain artifacts: strange hair movements, backgrounds which do not make sense, lines that abruptly stop, books that suddenly disappear, and in many cases the video becomes a fever dream of colors, movement and morphing elements. This easy detection will not last forever, as AI video generation is still in its infancy. Some organizations look towards adding additional elements like voice, but this too can be cloned using off-the-shelf tools. So what can organizations do?
KYC of the future?
While it would be easy for any financial institution to simply require in-person document checks, these challenger or neobanks are disrupting the industry, and many customers prefer an app-based bank to typical banking, or aren’t served well by existing banks, whether because they are in a rural area without a high-street bank nearby, or because they want features like being able to separate their money into virtual savings pots. As traditional banks struggle to keep up, these newer banks have a lot to offer their customers. Fraud is still an ongoing discussion in the UK, as the government introduces new rules to refund fraud victims up to £85,000, half of which can come from the financial institution of the fraudster, and banks place holds on funds for four days for suspicious payments.
The UK government publishes a large amount of guidance on identity verification and on what information can be used to verify someone’s identity. Many of these solutions involve requiring additional information, such as having a user first photograph their passport and then scan it with their phone. As machine-readable passports use RFID, most phones can read passport data, and passports can contain biometric data as well as the details visible on the passport. This is often used for immigration apps, such as applying for a US ESTA or the UK ID Check app.
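As an added illustration (not code from the article): a Python validator for the machine-readable zone (MRZ) printed on a passport's data page, the part a KYC app photographs before it reads the chip. ICAO Doc 9303 defines the check digits over the MRZ fields, so a photographed document whose MRZ does not validate can be rejected before any chip read or manual review, and the document number, date of birth and expiry from the same MRZ are what the phone needs to derive the key for reading the chip (Basic Access Control). The valid sample is the published ICAO 9303 specimen (the fictional "Utopia" passport); the tampered second line, with one digit of the date of birth changed, is constructed for this example.

```python
"""Validate the MRZ of an ICAO 9303 TD3 document (passport).

A TD3 MRZ is two lines of 44 characters. Line 2 carries check digits computed
with repeating weights 7, 3, 1 over character values (digits as-is,
A=10..Z=35, '<' = 0), summed modulo 10. A final composite digit covers the
document number, date of birth and expiry fields together with their own
check digits, so a single altered character fails at least two checks.
"""
from __future__ import annotations

WEIGHTS = (7, 3, 1)


def char_value(c: str) -> int:
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> int:
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def expected_digit(c: str) -> int:
    # The optional-data check digit may be printed as '<' when the field is empty.
    return 0 if c == "<" else int(c)


def parse_td3(line1: str, line2: str) -> dict:
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    # Line 1: document type, issuing state, then surname<<given<names padded with '<'.
    names = line1[5:].rstrip("<")
    surname, _, given = names.partition("<<")
    checks = {
        "document_number": check_digit(line2[0:9]) == expected_digit(line2[9]),
        "birth_date": check_digit(line2[13:19]) == expected_digit(line2[19]),
        "expiry_date": check_digit(line2[21:27]) == expected_digit(line2[27]),
        "optional": check_digit(line2[28:42]) == expected_digit(line2[42]),
        # Composite: positions 1-10, 14-20 and 22-43 of line 2 (1-indexed).
        "composite": check_digit(line2[0:10] + line2[13:20] + line2[21:43])
        == expected_digit(line2[43]),
    }
    return {
        "document_type": line1[0:2].rstrip("<"),
        "issuing_state": line1[2:5].rstrip("<"),
        "surname": surname.replace("<", " "),
        "given_names": given.replace("<", " "),
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13],
        "birth_date": line2[13:19],   # YYMMDD
        "sex": line2[20],
        "expiry_date": line2[21:27],  # YYMMDD
        "checks": checks,
        "valid": all(checks.values()),
    }


# ICAO 9303 specimen (fictional issuing state UTO). Line 1 is padded with '<' to 44.
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed tampered copy: date of birth 740812 changed to 740813.
TAMPERED_LINE2 = "L898902C36UTO7408132F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    for label, line2 in (("specimen", SPECIMEN_LINE2), ("tampered", TAMPERED_LINE2)):
        doc = parse_td3(SPECIMEN_LINE1, line2)
        print(label, "valid" if doc["valid"] else "INVALID", doc["checks"])
```

The tampered line fails both the date-of-birth check and the composite check, which is the behaviour a KYC pipeline wants: an OCR misread or an edited scan is caught at the MRZ stage, and the values that do validate are the ones handed to the NFC read, where the chip's signed data provides the stronger evidence.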
Many organizations choose to use a third-party vendor to help manage their identity checks. These vendors specialize in Anti-Money Laundering (AML) checks and ensure that the checks are compliant with industry regulations and legal requirements. While many of these are digital, some offer in-person ID verification, such as the Post Office; with most of the UK within 10 miles of a post office, this can be an accessible option for many. When using a third party you should also be aware of the risks: ensure that contracts are in place in case of security incidents, that you have some visibility of the data passing between your application and the third party, and that the third party meets any regulatory requirements that apply to you.
In the case of transaction verification, such as the fraudulent transactions from BBC Panorama where we demonstrated these techniques, in our testing we found that the vast majority of the time we did not need to verify with a selfie; instead a code was sent to our phone number via SMS. This makes the process susceptible to SIM swapping, where your SIM is cloned in order to receive verification codes, or simply to social engineering, where the victim is asked to send the verification codes. A selfie can help prevent these attacks; on the surface a selfie requires the attacker to be in the same room as the victim, but as we have seen it can be bypassed using virtual cameras. Additionally, linking a traditional account to a neobank to easily top up the neobank should be optional. This is often what is targeted, as people keep larger amounts in their traditional bank account, and there are limited protections on this top-up process.
One of the most important factors to remember is that fraud does not stop at KYC verification, creating an account or verifying a single transaction. Once an attacker has an account they are going to use it, whether that’s to scam individuals, move money out of a linked bank account to a secondary account, or accept high-risk crypto payments. Instead of focusing simply on verification of identity, it is important to have ongoing protection: blocking transactions that are suspicious, freezing accounts, and in some cases geolocation or IP blocking. While this can be annoying for genuine users, for those that are scammed it is a valuable lifeline. Scammers place pressure on victims, stressing urgency and that actions must be taken immediately, so a hold may offer vital thinking time. Fraud is never just a single incident; it is ongoing, and its behavioral clues leave breadcrumbs for teams to follow.
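To make the "ongoing protection" above concrete, here is an added Python example (not code from the article or from any bank) of the kind of per-transaction scoring that runs after onboarding. It applies four rules drawn from the patterns the article describes: money movement on a very young account, a geolocation that does not match the country on the KYC document, an outbound transfer shortly after a top-up from a linked traditional account, and a first payment to a new payee, plus a simple 24-hour velocity cap. The rules, thresholds, account histories and event format are all assumptions constructed for the example.

```python
"""Score each account event against its history and decide allow / hold / freeze."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Account:
    account_id: str
    opened: datetime
    kyc_country: str  # country on the verified identity document


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str          # "login", "topup" (from linked traditional account) or "transfer_out"
    amount: float = 0.0
    country: str = ""  # geolocated from the client IP (assumed available)
    payee: str = ""


def score_event(account: Account, history: list[Event], ev: Event) -> tuple[int, list[str]]:
    score, reasons = 0, []
    if ev.kind in ("topup", "transfer_out") and ev.ts - account.opened < timedelta(days=7):
        score += 2
        reasons.append("money movement on an account under 7 days old")
    if ev.country and ev.country != account.kyc_country:
        score += 2
        reasons.append(f"geolocation {ev.country} differs from KYC country {account.kyc_country}")
    if ev.kind == "transfer_out":
        window = [e for e in history if ev.ts - e.ts <= timedelta(hours=24)]
        if any(e.kind == "topup" and ev.ts - e.ts <= timedelta(hours=1) for e in window):
            score += 3
            reasons.append("outbound transfer within 1h of a top-up (pass-through pattern)")
        out_24h = ev.amount + sum(e.amount for e in window if e.kind == "transfer_out")
        if out_24h > 2000:
            score += 2
            reasons.append(f"24h outbound total {out_24h:.2f} exceeds 2000")
        known_payees = {e.payee for e in history if e.kind == "transfer_out"}
        if ev.payee and ev.payee not in known_payees:
            score += 1
            reasons.append(f"first payment to payee {ev.payee}")
    return score, reasons


def decide(score: int) -> str:
    # Thresholds are illustrative; tune them against real false-positive rates.
    if score >= 6:
        return "freeze"
    if score >= 3:
        return "hold"
    return "allow"


def monitor(account: Account, events: list[Event]) -> list[tuple[Event, int, str, list[str]]]:
    history: list[Event] = []
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        score, reasons = score_event(account, history, ev)
        results.append((ev, score, decide(score), reasons))
        history.append(ev)
    return results


# Constructed histories. The first mimics a freshly opened account used as a
# pass-through: top-up from a linked account, then an immediate transfer out.
T0 = datetime(2024, 6, 1, 9, 0)
NEW_ACCOUNT = Account("acct-new", opened=T0, kyc_country="GB")
NEW_ACCOUNT_EVENTS = [
    Event(T0 + timedelta(days=1), "login", country="GB"),
    Event(T0 + timedelta(days=1, minutes=5), "topup", amount=1500.0, country="GB"),
    Event(T0 + timedelta(days=1, minutes=25), "transfer_out", amount=1500.0,
          country="GB", payee="new-payee-1"),
]
# A two-year-old account paying a known payee each month.
OLD_ACCOUNT = Account("acct-old", opened=T0 - timedelta(days=730), kyc_country="GB")
OLD_ACCOUNT_EVENTS = [
    Event(T0, "transfer_out", amount=40.0, country="GB", payee="landlord"),
    Event(T0 + timedelta(days=30), "transfer_out", amount=40.0, country="GB", payee="landlord"),
]

if __name__ == "__main__":
    for acct, evs in ((NEW_ACCOUNT, NEW_ACCOUNT_EVENTS), (OLD_ACCOUNT, OLD_ACCOUNT_EVENTS)):
        for ev, score, action, reasons in monitor(acct, evs):
            print(acct.account_id, ev.ts.isoformat(), ev.kind, score, action, reasons)
```

On the constructed data the pass-through transfer scores 6 (young account, top-up within the hour, new payee) and is frozen, while the top-up itself is only allowed with a low score and the long-standing account's rent payments sail through. The point of scoring rather than hard-blocking is the one the article makes: a hold on the suspicious transfer costs a genuine user some minutes, but for a victim being pressured in real time it is exactly the pause that breaks the scam.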