Can a hacker open a bank account using a video of my face?

The fear that a fraudster could take a video from your social media profile and use it to open a financial account is a prevalent concern in an age of rising digital crime. News stories about AI-powered impersonation have left many consumers wondering if a simple video of their face is enough to bypass a bank's security. For enterprise and government identity architects, this question goes deeper, touching on the core principles of remote identity proofing and the technological safeguards that separate legitimate users from sophisticated attackers. The reality is that modern identity verification systems are fortified with layers of defense, making the prospect of using a simple video to create a fake face open bank account fraud scenario exceedingly difficult.

"A 2024 survey by Regula found that 49% of businesses in banking and fintech have already encountered fraud schemes using deepfakes, with average losses approaching $450,000 per incident."

Understanding presentation and injection attacks

The threat of a criminal using a fake face to open a bank account falls into a category of biometric security threats known as Presentation Attacks. A Presentation Attack is an attempt to subvert a biometric system by presenting a fake or "spoof" artifact to the sensor. This is distinct from a more complex "injection attack," where data is injected directly into the system, bypassing the camera or sensor entirely.

Simply holding a printed photo or playing a video on a screen are the most common types of presentation attacks. These are known as Level 1 and Level 2 attacks under the ISO/IEC 30107 standard, which provides the framework for Presentation Attack Detection (PAD) testing. For a financial institution to have a compliant and secure eKYC (electronic Know Your Customer) process, its identity verification system must be able to thwart these attempts.

Sophisticated liveness detection technology acts as the gatekeeper. It is designed not just to recognize a face, but to verify that it is a live, three-dimensional person present at the moment of capture. It achieves this by analyzing data that is invisible to the naked eye, ensuring that what the camera sees is a real human and not a digital or printed replica.

Attack Vector	Description	Common Detection Methodologies
Printed Photo (2D)	A static, high-resolution photograph of the victim presented to the camera.	Texture analysis, analysis of light reflection and diffusion, detection of print artifacts, color space analysis.
Video Replay (2D)	A video of the victim played back on a digital screen (phone, tablet, laptop).	Moiré pattern detection, screen bezel detection, analysis of light emissions from pixels, depth analysis.
3D Mask	A physical silicone or resin mask of the victim's face worn by the attacker.	3D depth sensing, analysis of subtle skin movements and color changes from blood flow (rPPG), thermal imaging.
Deepfake/Injection Attack	A digitally generated or altered video stream injected into the application, bypassing the physical camera.	API-level analysis, device integrity checks, cryptographic verification of the camera feed, behavioral biometrics.

How liveness technology defeats replay attacks

When a fraudster attempts to use a replayed video to open an account, liveness detection algorithms analyze a range of indicators to spot the forgery. These systems are built to recognize the subtle differences between a live human face and a recording.

• Texture and Depth: A live human face has a unique 3D shape and skin texture. Liveness systems that use stereoscopic or depth-aware cameras can immediately distinguish between a flat screen and a real, three-dimensional head.
• Light and Reflection: A digital screen emits light, whereas a human face reflects it. Advanced systems can analyze the properties of the light in the video feed to determine its source. The way light reflects off skin is fundamentally different from how it reflects off a glossy or matte screen.
• Moiré Patterns: When a camera records a digital screen, it often creates a tell-tale interference pattern known as a Moiré pattern. These wavy or distorted lines are a strong signal of a replay attack.
• Physiological Cues: The most advanced systems, known as passive liveness detectors, can detect subtle physiological signs of life. By analyzing minute, involuntary changes in skin color, these systems can detect a user's heartbeat from the video feed, a technique known as remote photoplethysmography (rPPG). A recording has no heartbeat.

Industry applications in financial services

For the financial sector, robust PAD is not just a technical requirement but a regulatory one. Global standards for Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) require banks to perform rigorous identity verification.

### eKYC and Customer Onboarding

The primary application of liveness detection is during remote account opening. To prevent fake face open bank account fraud, banks must ensure the person creating the account is who they say they are and is physically present. This protects both the institution from fraud losses and the consumer from identity theft.

### high-risk transactions

Beyond onboarding, liveness checks can be deployed to secure high-risk activities, such as large fund transfers, changes of address, or adding new payees. Re-verifying liveness at these critical points ensures the legitimate account holder is the one performing the action.

Current research and evidence

The field of Presentation Attack Detection is a constant arms race between security researchers and malicious actors. Research and testing standards provide the framework for evaluating the effectiveness of liveness detection solutions.

Leading the standardization efforts are the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). The ISO/IEC 30107 standard is the globally recognized benchmark for PAD testing, and vendors are evaluated by accredited third-party labs. Researchers like Stephanie Schuckers at Clarkson University have been instrumental in developing the testing methodologies that underpin these standards.

More recently, research has focused heavily on defending against AI-generated threats. A report on the "Deepfake Offensive Toolkit" by Sensity AI demonstrated how easily some verification systems could be fooled by injection attacks, highlighting the need for defenses that go beyond on-device camera analysis. This is where API-level injection detection becomes critical, ensuring the data stream itself has not been hijacked or replaced.

The future of liveness detection

As fraudsters adopt generative AI to create more realistic deepfakes, the defense is shifting towards passive and multimodal biometrics. Unlike active liveness, which requires users to blink, smile, or turn their head, passive liveness is frictionless. It verifies the user is real and present through a brief, seamless video capture, analyzing physiological data like rPPG without asking the user to perform any special actions. This improves user experience and reduces drop-off rates during onboarding while providing a higher level of security against advanced spoofs. The future will involve layering these passive checks with device integrity analysis and behavioral biometrics to create a comprehensive defense against even the most sophisticated fake face open bank account fraud attempts.

Frequently asked questions

Q: What is a presentation attack? A: A presentation attack is an attempt to fool a biometric system by presenting a fake artifact, such as a photo, video, or 3D mask, to the sensor. The goal is to impersonate a legitimate user.

Q: Can a simple photograph of my face fool a bank's security scan? A: No. Modern identity verification systems use liveness detection that analyzes texture, depth, light reflection, and other properties to easily distinguish a flat, static photo from a live person. This is one of the most basic presentation attacks to prevent.

Q: What is the difference between active and passive liveness detection? A: Active liveness detection requires the user to perform an action, like smiling or turning their head, to prove they are live. Passive liveness detection is frictionless, verifying the user is a live human via a short, seamless video selfie by analyzing data like subtle skin color changes from blood flow (rPPG).

Q: How does deepfake detection work during bank onboarding? A: Deepfakes are typically deployed via injection attacks, bypassing the camera. Detecting them requires a different approach than standard presentation attack detection. It involves securing the API, verifying device integrity, and ensuring the video stream is coming directly from the device camera in real-time, often using cryptographic signing.

Circadify is at the forefront of developing next-generation defenses against biometric fraud, providing enterprise-grade solutions for passive liveness and injection attack detection. To learn more about integrating these capabilities to protect your platform and users, explore our integration guide at circadify.com/solutions/fraud-detection.