Deepfake Injection Attacks vs Presentation Attacks
A security comparison of presentation attacks and deepfake injection attacks, why both bypass liveness, and how injection attack detection closes the gap.
Identity verification fraud has split into two distinct disciplines, and most defensive programs are still built to stop only one of them. A fraudster can hold a printed photo, a replayed video, or a silicone mask in front of a camera, or they can skip the physical world entirely and feed a synthetic video stream straight into the verification pipeline. The first is a presentation attack. The second is an injection attack, and effective injection attack detection has become the deciding factor in whether an identity platform actually holds up against modern deepfake fraud. For CISO teams and identity platform providers, understanding where these two attack classes diverge is no longer academic. It dictates which controls belong in the architecture and which gaps an auditor or an attacker will find first.
Injection attacks surged roughly 9x in 2024, driven by a 28x spike in virtual camera exploits, while native virtual camera attacks alone rose 2,665% year over year, according to security reporting summarized in the 2024 Liveness Detection Security Report (FaceTec, 2024) and iProov threat analysis (2024).
Injection attack detection starts with a clear threat distinction
The cleanest way to separate the two attack types is to ask one question: did the fake reach the system through the camera, or around it? A presentation attack presents a fraudulent artifact to a genuine sensor. The camera is real, the lens captures light, and the spoof is something physical staged in front of it. An injection attack bypasses the sensor completely. The attacker uses a virtual camera driver, a manipulated SDK, an intercepted API call, or a hardware capture device to insert a pre-rendered or real-time deepfake into the data stream, so the system believes it is receiving a live capture when it is processing an entirely synthetic file.
This distinction matters because the two attacks fail for different reasons and require different countermeasures. Presentation attack detection, formalized under ISO/IEC 30107, evaluates whether the thing in front of the camera is a live human or an artifact. It looks for screen glare, moire patterns, paper texture, mask edges, and the absence of natural physiological signals. None of those defenses inspect the integrity of the data channel itself. An injected deepfake never produces screen glare because there is no screen, and it never shows paper texture because there is no paper. That is precisely why injection attack detection has emerged as a separate control layer rather than a feature of traditional liveness.
The economics reinforce the urgency. Businesses faced average losses near $500,000 per deepfake-related incident in 2024, deepfakes now account for roughly 40% of all biometric fraud, and high-quality video deepfakes evade human reviewers at alarming rates, with detection accuracy measured as low as 24.5% in controlled testing.
| Dimension | Presentation Attack | Deepfake Injection Attack |
|---|---|---|
| Attack surface | Physical space in front of a real camera | Software or hardware data channel feeding the system |
| Common methods | Printed photo, screen replay, video on a tablet, silicone or 3D mask | Virtual camera driver, SDK hooking, API interception, hardware video capture |
| What the sensor sees | A genuine capture of a fraudulent object | A fabricated stream presented as a genuine capture |
| Primary defense | Presentation attack detection (ISO/IEC 30107-3) | Injection attack detection, virtual camera detection, channel integrity checks |
| Telltale signals | Screen glare, moire, paper texture, mask seams | Missing device metadata, virtual camera enumeration, frame timing anomalies |
| Scalability for attacker | Limited, requires physical setup per attempt | High, scriptable and repeatable at volume |
| Detection standard maturity | Established (ISO/IEC 30107 family) | Emerging (ISO/IEC NP 25456 in development) |
Why both attack classes must be stopped together
A frequent and dangerous assumption is that a system certified for presentation attack detection is therefore safe against deepfakes. It is not. The two controls protect different parts of the verification chain, and an attacker only needs the unguarded one. The following points explain why a complete program treats them as parallel requirements rather than substitutes.
- A presentation attack control verifies authenticity at the lens but assumes the data after the lens is trustworthy. Injection breaks that assumption.
- Camera feed spoofing through virtual camera software is scriptable, meaning a single working method can be replayed thousands of times with different synthetic identities.
- Injection lets attackers use the highest-fidelity deepfakes available, because they no longer have to survive being filmed off a screen, which normally degrades quality and reveals artifacts.
- Presentation attacks remain common in lower-effort fraud, so removing that defense to chase injection risk simply reopens an old door.
- Regulatory and audit frameworks increasingly expect coverage of both, and a gap in either invites both fraud loss and compliance findings.
The practical takeaway for identity platform providers is that liveness and injection defense are complementary. Virtual camera detection and channel integrity verification sit alongside, not inside, classical presentation attack detection.
Industry Applications
Financial Services and eKYC
Banks and eKYC platforms absorb the largest share of deepfake fraud attempts, with 53% of financial professionals reporting deepfake scam attempts in 2024. Account opening flows are the most exposed surface because they combine high payout with fully remote, unsupervised capture. Injection attacks are especially attractive here since an automated script can attempt many synthetic identities against a single onboarding endpoint. Layering injection attack detection over existing liveness lets these platforms preserve a passive, low-friction flow while closing the channel that automated deepfake fraud depends on.
Government and remote identity proofing
Public agencies issuing credentials or enabling citizen self-service operate under high-assurance mandates and cannot rely on physical supervision. For these programs, camera feed spoofing represents a structural risk because the verification session runs on a device the agency does not control. Virtual camera attacks let an adversary present a deepfake of a real citizen or a wholly synthetic persona without ever staging a physical artifact, which means presentation-only defenses leave a measurable gap in the proofing chain.
Identity platform providers
Vendors who embed verification into other companies' products carry the heaviest burden, because their SDK is the exact component injection attackers target. Hooking an SDK or intercepting its API calls is a direct route to bypassing liveness. Providers that build injection attack detection and tamper resistance into the capture layer differentiate on security posture, and increasingly find that enterprise buyers require evidence of both presentation and injection coverage during procurement.
Current research and evidence
The standards body response confirms that injection is now treated as a distinct discipline. ISO/IEC 30107-4:2024, published in February 2024, extended presentation attack detection testing profiles to mobile devices, while a separate emerging standard, ISO/IEC NP 25456, is in development specifically to address biometric injection attack detection. The separation of these efforts signals that the field no longer considers injection a subcategory of presentation attacks.
Academic and industry research in 2024 has converged on virtual camera detection as a complementary layer. Work catalogued on arXiv on detecting video injection in remote biometric systems describes enumerating camera devices, validating capture provenance, and analyzing frame timing to distinguish a physical sensor from an injected stream. Security analyses such as the overview from scip AG (2024) document both software-based vectors, including virtual camera programs and SDK breakpoints, and hardware-based vectors using adapters connected to camera ports, underscoring that injection is not a single technique but a family of them.
The fraud telemetry supports the standards activity. Signicat reported that deepfake-driven fraud attempts rose 2,137% over three years and now represent roughly 1 in 15 fraud cases, while Entrust documented a deepfake attempt occurring every five minutes in 2024 alongside a 244% year-over-year increase in digital document forgeries. The 2024 surge in virtual camera exploits is the clearest evidence that attackers are migrating from staging physical spoofs toward injecting synthetic streams at scale.
The future of injection attack detection
Three trends will shape the next several years. First, defense will move toward provenance and channel integrity. Rather than only judging whether a face looks live, systems will verify that the pixels originated from a genuine device sensor and arrived without interception, treating the capture pipeline as part of the trust boundary. Second, passive physiological signals gain importance precisely because they are difficult to fabricate consistently inside an injected stream. Approaches that read subtle, involuntary human signals from ordinary video raise the cost of producing a convincing fake without adding user friction. Third, standards convergence around the ISO/IEC 30107 family and the forthcoming injection-focused work will let buyers demand independent evidence for both attack classes, ending the era when a single liveness certification implied total coverage.
For security leaders, the strategic shift is to stop thinking of liveness as one checkbox. The mature posture treats presentation attack detection and injection attack detection as two required, measurable controls, each tested against its own threat model.
Frequently asked questions
What is the core difference between a presentation attack and an injection attack? A presentation attack shows a fraudulent object, such as a photo, replayed video, or mask, to a real camera. An injection attack bypasses the camera entirely and feeds a synthetic video stream into the system through software or hardware. One spoofs the sensor; the other spoofs the data channel behind it.
Does presentation attack detection stop deepfake injection? No. Presentation attack detection inspects what appears in front of the lens and looks for artifacts like screen glare or paper texture. An injected deepfake never passes through a physical lens, so those signals are absent. Stopping injection requires a separate control layer focused on channel integrity and virtual camera detection.
Why are injection attacks growing faster than presentation attacks? Injection is scriptable and repeatable. Once an attacker has a working virtual camera or SDK bypass method, they can run it against thousands of synthetic identities automatically, and they can use the highest-quality deepfakes because the fake never has to survive being filmed off a screen. Reporting attributed roughly a 9x rise in injection attacks during 2024.
Are there standards that cover injection attack detection? Presentation attack detection is governed by the ISO/IEC 30107 family, including the 30107-4:2024 mobile profile. Injection attack detection is newer, with ISO/IEC NP 25456 in development specifically to address biometric injection attacks. Until it matures, buyers should request independent evidence covering both attack classes.
Circadify is building toward this combined defense model, pairing passive liveness that reads genuine human signals with controls aimed at the injection channel that deepfake fraud now exploits. Security leaders evaluating where their current stack leaves gaps can review the integration guide and run a detection assessment at circadify.com/solutions/fraud-detection.