Underwriting the Ghost: Synthetic Borrowers Disappear Without Paying

When a lender receives a loan application, it endeavors to ensure that the applicant will pay the lender back.

But even with the proper controls, a certain percentage of loans go unpaid.

Especially if the applicant looks really good on paper, but isn’t…and doesn’t even exist because it’s a synthetic identity.

PYMNTS describes the threat from deepfake borrowers:

“Across the lending industry, a new category of fraud is emerging that combines deepfake video, cloned voices, synthetic identity creation, fabricated employment histories and AI-generated financial behavior into a single engineered persona. These synthetic borrowers are not merely fake identities in the traditional sense. They are algorithmically optimized consumers designed to survive onboarding checks, satisfy underwriting models and disappear once loans are funded.”

Disappearing borrowers is not a good thing.

Know your customer.

“Underwriting the Ghost.” Synthetic man gets the loan, then he disappears. Google Gemini/Lyria. Public Domain.

A Holistic Approach to Presentation, Deepfake, and Injection Attack Detection

A recent Biometric Update article by Joel R. McConvey, which quotes heavily from a Finextra article by Victor Mendez, CMO and Co-founder of Verifyo, emphasizes that presentation attack detection (PAD, a/k/a liveness), deepfake detection, and injection attack detection (IAD) must not work in isolation, but in concert. (As a suite symphony?)

Mendez:

“[E]merging threats and cyber threats around remote proofing do not respect a single-control answer.

“Defend the camera with PAD. Defend the pipeline with IAD. Defend the document with cryptographic chip checks. Defend the decision with verifier-side signals and a reviewable evidence package. Where possible, replace the camera as the unit of evidence with an issuer-signed attestation.

“The institutions that survive the next two years of synthetic-media fraud are not the ones with the best liveness vendor. They are the ones with the best layered architecture and the best evidence trail.”

Or, to put it another way, multimodal (or multifactor if you prefer) attack detection.
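
The layered decision Mendez describes, sketched as an added example (not code from Verifyo, Finextra, or any vendor named here): each control reports independently, any failure blocks the session, a control that never ran sends it to review, and the result is wrapped in a MAC-protected evidence package. The layer names, decision policy, key and sample signals are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

REQUIRED_LAYERS = ("PAD", "IAD", "chip")  # assumed policy: the controls named in the quote

@dataclass(frozen=True)
class Signal:
    layer: str    # control that produced the result
    passed: bool
    detail: str   # human-readable reason kept for the reviewer

def _mac(body: dict, key: bytes) -> str:
    # Canonical JSON so the same body always yields the same MAC.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def decide(session_id: str, signals: list[Signal], key: bytes) -> dict:
    """Fuse independent controls into one decision plus an evidence package."""
    seen = {s.layer for s in signals}
    failed = sorted(s.layer for s in signals if not s.passed)
    missing = [layer for layer in REQUIRED_LAYERS if layer not in seen]
    if failed:
        decision = "reject"   # any single failing layer blocks the session
    elif missing:
        decision = "review"   # a control that never ran is not a pass
    else:
        decision = "accept"
    body = {"session": session_id, "decision": decision, "failed": failed,
            "missing": missing, "signals": [asdict(s) for s in signals]}
    return {**body, "mac": _mac(body, key)}

def verify_evidence(package: dict, key: bytes) -> bool:
    """Recompute the MAC so a reviewer can detect an altered package."""
    body = {k: v for k, v in package.items() if k != "mac"}
    return hmac.compare_digest(package.get("mac", ""), _mac(body, key))

# Constructed sample: the face passes liveness, but the video stream was injected.
KEY = b"constructed-demo-key"
SAMPLE = [
    Signal("PAD", True, "liveness score above threshold"),
    Signal("IAD", False, "virtual camera driver detected"),
    Signal("chip", True, "document chip signature valid"),
]

if __name__ == "__main__":
    print(json.dumps(decide("session-001", SAMPLE, KEY), indent=2))
```
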

If you offer multimodal/multifactor attack detection and want to communicate the benefits to your prospects, Bredemarket can help.

The Continuing Adventures of Will and Chad

Technically Chad Smith engaged in identity fraud on Saturday Night Live when he started giving Will Ferrell’s monologue.

But no harm was done.

And while the face modality fooled many of us, the voice modality gave Chad away. Score one for multimodal authentication.

Clifford Stoll Was Wrong AND Right

A former coworker reshared the story of Clifford Stoll investigating an accounting error and discovering a Cold War spy network. But a few years later, Stoll was wrong about the emerging Internet…and also right.

Stoll shared his views in a 1995 Newsweek article that was an amusing read after the fact.

Replacing your daily newspaper?

For example:

“The truth is no online database will replace your daily newspaper…”

Stoll lived long enough to see the decline of printed newspapers in the early 21st century.

Electronic books?

Another one:

“How about electronic publishing? Try reading a book on disc. At best, it’s an unpleasant chore: the myopic glow of a clunky computer replaces the friendly pages of a book. And you can’t tote that laptop to the beach. Yet Nicholas Negroponte, director of the MIT Media Lab, predicts that we’ll soon buy books and newspapers straight over the Internet. Uh, sure.”

Let’s pick this one apart piece by piece.

  • A book on disc? What’s a disc?
  • Yes, to some the myopic glow of an electronic book isn’t the best experience, whether on light or dark mode. But a traditional printed book cannot be read at all when you turn the lights off.
  • Stoll assumed that you would always need a laptop to read an electronic book. He did not envision dedicated electronic reading devices that were smaller than a laptop…to say nothing of “smart” phones with an “app” called “Kindle.”
  • Speaking of Amazon Kindles, you CAN buy books straight over the Internet. And music also, from a company that is no longer called Apple Computer.

So Stoll was not perfect. But he anticipated some things that we still struggle with today.

Unedited data!

“What the Internet hucksters won’t tell you is that the Internet is one big ocean of unedited data, without any pretense of completeness. Lacking editors, reviewers or critics, the Internet has become a wasteland of unfiltered data. You don’t know what to ignore and what’s worth reading.”

While many companies from Yahoo to Altavista to Google to Wikipedia to OpenAI have tried to solve this problem, it is not fully solved.

And then there’s the biggie.

Isolation!

“What’s missing from this electronic wonderland? Human contact. Discount the fawning techno-burble about virtual communities. Computers and networks isolate us from one another. A network chat line is a limp substitute for meeting friends over coffee. No interactive multimedia display comes close to the excitement of a live concert. And who’d prefer cybersex to the real thing?”

Today’s world is actually worse than the one Stoll envisioned. Not only have I conducted most of my interactions with people over chat boxes and screens, but in 2026 we are now interacting with “HAL 9000” non-person entities…and we may not even know that they aren’t human, but synthetic or deepfake identities.

Despite the benefits of remote interactions—they’ve kept me (and my former coworker) employed—Stoll’s warnings about this new world remain valid.

Wrong but right

So I wouldn’t laugh at Stoll’s derision over the emerging Internet. If you were alive in 1995, be honest: did you anticipate THIS?

Master Keys for Fingerprints and Voices

I swear I’ve written about “MasterPrints” before, but I can’t find any such article. Maybe I just discussed it internally at IDEMIA when I worked there in 2018.

Generative adversarial network produces a “universal fingerprint” that will unlock many smartphones

“Researchers at NYU and U Michigan have published a paper explaining how they used a pair of machine-learning systems to develop a “universal fingerprint” that can fool the lowest-security fingerprint sensors 76% of the time (it is less effective against higher-security sensors).

“The researchers used “generative adversarial networks” (GAN) to develop their attack: this technique uses a pair of machine learning systems, a “generator” which tries to fool a “discriminator,” to produce a kind of dialectical back-and-forth that creates fakes that are harder and harder to detect.”

While this happened over seven years ago and is probably harder to implement with today’s technology, I was reminded of this when I ran across this Biometric Update article.

Voice morphing attack blends identities to bypass voice biometrics: study

“A new research paper explores a signal-level approach to voice morphing attacks that exposes vulnerabilities in biometric voice recognition systems.

“The abstract describes Time-domain Voice Identity Morphing (TD-VIM) as “a novel approach for voice-based biometric morphing” which “enables the blending of voice characteristics from two distinct identities at the signal level.” TD-VIM allows for seamless voice morphing directly in the time domain, allowing “identity blending without any embeddings from the backbone, or reference text.””

So it, um, sounds like we not only have MasterPrints, but also MasterVoices.

Two Footballs, Two Biscuits, Two Presidents: A Cybersecurity Nightmare.

Last year I wrote about a biscuit and a football, but I wasn’t talking about the snack spread on game day.

I was talking about the tools the United States President uses (as Commander-in-Chief) for identity verification to launch a nuclear attack.

But sometimes you have to pass the football. If the President is temporarily or permanently incapacitated in an attack, the Vice President also has a football and a biscuit. Normally the Vice President’s biscuit isn’t activated, but when certain Constitutional criteria are met it becomes operative.

Other than this built-in redundancy, the system assumes one football, one biscuit, and one President.

If you’re a cybersecurity expert, you know this assumption is the assumption of a fool.

  • It is not impossible to have duplicate functional footballs and duplicate functional biscuits.
  • And it is not impossible to have duplicate functional Presidents, with identical face, voice, finger, and iris biometrics. Yes, it’s highly unlikely, but it’s not impossible. If the target is important enough, adversaries will spend the money.

And most of us will never know the answer to this question, but how do government cybersecurity experts prevent this?

On Misteaks

This morning I loudly proclaimed that three companies had received independent assessments of conformance to Level 3 Presentation Attack Detection (liveness detection).

This is important, because Level 3 conveys an enhanced certainty that the face the software sees (the face that is “presented”) is a real face and not some type of deepfake.

And as I loudly proclaimed, products from three companies had received the Level 3 designation.

But I was wrong.

As I noted several hours later, FOUR companies have received that PAD Level 3 designation: Aware, FaceTec, Paravision, and Yoti.

There are three ways to correct a mistake:

  • Don’t. Keep the incorrect information.
  • Quietly correct the mistake without admitting it. Change “three” to “four,” and you’re done with no one the wiser.
  • Admit the mistake. “Yeah, I originally said three, but it’s really four.”

I chose the third option, just in case someone remembers that I initially said three.