Root Causes 379: AI-generated Fake IDS for KYC

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

April 18, 2024

Inexpensive and easily obtained deepfake photographs of IDs, generated by AI, are available online. These pose a problem for KYC initiatives.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanOkay. So I think we're gonna riff off an article. I think we want to talk about what's in this article, but there's probably a lot to discuss here. The article I'm looking at is, um, this is written by Jesse Coghlan. C-o-g-h-l-a-n. It's called AI Generated Fake IDs Claim To Pass Crypto Exchange KYC Are Selling For $15. And I see this on cointelegraph.com. So the basic ID is that know your customer, which is a requirement for lots of people is being defeated by inexpensive and easily obtained fake photographs of IDs that you can get online. Is that right, Jay?

Jason SorokoThis seems to be what's going on. If any of you have ever used a KYC system, a know your customer system, where basically, Tim, we're talking about trying to dismantle the difficulties in provisioning a user and knowing who they actually are. Provision them so that it's very difficult for somebody to fake, you know, being somebody else, or you have some level of assurance that they are who they are.

Tim CallanAnd you want to make that - - you also want to make that convenient and accessible, especially for people who might be geographically dispersed. Right? So that's part of this as well. Go on.

Jason SorokoThat's correct. And so I've seen KYC systems in the past where you are forced to hold up your driver's license or a passport, right up against your face, and then the system will automatically determine, hey, is this person using an ID that's not theirs? And presumably, there's some sort of face recognition going on to tell whether or not the face on the ID card or passport is different than the actual face that it's beside. And isn't it interesting, Tim, that there seems to be a service out there - and I wouldn't doubt that there's even more than the one that was talked about in this article - systems that you can upload your own image, choose another one of your liking, and it will actually generate a false ID. In fact, there was an example here of somebody who had created a false Australian passport of Donald Trump just as an example.

Tim CallanRight? Yeah. And it looks real. I've seen some pictures here and these things look completely real. You would not think for a second that you were not looking at an actual photograph of someone's actual passport.

Jason SorokoRight and that's the problem because a physical passport, let's say you're going through an airport, Tim, this fake passport would not pass muster, right? For various reasons. Because, number one, there are various other controls that have to be on a passport typically and those things have to do with just the way that the passport is constructed and various kinds of holograms and the paper that's used and all that kind of good - - the same kinds of things, similar things that are used for controlling currency, right?

Whether a currency is fake or not. So the problem is, if you take away those controls, not the least of which from a passport standpoint, is just there's a PKI element, right? There's a secure element on most passports that contain a certificate that actually is signed by a Certificate Authority. Pretty darn difficult to fake that. You don't have the checks. You're not swiping that. You're not checking for the hologram. You're not checking. These are just photographs of photographs, typically, that we're talking about here. And that's what these KYC systems are based off of and, Tim, that's one to two levels of abstraction away from the real deal, which is the heart of the problem here.

Tim CallanAnd in theory, this isn't a problem that is born with AI. Like a skillful user of Photoshop could have, in the past, could have several years ago taken a photograph of their passport and changed the picture, changed the words and gotten something that would pass muster, but the bar was much higher than it is now.

Jason SorokoThat's right, Tim and I think that's the crux of the story. And in fact, it even says in the title, right? For 15 bucks you just upload what you want and out will come something that will pass a KYC system. And once something's gotten that simple, you have to start to worry.

Tim CallanAnd this is more than KYC, right? This is a anything where an image of a passport or an ID is being used as part of the verification process. I know this is focused on KYC because this particular website is focused on, you know, Bitcoin and cryptocurrency but - - and I just recently had to apply for a Visa. I can't remember the last time I applied for a Visa to travel somewhere, and part of the process was uploading a photograph of my passport.

Jason SorokoThat's right. That's right. Yep, yep. Visa application programs and electronic visas are now becoming popular all over the world. I know that people entering Canada have to have one now as well. So it's - - I remember going to Australia not that long ago and yes, indeed, I had to upload my passport. So these - - KYC and all of its equivalents are at risk of this and goodness, I just don't have an answer right now for the KYC industry.

Tim CallanRight. And yeah, exactly. Normally on this show, we say, so what do we do about it? And I'm sitting here just flummoxed. What do we do about it? We don't want to go back to a system that requires some kind of in person physical verification. Like how on earth do you make that work? So I mean, do we go to notaries? I mean, what do we even do? And that makes it very tough. I'm trying to think. I recently had to apply for a copy of some official records from the California Department of Motor Vehicles, and I'm not there anymore. I'm in a different state. And I used an online notary, but I think even there, I talked to the person on the website, and they looked at my page and all that, but I think I still included a photograph of my passport as part of that process. So maybe you could do something with online notaries, but I'm not sure the existing system would work. I think it would have to be redone in certain ways. So this is a tough, very intractable problem.

Jason SorokoI'll even connect it, Tim, to we were not talking long ago about EIDAS 2.0 and identity wallets and I can assure you that a big part of how European identity wallets are going to work is through KYC systems.

Tim CallanYeah. Now once you get to the point where everything is digital, obviously, all this goes away, right? Because then you have cryptographically secure, PKI-based digital communication and if you could get everyone into the system and have everyone in the system with a digital wallet and be confident that it was all right, then at that point, this particular problem just vanishes. However, how do we get there? How do we move from the system we have now, which is completely centered around physical documents and migrate it to a system that we can really have that’s globally, that crosses borders, that's reliable, that’s secure, that has continuous uptime, or damn near continuous uptime, which it would need to have, in order to move to something where we could use the advantages that come with, you know, a very robust, PKI-based system and that's a phenomenally difficult problem.

Jason SorokoYeah. And it's not the least of which - - it's not - - the really hardest part of the problem is not the technology. Federation, PKI-based Federation has been around a long time, and it works. The problem is getting all the players to one table and agreeing that each of these provisioned identities that can attest to each other, you know, vouch for each other for using real simple words, that's the tough one.

And so, you know, in Canada, we've got a system where you can - - if you want to log into your tax system for the federal government, it is federated through the Canadian banks, and not every Canadian has a bank account. Therefore, there was talk about federating through telecom systems, right? People who have cell phones, etc. and if you have an account with the telephone company, cell phone company, you can actually federate through that. So those are beginnings of the answer. The problem is it very rarely all comes together. And the folks at the passport office, typically, in your respective country, typically don't want to talk to anybody because it's like, that's the crown jewels of everything, right? And they really, they, they usually don't want to play ball except in countries like Estonia, right, where, you know, within that country, everything is digital, and everything is on a blockchain and you can attest to yourself very, very easily. But, you know, Tim, there's also, there’s also some downsides to that as well, from a privacy standpoint.

Tim CallanSure. Yeah. Oh, yeah. Oh, yeah. And the risk there is incredible, right? Once you've got one system that has all the essential information for every citizen, that is the sweetest of honeypots. Right? And, you know, how effective has the technique of oh, well, we'll just beat something where the security - - we will just make something where the security won't be defeated. How well has that practice worked? Right? And so, you know, taking all of this stuff and accumulating it together in one place where it's just really, really, really enticing to a bad guy, there's a lot of risk associated with that, like, maybe we have to, but geez, there's a lot of risk associated with that.

Jason SorokoAnd, Tim, you're talking about the bad guy as if it's not the government. And I'm also saying, I think sometimes the bad guy is the government.

Tim CallanSure. And what if the bad guy is the government? Absolutely. And we've seen that happen, too.

Jason SorokoYeah. Sorry. Yeah, I'm just saying, you know, we've had many podcasts about this, where it depends on who you trust and the case of, you know, I'm logging into Canadian government tax system, and I federate through my bank. Presumably, my bank can tell how many times I log into my tax system. Am I worried about that? Well, as I sit here right now, no. I actually, I don't - - nobody has told me reason why I should worry about it. However, I bet you there's people, like at the EFF, who could give you 100 different reasons why you should not want these kinds of things overall.

And I'm sure some of them would be quite eye raising. And that's my only point is, it just depends on what you're doing and what you're federating.

Tim CallanOr we don’t even know, right? That's the other thing I think you're getting a lot from that, which is to say, you know, even if you sit and you scrutinize it now, and you can't come up with the way that this information is used to your detriment or used for some kind of exploit, if someone comes up with that tomorrow, and the information is all over the place, or they've been harvesting it in secret for a long time, then it's too late. Right? And so, so, yeah. It’s just a terrible, difficult situation. I get why KYC matters but if it's trivially easy to defeat it and if there isn't a good parent alternative, then this is a tough one.

Jason SorokoIt is. And you know, I would love if some of you who are in the KYC industry, who I guarantee you're sitting around boardrooms right now talking about this kind of thing and you've either come up with solid solutions that we haven't talked about here or, you're panicking, which you probably don't want to be talking about. But if you've got some really solid, solid ideas against this, especially for really simple provisioning systems that involve these hard documents, as Tim said, please reach out to us we'd like to hear about it.

Tim CallanYeah. Yeah. We would. And I don't know. I guess that's it, but I don't see this genie going back in the bottle. That's for sure.

Jason SorokoNo. The story is AI is making faking KYC docs really almost too easy. That's not a good trend. And Tim and I here can't come up with how do you solve that easily. I just don't have it.

Tim CallanI don't have it either. All right. Well, thank you, Jay.

Jason SorokoThank you, Tim.

Tim CallanThis has been Root Causes.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!