Deepfake injection attacks bypass selfie-based identity verification at scale because virtual cameras feed synthetic video directly into the verification pipeline

Most fintech onboarding flows require a selfie or short video to verify that the person applying is real and matches their ID document. Liveness detection algorithms check for eye blinks, head turns, and depth cues to distinguish a real face from a photo or mask. But injection attacks bypass the camera entirely. Attackers use virtual camera software to feed a deepfake video stream directly into the verification API, as if it were coming from a physical camera. The deepfake passes liveness checks because it exhibits all the expected micro-movements. The verification system has no way to distinguish a synthetic video injected at the API level from a real camera feed. An Indonesian financial institution suffered 1,100 deepfake attacks against its loan application service. Companies lost $534 billion to fraud in the second half of 2025 alone. The tools are cheap: a synthetic identity costs $15 to create, a deepfake image costs $10 to $50, and face-swap software runs about $1,000 per month. At these prices, attackers can automate thousands of fraudulent account openings per day, each one backed by a convincing deepfake selfie and a synthetic identity built on a real child's or deceased person's SSN. This persists because identity verification vendors designed their systems around presentation attacks, where a fraudster holds a photo or mask up to a real camera. Injection attacks operate at a different layer of the stack, inserting synthetic data after the camera sensor, and most liveness detection algorithms do not validate the integrity of the video source. Gartner projects that by 2026, 30% of enterprises will no longer consider standard identity verification solutions reliable in isolation. The verification industry is playing catch-up against an attack vector that makes their core product, the selfie check, fundamentally unreliable.