65 comments

[ 3.0 ms ] story [ 120 ms ] thread
Nitpick! It could make remote KYC effectively useless. Banks and other mainstream financial institutions can just make you visit a branch for them to open your account and / or providing you new services. In turn, those institutions could provide federation of identification to smaller entities.
That federation kind of exists in some countries already (e.g., in some Scandinavian countries, I believe).
Exists for a lot of banks in the US as well.

Many people had to go physically into a bank branch (half of them were closed) and show ID when BMO bought Bank of the West. Your cards and electronic banking didn't work until they were reissued, which required physical presence.

God forbid, you were traveling out of country.

A lot of financial institutions loosened up in-person requirements during COVID. But, at least in the case of my brokerage where I don't have an advisor I know, they've reinstituted going into an office for certain types of transactions. You can use a Medallion Signature as an alternative but you're still going into a bank branch, only certain branches can do it, and it didn't work the one time I tried and I ended up driving to a brokerage branch anyway.
Yet another reason to travel with multiple credit cards not all issued by the same institution.

ADDED: And there are a number of such reasons even if you consider this one an edge case. I have absolutely triggered fraud detection when traveling and most banks don't even want you to enter your travel plans any longer. (And I've even had a trivial purchase rejected in the US when traveling--admittedly this hasn't happened recently.)

The majority (all?) EU countries have a government sanctioned identity system.

It’s always either a government approved agency or bank that does the initial identity verification.

The EU will also eventually force all of them to be interoperable.

> Banks and other mainstream financial institutions can just make you visit a branch

Most financial institutions I'm dealing with don't have branches. The ones that do are offering atrocious savings rates and charge high monthly fees for their zero-interest checking accounts.

> In turn, those institutions could provide federation of identification to smaller entities.

Do you seriously expect these same entities to willingly become federated identity verification providers for their direct competitors?

More by force of law than willingly, really. Similar to what PSD2 defined in Europe. If they can charge for it, then the financial institutions that you deal with have an economically interesting tool against GenAI!
Just wait until AI-powered android in the real world. We only need the movements to be simulated properly, the speech is already there.
What I find slightly weird is that this has been technically possible with a combination of modern cryptography and physical infrastructure for decades but it's still so incipient.
(comment deleted)
KYC = "Know Your Customer"

I think a rule for all submissions, that use acronyms and initialisms, should include the definition of those in the extra submission text.

Helpful for a significant portion of readers in this case, but tough to make this a general rule without using some judgement. For example, it would probably be overkill to define "AI" in every submission.
Oh, yeah, that's a good point. There would need to be a list of common ones to skip.

Or use an acronym LLM to fill as an extension to Firefox! (Since everything "has" to be a model nowadays)

we can do this easily in photoshop now as well right ? Its just FUD IMHO
My boss had a KYC experience that involved uploading a short selfie video in which he had to turn his head/blink, smile, etc. This was recently, and in addition to the "photo of yourself holding a document with your photo in it" check.

I don't know enough about GenAI or the KYC process to say whether or not that could be faked, but I'm confident saying that with only traditional tools it's a barrier that would stop all but the most sophisticated actors.

> an attacker could download a selfie of a person, edit it with generative AI tools and use the manipulated ID image to pass a KYC test.

Surely these ID checking services validate the passport/driving licenses with the issuing authorities, validate address through multiple sources etc.

I know zipcar/streetcar in the UK validated driving licenses through the DVLC.

How would you validate a passport with an issuing authority? That's not a thing, at least it's not very common.
Passport offices/departments/bureaus/etc... will gladly verify it's real and bonafide, for a fee. At least in the countries I'm aware of.
What if the passport office is in a different country?
In many cases, I would assume a foreign passport is not considered acceptable government-issued photo ID.
What other ID would a company that does business globally (eg, a cloud server provider) accept?
Sure if you live in a racially homogenous country like North Korea, everywhere else of course it is, how else would non-nationals prove their identity?
Non-nationals may not be able to do certain types of transactions like opening a bank account at many banks. For trivial things like age verification for alcohol purchase I expect most stores/bars would be fine; presumably no one is forging a passport so they can get a drink. And obviously, in general, places like hotels can fulfill any legal requirements by accepting a passport as ID.

As for organizations like AWS, they presumably have a business presence of some sort in countries where they do business and are setup to verify identity in those countries if they so choose. They also presumably don't have the same degree of KYC requirements that a bank does.

> Non-nationals may not be able to do certain types of transactions like opening a bank account at many banks.

Although many banks in the US can't be bothered to do KYC for non-residents, some certainly allow it. I've done it myself.

Outside the US, opening an account as a non-citizen is very common and usually not a problem at all. In the EU, it would even be illegal to only accept citizens as customers.

Yes, I was speaking specifically of the US.

I'm sure it's possible with a lot of bigger banks. As you say, I assume a lot of smaller, local banks consider it a headache not worth it as the profit to them is miniscule.

What context are we talking about here?

In financial context (e.g. verification for a bank account), usually banks will only accept ID that they can verify as primary ID.

In an immigration context, the agency is often able to verify passports even with countries that government is at war with.

> In financial context (e.g. verification for a bank account), usually banks will only accept ID that they can verify as primary ID.

This usually includes passports. I don't think banks can actually reach out to the issuing government to check whether the passport is stolen or cancelled.

They pay a higher fee and/or manually send an agent to their offices to verify, if they really really want that customer.
That doesn't help at all when trying to open a bank account or applying for a credit card online.
Is there an actual bank that allows you to open an account online without coming in person at least once?
Definitely! There are many US banks that don't even have branches.

I've done it myself, both for branchless/online-only banks and for banks that do have branches in my state but didn't require me to show up in person to open a checking account.

ePassports use public key cryptography to sign them. I don't know if the picture is in the ePassport data, but I believe that there's an approximation of a low resolution version.

The ICAO even maintains its own sort-of-PKI system: https://www.icao.int/Security/FAL/PKD/Pages/default.aspx

I believe that the standard can be adopted by anyone (national IDs, etc...).

It's definitely possible. The picture is statically signed, and the smartcard chip in the passport can perform dynamic authentication on top of that, proving physical possession.

What's missing for this to be an actual remote ID scheme is checking the passport for being reported as stolen, as well as authentication of the person presenting it (e.g. using a PIN or local biometry). Otherwise, anybody could wave your passport over a reader and open a bank account etc. in your name.

For example, Germany does have a (national) remote/online ID scheme on top of an ICAO-compliant (in-person identification only) smartcard-based ID card using a 6-digit PIN.

For example The U.S. Passport Verification Service (USPVS)

https://www.aamva.org/technology/systems/verification-system...

This seems to be geared towards state governments (i.e. DMVs):

> The service assists states in issuing more secure driver’s licenses and identification (ID) cards.

In other words, this doesn't help non-government entities trying to remote KYC their (prospective) customers.

Yeah, I thought similarly. So the whole time, these US services asking for my Drivers License # and a photo of my ID haven't really been checking it?
I don't think that type of interface exists for most issuers of ID documents.
Good, we don't need it. We did (and still do) just fine when I could walk into a store with cash and buy something, or get a loan in person, etc.
There are a ton of situations in which you can't just use cash. Pretty much anything online, many things related to travel, etc.
This works great when you live in a big city and have a choice of several banks with branches (and even then, you'll probably pay a higher interest rate due to decreased competition of lenders).
I think the silver lining here is that AI will force people back into the real world because a face-to-face meeting will ultimately be the only way you can be certain that you're speaking to a human being. That's not the worst thing. What's happening with social media and ad-driven engagement today may one day be recognised as a neurological catastrophe by future generations.
> a face-to-face meeting will ultimately be the only way you can be certain that you're speaking to a human being

for now

but you can give your AI some money and autonomy to spend it and the AI IS the customer. Their little ID card should have a picture of bender or c3po.
I think the premise of the article is flawed:

> KYC, or “know your customer,” is a process intended to help financial institutions, fintech startups and banks verify the identity of their customers

vs Wikipedia:

> * Know Your Customer (KYC) guidelines and regulations in financial services require professionals to verify the identity, suitability, and risks involved with maintaining a business relationship with a customer. The procedures fit within the broader scope of anti-money laundering (AML) and counter terrorism financing (CTF) regulations.*

> KYC processes are also employed by companies of all sizes for the purpose of ensuring their proposed customers, agents, consultants, or distributors are anti-bribery compliant and are actually who they claim to be. Banks, insurers, export creditors, and other financial institutions are increasingly required to make sure that customers provide detailed due-diligence information. Initially, these regulations were imposed only on the financial institutions, but now the non-financial industry, fintech, virtual assets dealers, and even non-profit organizations are included in regulations.

Generative AI isn’t going to help people that have been intentionally excluded from the monetary system obtain legitimate bank accounts.

That's not what the article is saying. The article is saying that the ability to pretty easily create realistic fake looking identities with AI will undermine e-KYC systems that are popular with online financial services. This would make fraud less difficult.
But the services have to go back to a subcontracted government database to make sure that the fake identity belongs to an upstanding citizen, and that check should fail.

(Unless the KYC providers are selling snake oil, which wouldn't surprise me, but that would make it even harder to feel sorry for them.)

As far as I can tell no one is validating against government databases except for things like sanctions lists. For Americans they might use something like TLO in the best case. The identity verification companies like Onfido get a picture of both sides of an ID and then try to match the face of the person on the ID with the person in the selfie video. Presumably while doing some checks to see if it appears to be a fake. That's it.

In the case of synthetic identity fraud, they establish a history with the credit bureaus by applying for cards and getting denied (eventually they are approved for some low level starter credit card) or getting added as an authorized user to someone with a good credit history (people on eBay sell this).

Good. Random sites like Reddit asking verification and asking for a govt ID is ridiculous.

Banks will still get KYC done through face to face.

The internet needs to go back to being anonymous and weird.

> Banks will still get KYC done through face to face.

Whose face? Many banks don't even have branches.

All that kind of FUD is a great tool for European govs that want to push for the eIDAS and national electronic identity certification.
Why's it FUD? It seems likely to me that GenAI can make fake people, and break current KYC.
Remote KYC has always been a joke. Photoshop has existed long before AI.
How long before some journalist peruses literally any fraud forum and finds people selling fully KYCed bank/exchange accounts for $200 and several people offering to verify an account with whatever identity you want? Also, the slow rollout of eCBSV by the Social Security Administration probably allowed a few hundred million dollars of synthetic identity fraud losses to occur that otherwise wouldn't have occured.

I'm thinking of packaging my brilliant insights into a $6000 per month "threat intelligence" subscription.

I don't know I feel like that would require deeper digging than just seeing a tweet and spawning an entire article off of it.
KYC is already effectively useless.

Unless the “use” of it is to harass and exclude citizens from free commerce with each other for trivial amounts of money, while allowing industrial-scale fraud in the trillions to continue unabated.

I guess this will just mean even more mandatory apps with hardware-backed backdoor crap like SafetyNet et al., in the hopeless witch hunt for emulators. And of course, installing a custom ROM or otherwise degoogling will be considered criminal-like behavior not long from now.

Look at the payment card industry: the whole system is fundamentally broken by design and has zero meaningful privacy and security since its inception, yet it somehow survives, decade by decade, with more and more layers of bureaucratic band-aid.

> Look at the payment card industry: the whole system is fundamentally broken by design

Quite the contrary: The parts of it that are broken are broken due to industry inertia and backwards compatibility considerations.

Payment cards have had the capability for strong cardholder authentication both online (3DS) and at the POS (chip/EMV and PIN) for almost two decades now.

There just isn't political/regulatory will to enforce their use in the US, and nobody will move first without being forced (since it's game-theoretical/economic suicide to be the first mover). In the EU, both are now largely mandatory.

>POS (chip/EMV and PIN)

Although I went ahead and got a PIN for my US credit card after I had an issue, I don't know the last time I've had to use it in Europe. I do sometimes scrawl a not really signature now and then.

That still usually won't make it PIN-preferring. US credit cards request a signature by default; if you request a PIN, that's usually only ever used for cash advances, but not for payments, even in Europe.

In other words, it's effectively impossible to get a PIN-preferring, i.e. more secure, credit card in the US...

I wasn't clear. Right, you never use a PIN for a credit card payment in the US. You're sometimes required to "sign" but basically that can be an X these days if you like. Mine is an even lazier scrawl than my illegible signature.

My comment was that I have been asked to enter a PIN in Europe which is why I requested one. But I've never used it since.

You're covered for fraud by the credit card bank so, as a consumer, I don't really care about the level of security.

Modern KYC should rely on cryptographically secure eID. For example, in Russia you can’t even buy a e-sim online without a cryptographic signature connected to your eID that you can only create if you prove your identity offline. No photoshop or GenAI can overcome that.
> Modern KYC should rely on cryptographically secure eID.

Agreed, in principle.

> Russia you can’t even buy a e-sim online without a cryptographic signature connected to your eID

And this already highlights the biggest caveat of establishing such a system: It lowers the bar for requiring KYC for all kinds of transactions that currently are possible anonymously.

In the best case, e-ID can be done in a more privacy-preserving way than analog ID (e.g. only revealing information on a need-to-know basis, e.g. your age or citizenship rather than your full name and photo); worst case, it becomes a privacy nightmare.

The solution for this is for the government to provide IDs which operate with the PKI model.

Think about a lot of European countries where having an ID is mandatory (which frankly I'm not in favor of) and carrying said ID is mandatory (which I'm wholly against).

But the reality of things is that in Belgium I have no issue authenticating myself to any platform that needs to know my identity. I don't need to upload a photo of something. I don't need to look left/right while a camera takes a photo of my face and does a 3D scan trying to give some certainty that I am actually me, and that I am alive.

I put in the card which is just a smart card, and it contains a certificate. I sign the request with a PIN and I am me.

KYC! Child abusers! Terrorists!

It is perfectly right that moral, legal citizens share all their online data, all the time, with our ever-loving government. /s

What could possibly go right?