Ensuring Mobile KYC Integrity with Code Hardening & Runtime Protection

Mobile Know Your Customer (KYC) has allowed financial institutions to make the regulatory-mandated customers’ ID verification process more streamlined, accurate, and safer. User’s Android and iOS devices are now used to facilitate various aspects of the KYC processes, including document/ID capture, biometric/facial recognition, and geolocation verification. Unsurprisingly, however, this convenience has also opened up new avenues for malicious actors to exploit, which could result in security breaches and non-compliance if left unmitigated.

This blog explores the importance of bolstering your KYC processes with code hardening and runtime protection.

• Mobile KYC helps financial institutions streamline their customers’ ID verification process to more reliably meet regulatory requirements while improving users’ overall mobile banking experience. However, it has also become a new attack vector for threat actors to exploit.
• Without sufficient protection against tampering and reverse engineering attacks, threat actors can utilize tools such as emulators/virtual environments, rooted/jailbroken devices, and hooking frameworks to bypass the KYC verification process to commit fraud.
• Code hardening and runtime protection techniques are two complementary tools that preserve both the integrity of your mobile banking application and the embedded Mobile KYC SDK by protecting them against static and dynamic attacks.

How attackers bypass mobile KYC verification

Using in-house or third-party Mobile KYC SDKs, banks, digital wallets, crypto, and other fintech platforms often leverage the built-in camera in the users’ mobile devices in the verification flows. Users are usually required to take pictures of their ID document (i.e., National ID Card, driver’s license, passport) as well as a headshot or a video of themselves to verify their identity. However, without enforcing environment and code integrity, threat actors can easily manipulate this process on insecure KYC mobile applications and SDKs.

Insecure environments, hooking, and AI

One of the most common ways attackers do this is by using a combination of tools such as emulators, virtual environments, rooted or jailbroken devices to bypass the device–based security measures and hooking frameworks to ‘inject’ forged images or pre-recorded videos to be used in the verification process.

For instance, earlier this year a team of researchers discovered a tutorial within a Russian-speaking cybercrime forum explaining how attackers could bypass well-known neo-bank and crypto wallet mobile KYC flows by tricking the apps into accepting stolen or pre-manipulated photos. One researcher demonstrated this risk further by making use of artificial intelligence (AI) to generate a deep-faked video to be used in a popular neobank’s mobile KYC process, successfully passing the “liveness verification” test. More concerningly, he could trigger the verification on the bank’s iOS apps as many times as he wanted, even after many previous failed attempts. Attackers could also leverage the aforementioned tools to manipulate passive (device) signals - such as IP address, geolocation data, and device fingerprint - that are often collected as part of the verification process.

Once successful and equipped with working banking accounts, attackers can then use or sell these fraudulent banking accounts to criminals - which reportedly can be bought online for as low as $50-$150 per account - to commit crimes without fear of accountability. Left unmitigated, affected financial services organizations could face criminal and civil penalties, loss of credit rating, damaged reputation, and even loss of operational license.

The role of code protection and monitoring in mobile KYC

Static and dynamic code protection

To overcome this risk, financial services organizations and Mobile KYC SDK developers alike should ensure that the applications or SDKs used in the mobile KYC process cannot be reverse-engineered or tampered with. This can be achieved by applying code hardening and runtime protection self-protection (RASP) techniques with Android and iOS mobile applications and SDKs security tools, such as DexGuard and iXGuard, that can:

• Apply layers of code obfuscation to make it virtually impossible for threat actors to understand, let alone manipulate the logic of your mobile KYC process;
• Detect rooted/jailbroken devices to ensure that your application or SDK cannot be run on potentially unsafe mobile devices;
• Run debugger and emulator checks to verify the integrity of the environment your application or SDK is running on, preventing it from running when debugging tools and emulators are detected;
• Detect and prevent attackers’ attempts to modify the behavior of your application or SDK during the verification process using hooking frameworks;
• Detect illegitimate code modifications and verify the integrity of individual files in your application or SDK using tamper detection.
• Polymorphically (and automatically) apply different security measures for every build to continuously reset the attackers' clock, making the knowledge they gained from previous attacks virtually useless.

Runtime threat monitoring

Lastly, financial services organizations should consider enriching their anti-fraud systems with runtime threat information. Guardsquare’s real-time threat monitoring tool, ThreatCast, enables developers and security professionals to detect, monitor, and gain broad contextual information surrounding threats during runtime your DexGuard and iXGuard-protected applications face in production. These insights can then be used to refine your anti-fraud strategies and the effectiveness of your protection configuration, to improve your overall mobile application security posture. Learn more about it here.