Deepfakes Defeated a Dutch Bank's Face Recognition — 46 Times

How the Attack Worked

The attack exploited a fundamental weakness in camera-based biometric verification: it trusts the input. Standard liveness detection checks whether the person in front of the camera is physically present — evaluating blink patterns, head movement, and 3D depth. But when the camera feed itself is compromised, these checks are meaningless.

Injection attacks work by intercepting the video stream between the camera and the verification software, replacing the legitimate feed with pre-recorded or synthetically generated video. The verification system receives what appears to be a live capture of a real person. It evaluates the liveness signals, finds nothing anomalous, and approves the verification.

The ABN AMRO case demonstrates that this attack vector is now being used at scale — not by state-sponsored actors with custom tools, but by individuals with access to consumer-grade deepfake software.

Why Liveness Detection Failed

Liveness detection was designed for a specific threat model: someone holding a printed photo or a screen in front of a camera. Against that attack, it works. Check for blink. Check for depth. Check for movement. Pass.

But the threat model has changed. Modern injection attacks do not present a photo or a screen to the camera. They replace the camera feed entirely. The deepfake video includes natural blinking, head movement, and apparent depth — because the source material is either a real video of a real person or a synthesis sophisticated enough to include these signals.

In this threat model, liveness detection is checking whether a deepfake looks alive. The answer is always yes — because that is exactly what deepfakes are designed to do.

What Detection Should Look Like

Effective deepfake detection asks a different question: has this media been generated, manipulated, or injected?

This requires evaluating forensic signals that generative models fail to replicate accurately: compression artifact patterns, frequency domain anomalies, noise consistency across the frame, temporal coherence between frames, and subtle physiological signals that are present in genuine captures but absent or distorted in synthetic media.

It also requires detecting injection itself — evaluating whether the video stream originated from a physical camera or was inserted into the pipeline through software. This is a fundamentally different technical challenge than liveness detection, and it requires purpose-built detection infrastructure.

The Broader Implications

The ABN AMRO case is a single data point in a much larger trend. Deepfake usage in biometric fraud attempts surged 58% year-over-year according to FinTech Global's 2026 identity fraud analysis. The UK government predicted 8 million deepfakes would be shared in 2025, up from 500,000 in 2023. Gartner projects that by 2026, 30% of enterprises will no longer treat standalone identity verification as reliable in isolation.

For any organization that verifies identities through a camera — banks, crypto exchanges, marketplaces, HR platforms, dating apps — the question is no longer whether deepfake attacks will target your system. The question is whether your system can tell the difference.