The Deep Brief · SmartHub · Apr 27, 2026 · 11 min read

The Anatomy of a Modern Onboarding Attack: Verifus, OBS, Virtual Cameras, and What Defends Against Them

Modern onboarding fraud is a stack — stolen data, generated documents, real-time deepfakes, OBS injection, virtual cameras, and device masking. Here is what each layer expects to defeat and what stops it.

Shawn-Marc Melo
Founder & CEO at deepidv
[Figure: Layered diagram of onboarding fraud stack including OBS, virtual cameras, deepfake software, and device masking]

The onboarding session is the most attacked surface in any regulated digital business. This guide walks through, step by step, what an attacker actually does to defeat a verification flow in 2026, and explains the specific defensive controls that make each step harder.

The attack stack

A modern onboarding attack has six functional layers.

Layer 1 — The identity package

A combination of real personally identifiable information, fabricated PII, and the generated assets needed to support it. The package costs between 50 and 200 dollars on the underground market.

Layer 2 — The face

A generated photograph, or for higher-tier attacks, a generated short video clip.

Layer 3 — The live session generator

Real-time deepfake software that produces a video stream of the identity performing the actions the verification flow requests. The Verifus toolchain is one component of this layer.

Layer 4 — The scene controller

Open Broadcaster Software, used to manage the input streams and overlay the live deepfake on the camera output.

Layer 5 — The virtual camera driver

Software that exposes the OBS-managed scene as if it were a physical webcam.

Layer 6 — The device fingerprint mask

The Verifus Keybox component or equivalent. Modifies device telemetry so that the fingerprinting layer of the verification SDK sees a clean, unflagged device.

Where each layer is supposed to fail (and doesn't)

Document verification was supposed to fail at the document capture step. Now the document is generated against the actual template. Face matching was supposed to fail when the face on the ID did not match the face on camera. Both faces are generated to be consistent. Liveness verification was supposed to fail because a static image cannot blink on cue. The deepfake produces a live face. Device fingerprinting was supposed to fail because tampering tools left traces. The Keybox layer cleans those traces.

The cumulative effect is that an attack stack costing under 1,000 dollars defeats a verification flow that took the issuer 18 months to build and deploy.

The seven defensive controls that work

Defense 1 — Hardware attestation

The verification SDK demands a cryptographic attestation from the device's secure enclave that confirms the capture originated from a real camera sensor on a non-tampered OS.
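
The server-side check behind this control, as an added example (not deepidv's code or any vendor SDK's): the statement is bound to a one-time server nonce and to the hash of the captured frames, so a valid statement cannot be replayed or attached to a different stream. An HMAC with a constructed demo key stands in for the secure enclave's asymmetric signature so the code runs on the Python standard library alone; the claim names, their accepted values and the 120-second window are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

DEMO_KEY = b"constructed-demo-key"  # stand-in for the enclave key pair (assumption)
NONCE_TTL_SECONDS = 120             # assumed freshness window
_issued = {}                        # nonce -> issue time; each entry is single-use


def issue_nonce(now=None):
    """Server side: create a one-time challenge for a new capture session."""
    nonce = secrets.token_hex(16)
    _issued[nonce] = time.time() if now is None else now
    return nonce


def sign_statement(nonce, capture_bytes, camera_source, os_integrity):
    """Device side (simulated): sign the claims with the nonce and capture hash."""
    claims = {
        "nonce": nonce,
        "capture_sha256": hashlib.sha256(capture_bytes).hexdigest(),
        "camera_source": camera_source,  # hypothetical claim name
        "os_integrity": os_integrity,    # hypothetical claim name
    }
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()}


def verify_statement(statement, capture_bytes, now=None):
    """Server side: return (accepted, reason); every check has to pass."""
    now = time.time() if now is None else now
    claims = statement["claims"]
    body = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, statement["sig"]):
        return False, "bad signature"
    issued_at = _issued.pop(claims["nonce"], None)  # pop makes the nonce single-use
    if issued_at is None:
        return False, "unknown or replayed nonce"
    if now - issued_at > NONCE_TTL_SECONDS:
        return False, "stale nonce"
    if claims["capture_sha256"] != hashlib.sha256(capture_bytes).hexdigest():
        return False, "capture does not match attested hash"
    if claims["camera_source"] != "physical_sensor" or claims["os_integrity"] != "intact":
        return False, "device claims not acceptable"
    return True, "ok"
```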

Defense 2 — Frame-level injection detection

Even when the verification SDK accepts a capture, the captured frames are analyzed for the artifacts virtual cameras leave behind.

Defense 3 — Generated face detection

Analysis of the captured face for the signature of a generative model.

Defense 4 — Document forensic analysis

Beyond template matching, the document is examined for the signature of digital generation.

Defense 5 — Behavioral biometric scoring

During the session itself, the SDK captures micro-movements, response latency, gesture variance, and interaction patterns.

Defense 6 — NFC chip authentication

For passport and eID documents that contain an NFC chip, the verification SDK reads the chip directly via the device's NFC radio.

Defense 7 — Continuous post-onboarding monitoring

The session that passed at the front door does not have to be where the defense ends.

The defensive architecture

The architecture is opinionated. The order matters because each layer has a specific job and the earlier layers reduce the attack surface for the later ones.

The session originates from a hardware-attested device or it does not originate. The capture is analyzed in real time for injection signals, face generation signals, and document generation signals. NFC chip reads are required for any document type that supports them. Behavioral biometric scoring runs throughout the session. Continuous post-onboarding monitoring activates the moment the account opens. No single layer is allowed to be the deciding factor.
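
The ordering above written as a decision function, as an added example that is not deepidv's implementation. The field names, the 0-to-1 score convention and both thresholds are assumptions, and "no single layer is the deciding factor" is read here as: no single passing layer can approve a session, so approval requires every layer to agree.

```python
from dataclasses import dataclass

# Assumed convention: each score runs from 0.0 (clean) to 1.0 (certain attack).
REJECT_AT = 0.8  # assumed: a layer this confident blocks the session
REVIEW_AT = 0.4  # assumed: an elevated layer sends the session to manual review


@dataclass
class Session:  # field names are hypothetical
    hardware_attested: bool
    injection_score: float
    generated_face_score: float
    generated_document_score: float
    behavioral_score: float
    document_has_chip: bool
    nfc_chip_verified: bool


def decide(s):
    """Return (decision, reasons), checking layers in the order given above."""
    # Attestation is a precondition: without it nothing else is evaluated.
    if not s.hardware_attested:
        return "reject", ["no hardware attestation"]
    reasons = []
    # NFC is mandatory whenever the document type supports it.
    if s.document_has_chip and not s.nfc_chip_verified:
        reasons.append("chip-bearing document without verified NFC read")
    scores = {
        "injection": s.injection_score,
        "generated face": s.generated_face_score,
        "generated document": s.generated_document_score,
        "behavioral": s.behavioral_score,
    }
    reasons += [f"{name} high" for name, v in scores.items() if v >= REJECT_AT]
    if reasons:
        return "reject", reasons
    elevated = [f"{name} elevated" for name, v in scores.items() if v >= REVIEW_AT]
    if elevated:
        return "review", elevated
    # Approval needs every layer to agree; monitoring starts at account opening.
    return "approve_and_monitor", []
```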

Operational checklist

Six actions in priority order:

1. Confirm hardware attestation is required by your verification SDK.

2. Confirm injection detection is in your stack.

3. Confirm NFC chip reads are offered for chip-bearing documents.

4. Confirm ensemble deepfake detection runs on the captured face.

5. Confirm continuous monitoring is active for the first 180 days post-onboarding.

6. Run a red team exercise against your own onboarding flow.

Compliance and audit positioning

Examiners and auditors increasingly expect institutions to be able to articulate their defensive architecture in technical terms, not just policy terms. The FFIEC examination procedures, the UK Failure to Prevent Fraud offence, and the EU's Digital Identity Wallet framework all set technical bars that institutions must meet.

Modern Onboarding Attack FAQ

Is injection detection different from liveness detection?

Yes. Liveness detection confirms that the captured face is alive and responsive. Injection detection confirms that the captured stream originated from a real camera, not from a virtual camera or pre-recorded source.

Does NFC chip reading work on all phones?

It works on most modern smartphones with NFC radios. iPhone 7 and newer support it; the vast majority of Android devices in active use support it.

Is hardware attestation a privacy concern?

Hardware attestation does not transmit personally identifying information. It transmits a cryptographic signature confirming the integrity of the device's secure enclave.

What is the conversion cost of layered defense?

Properly implemented, the conversion cost is less than 2 percent.

Where should an institution start if it is behind on onboarding security?

Start with hardware attestation. Then add injection detection. Then turn on NFC chip reads. Then layer in ensemble deepfake detection and behavioral scoring. Continuous monitoring is the final piece.