AI-generated fake IDs: How not to fall for the latest fraud


Share this post

Since last year, AI has been trying to take over the jobs of translators, copywriters, graphic designers, and other creative professionals. It generates texts that are almost indistinguishable from human-written ones and pictures that seem like Photoshop perfection. It was only a matter of time before someone used the newly discovered AI skills for the wrong cause.

A very indistinctive website at first sight, VerifTools enables its users to generate authentic pictures of IDs and passports. Based on a real ID/passport template of your chosen country. Simply fill in your (fake) personal details, upload your handwritten signature and a photo (don’t worry about the improper background in the picture; VerifTools takes care of it), and bam, the proof of your new identity exists on paper! Become a US citizen overnight and apply for a job there. Or fake your personal details, cash in a quick loan and then pretend it wasn’t you.

We’re not criminals here, so we’ve just run out of options for using a fake ID—but surely, those less sincere among us will come up with many more ways to (mis)use it.

VerifTools’ homepage warns that it takes no responsibility for what its users do with the generated IDs and advises people to respect their country’s laws and regulations. Sure. Is there any country that happily allows people to generate official documents independently? We don’t think so.

Client onboarding & verification

Who should be concerned about these malicious AI tools? Companies need to verify their users’ identities online. This is a common customer requirement, sped up by all the lockdowns we’ve experienced over the last few years. People don’t want to go to service providers in person. Today, people sort things out from the comfort of their own homes.

The client onboarding process inevitably shifts towards digital, not just in finance (banks, insurance companies, loan providers etc.). This is happening in many areas. The most susceptible to fraudulent ID use are service providers, who find it complicated to verify identities through official registers. They might soon find themselves torn between the necessity to allow digital onboarding and the need to check presented data personally.

The already sticky situation gets even more tricky when a foreign factor is at play. Verifying a foreigner’s identity can become a nightmare for telecommunication companies, HR departments, utility providers, and many others — bearing in mind they need to be careful about their conduct not being viewed as discriminating, especially not within the EU. A real minefield to navigate for many service providers.

That is why the ongoing shift to digital is a welcomed opportunity for shady companies like VerifTools — for which FakeItTools or FraudTools would be a much more apt name.

Protect your business from AI-generated fake IDs

As a service provider, you need to ensure that your verification process for new clients is secure enough and that no fake ID passes through. There are two fool-proof ways to do so.

  • Verify a new client in person, requiring physical proof of identity. At least until AI teams up with 3D printers and they start issuing their own IDs together. Most companies and institutions want to avoid the in-person identity check for the sake of not making their clients shy away.
  • This leaves us with another option — a unified ID verification system. As a service provider, you can connect to an official ID verification system based on secure user authentication methods (it usually requires physical ID verification at the very beginning). Let’s talk more about this one.

Federated ID approach

Many EU countries already employ an official ID verification system (such as SmartID in Estonia or BankID in the Czech Republic). Companies that use this system can rest assured that no fake ID passes through it — users’ identity is verified in person, but only once, at the very beginning.

This approach is known under various names — Federated Identity, One Identity, and the Federated Approach. Here’s how it works: A system is built in which people have their identity verified just once, at their first contact with the system — for example, when they open their first bank account at the age of 18. All the following client verifications is based on that. When this person applies for a mortgage loan (by another bank) at the age of 27, the mortgaging bank simply checks with the first bank whether the client is really who they claim to be. The same applies to insurance and other financial services.

“In the Czech Republic, BankID now serves as a popular remote authentication method for citizens when dealing with authorities — such as the Tax and Social Security Office. Interestingly, Czech BankID was not created by the state; it started as a private initiative of the five largest local banks that had decided it was high time to stop making people go to banks in person whenever they needed something. Over time, BankID spread to other Czech banks. In the end, it was adopted by state authorities, too,” explains Milan Hrdlička, business development manager of MONET+, a Czech provider of client authentication solutions and BankID implementation.

In a world where generating a genuinely looking fake ID of any country takes just a few minutes, banks and other financial institutions (and basically any service provider who needs to verify their clients’ identity) need to implement secure solutions that will help prevent these types of fraud. ASAP.

With federated ID solutions, it’s possible to secure your business against malintent without degrading the customer experience — clients can still do anything from anywhere, exactly as they want to.

“You can’t turn your back on digital for the sake of security. Even if your country’s not in the EU and the unified EU Digital Wallet doesn’t concern you yet. The demand of clients to do everything online is here to stay, and if you don’t provide this option, your competition will,” is the final message from MONET+’s Milan Hrdlička.

Article by Monet+ a.s.

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?