Vietnam police catch ring using biometric face spoof to launder $39M

Vietnam is adapting its rules for online account security as the country leans into digital transformation for government and business, but fraudsters are also innovating with fresh techniques.

Police in Vietnam have arrested a 14-member gang for allegedly laundering VND 1 trillion ($38.4 million) using generative AI to defeat biometric security measures at banks, according to VN Express.

The gang, led by 46-year-old Pham Hong Chuyen from Hanoi, are under investigation for organizing illegal gambling from their bases in Hanoi and Ninh Binh province, according to Ninh Binh police, and are being questioned for money laundering.

It is the first recorded case in Vietnam where AI has been used to create fake biometric face scans for money laundering purposes, the police say. The money was supposedly laundered from a gambling website. A thousand bank accounts have been frozen by the police suspected of being involved in the case.

Chuyen hired locals to open bank accounts under their names and got them to submit a 30-second video of their face, which he later used to create an AI version. The AI face biometric scans Chuyen created enabled his group to operate the bank accounts without the owners’ knowledge, and used them to transfer money to other accounts.

In Vietnam, a bank transaction worth VND10 million or more requires the sender to use the smartphone camera for face biometric scanning. Since July 2024, the State Bank of Vietnam has mandated financial institutions to implement end-to-end biometric verification for digital transactions. Vietnamese digital banks including Techcombank and Vietcombank have quickly integrated face biometrics to comply with the mandate.=

Following the introduction of biometric verification, there was a 72 percent decrease in fraudulent accounts. With the rise in use of biometric technology in Vietnam, local Vietnamese start-ups and companies have sought to upgrade their technology, with a noticeable uptick in iBeta anti-spoofing testing.

Ever since VNPay, a Vietnamese electronic payments startup, was certified for conformity with ISO/IEC standard 27001, there’s been a trend for greater quality assurance. The Hanoi-based firm’s eKYC offering was subject to testing for compliance by iBeta Quality Assurance for presentation attack detection (PAD) standard ISO/IEC 30107-3, to determine its ability to tell real people in selfies used for biometric face verification from printed and on-screen images.

Vietnam’s Cake Digital Bank became the first digital-only bank in Southeast Asia to pass iBeta’s test for detecting sophisticated face biometric presentation attacks under the ISO standard. “Achieving the highest international ISO standard for facial biometrics with a solution developed entirely in-house by our Vietnamese engineering team is a remarkable milestone for Cake,” said Nguyễn Hữu Quang, CEO of Cake Digital Bank.

Developed in-house by Cake’s team of engineers, Cake Face Authen uses Passive Liveness Detection to verify a user’s identity. Currently, more than 15 million people in Vietnam use Cake Face Authen.

Vietnam’s FPT also passed iBeta’s testing for ISO 30107-3 compliance. Director of the Digital Identity Platform Center at FPT IS, FPT Corporation, Phan Thanh Toan, said FPT’s development team faced many challenges during iBeta’s evaluation, with the technical team having to work overnight to monitor the system given the 13-hour time difference between Vietnam and the United States (iBeta is based in Colorado).

According to Circular 50/2024/TT-NHNN, online service providers in the Vietnamese banking sector must meet ISO 30107-3 and ISO 19795-2 standards, tested by an organization recognized by the FIDO Alliance. As the provider of FPT.eID to more than 50 major financial and banking institutions in Vietnam, FPT considers achieving these international certifications a strategic priority to ensure security, build trust, and enhance competitiveness in the electronic authentication market, it says. FPT aims to complete certifications for ISO 30107-3 (Level 2) and ISO 19795-2.

Article Topics

AI fraud  |  banking  |  biometric authentication  |  biometric liveness detection  |  biometrics  |  face biometrics  |  financial crime  |  fraud prevention  |  Vietnam