KYC biometrics in the Nigerian fintech context

Every Nigerian fintech that onboards customers must verify identity—typically through BVN (Bank Verification Number) or NIN (National Identification Number) linked to biometric data. The standard flow: the user takes a selfie, the app compares it against the biometric record held by NIBSS or NIMC, and the match confirms identity.

This process is only as strong as two things: the quality of the biometric match algorithm and the ability to detect whether the selfie is from a live human being standing in front of the camera right now—not a photo, a video, or a deepfake.

How attackers spoof biometric verification

Printed photo attacks

The simplest presentation attack: the attacker obtains a passport-quality photo of the victim (from social media, a stolen ID card, or purchased data) and holds it in front of the camera. Against apps that perform only a basic selfie comparison without liveness checks, this succeeds with alarming reliability. We have tested multiple Nigerian fintech apps where a printed A4 photo passed verification.

Video replay attacks

For apps that require eye blinks or head movements as liveness checks, attackers play a video of the victim on a second phone screen held in front of the camera. The video includes natural head movements and blinks. If the liveness detection only checks for motion or eye closure, a pre-recorded video defeats it.

Deepfake attacks

AI-generated deepfake technology has made sophisticated spoofing accessible. With a few photos of the victim, an attacker can generate a real-time video that follows head movement instructions ("turn left," "look up") issued by the liveness challenge. Tools like DeepFaceLive and similar open-source projects can run on consumer hardware. This is the attack vector that most current liveness detection SDKs struggle with.

3D mask attacks

High-value targets justify higher-effort attacks. 3D-printed or silicone masks that replicate a victim's face can defeat 2D liveness detection and even some 3D depth-sensing systems. While less common in mass fraud, these attacks are used against high-net-worth account takeover.

Assessment Finding

Client-side liveness checks are trivially bypassed

In several pentests of Nigerian lending and mobile money apps, we found that liveness detection ran entirely on the client side. The app captured the selfie, performed the liveness check locally, then sent only the final image to the server for biometric matching. An attacker who intercepts the API call (using a proxy like Burp Suite) can replace the selfie image with any photo and set the liveness_passed flag to true. The server never performed its own liveness verification.

Evaluating biometric SDK vendors

Most Nigerian fintechs do not build biometric verification in-house—they integrate a third-party SDK (Smile Identity, Veriff, Onfido, iDenfy, Dojah, etc.). The SDK choice determines your spoofing resistance. Here is how to evaluate vendors:

The NIST PAD standard explained

NIST's Presentation Attack Detection (PAD) framework establishes metrics for evaluating biometric spoofing resistance. The key metrics are:

APCER (Attack Presentation Classification Error Rate): The proportion of presentation attacks that are incorrectly classified as bona fide. A lower APCER means better spoofing detection. For financial apps, target APCER below 1% across all tested attack instruments.

BPCER (Bona Fide Presentation Classification Error Rate): The proportion of legitimate users incorrectly rejected as attacks. A lower BPCER means less friction for real users. Target BPCER below 5% to avoid customer drop-off during onboarding.

The trade-off between APCER and BPCER is the core challenge. Tighter spoofing detection means more false rejections of real users. Your vendor should let you tune this threshold based on your risk appetite.
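To make the APCER/BPCER trade-off concrete, here is an added worked example (not from the original post or any vendor): it scores a constructed PAD test set at several thresholds, reporting APCER per attack instrument species and the worst species as the overall figure, alongside the BPCER you would pay at each setting. Scores, species and the threshold values are assumptions.

```python
"""Worked APCER/BPCER calculation over a constructed PAD test set.

Each record holds a liveness score from a hypothetical vendor SDK (higher means
more likely bona fide), its label, and for attacks the presentation attack
instrument (PAI) species. APCER is computed per species and the overall APCER
is the worst species: one cheap attack that works is all a fraudster needs.
"""
from collections import defaultdict

# Constructed results: (label, pai_species, liveness_score). Illustrative only.
RESULTS = [
    ("bona_fide", None, 0.95), ("bona_fide", None, 0.88), ("bona_fide", None, 0.79),
    ("bona_fide", None, 0.72), ("bona_fide", None, 0.61), ("bona_fide", None, 0.58),
    ("bona_fide", None, 0.42), ("bona_fide", None, 0.91), ("bona_fide", None, 0.83),
    ("bona_fide", None, 0.67),
    ("attack", "printed_photo", 0.12), ("attack", "printed_photo", 0.21),
    ("attack", "printed_photo", 0.35), ("attack", "printed_photo", 0.08),
    ("attack", "video_replay", 0.44), ("attack", "video_replay", 0.31),
    ("attack", "video_replay", 0.56), ("attack", "video_replay", 0.27),
    ("attack", "deepfake", 0.63), ("attack", "deepfake", 0.49),
    ("attack", "deepfake", 0.71), ("attack", "deepfake", 0.38),
]

def pad_metrics(results, threshold):
    """Return (apcer_by_species, overall_apcer, bpcer) at a decision threshold.

    A presentation is classified bona fide when score >= threshold.
    APCER_species = accepted attacks of that species / attacks of that species.
    BPCER = rejected bona fide presentations / bona fide presentations.
    """
    attacks = defaultdict(lambda: [0, 0])  # species -> [accepted, total]
    bf_total = bf_rejected = 0
    for label, species, score in results:
        accepted = score >= threshold
        if label == "attack":
            attacks[species][1] += 1
            attacks[species][0] += int(accepted)
        else:
            bf_total += 1
            bf_rejected += int(not accepted)
    apcer = {s: acc / tot for s, (acc, tot) in attacks.items()}
    return apcer, max(apcer.values()), bf_rejected / bf_total

def sweep(results, thresholds):
    """Tabulate the worst-species APCER and BPCER for candidate thresholds."""
    table = {}
    for t in thresholds:
        _, overall, bpcer = pad_metrics(results, t)
        table[t] = (overall, bpcer)
    return table

if __name__ == "__main__":
    for t, (apcer, bpcer) in sweep(RESULTS, (0.4, 0.5, 0.6, 0.75)).items():
        print(f"threshold={t:.2f}  worst APCER={apcer:.1%}  BPCER={bpcer:.1%}")
```

On this toy set no threshold reaches the 1% APCER / 5% BPCER targets at once, which is exactly the kind of table to ask a vendor to produce for your own attack instruments.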


Defending against biometric spoofing

Layered verification

Do not rely on biometric selfie matching alone. Combine it with: document verification (NIN slip, international passport, driver's licence) with tamper detection, BVN/NIN backend verification through NIBSS/NIMC APIs, device fingerprinting to flag multiple accounts from the same device, and behavioural signals (time to complete onboarding, location consistency).

Server-side enforcement

Every biometric decision must be validated server-side. The mobile app should send the raw image or video stream to your backend (or the vendor's API), and the match/liveness decision should come from the server. Never trust a boolean is_live: true sent from the client. This is the same principle we apply to all authentication security assessments.
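The assessment finding above and this section describe the same control, so here is one added example covering both (not code from the original post): the trusting handler that the finding describes beside a hardened one whose verdict comes only from server-side checks on the raw selfie bytes. check_liveness and match_face are hypothetical hooks standing in for your backend or vendor API, and the BVN value is a placeholder.

```python
"""Vulnerable vs hardened handling of a KYC selfie submission.

Both handlers take the dict the mobile app posts. The vulnerable one honours a
client-supplied liveness verdict; the hardened one ignores every verdict field
the client sends (logging it as a tamper signal) and decides from the server.
"""
import base64
import logging

log = logging.getLogger("kyc")
CLIENT_VERDICT_FIELDS = ("liveness_passed", "is_live", "match_passed")

def vulnerable_handler(payload, match_face):
    """The anti-pattern from the assessment: the server trusts liveness_passed."""
    if not payload.get("liveness_passed"):
        return {"verified": False, "reason": "liveness_failed"}
    selfie = base64.b64decode(payload["selfie_b64"])
    return {"verified": bool(match_face(selfie, payload.get("bvn", "")))}

def hardened_handler(payload, check_liveness, match_face, liveness_min=0.9):
    """check_liveness(bytes) -> score in [0, 1]; match_face(bytes, bvn) -> bool.
    Both are hypothetical hooks for your backend or the vendor's server API."""
    for field in CLIENT_VERDICT_FIELDS:  # never read; worth a fraud-team alert
        if field in payload:
            log.warning("untrusted client verdict %s=%r", field, payload[field])
    try:
        selfie = base64.b64decode(payload["selfie_b64"], validate=True)
    except (KeyError, ValueError):
        return {"verified": False, "reason": "bad_image"}
    score = check_liveness(selfie)
    if score < liveness_min:
        return {"verified": False, "reason": "liveness_failed", "liveness": score}
    if not match_face(selfie, payload.get("bvn", "")):
        return {"verified": False, "reason": "no_match", "liveness": score}
    return {"verified": True, "liveness": score}

# Constructed stand-ins so the block runs offline: a genuine capture carries a
# "LIVE:" marker, a printed photo does not; the BVN is a placeholder, not real.
def fake_liveness(selfie):
    return 0.97 if selfie.startswith(b"LIVE:") else 0.12

def fake_match(selfie, bvn):
    return bvn == "00000000000"

TAMPERED = {"bvn": "00000000000", "liveness_passed": True,
            "selfie_b64": base64.b64encode(b"PHOTO:victim").decode()}
GENUINE = {"bvn": "00000000000",
           "selfie_b64": base64.b64encode(b"LIVE:frame").decode()}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(TAMPERED, fake_match))
    print("hardened:  ", hardened_handler(TAMPERED, fake_liveness, fake_match))
```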

Continuous monitoring

Post-onboarding, monitor for signals that suggest the account was opened fraudulently: immediate high-value transactions, device changes shortly after onboarding, and transaction patterns inconsistent with the verified identity. Flag and re-verify when risk scores spike. See our CBN compliance guide for regulatory expectations on ongoing monitoring.
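As an added example of the monitoring described above (not code from the original post), the following scores a constructed stream of account events for the three signals named here and flags accounts for re-verification when the score crosses a threshold. The weights, the 24-hour window, the naira amount and the threshold are illustrative assumptions, not regulatory figures.

```python
"""Post-onboarding risk scoring over a constructed account event stream.

Signals: a high-value transaction soon after onboarding, a device change soon
after onboarding, and activity from a location inconsistent with the one
recorded at verification. Weights, windows and thresholds are assumptions.
"""
from datetime import datetime, timedelta

EVENTS = [  # constructed sample events; ISO timestamps, amounts in naira
    {"account": "A1", "type": "onboarded", "ts": "2024-05-01T09:00:00", "device": "dev-aaa", "state": "Lagos"},
    {"account": "A1", "type": "login", "ts": "2024-05-01T09:40:00", "device": "dev-zzz", "state": "Lagos"},
    {"account": "A1", "type": "transfer", "ts": "2024-05-01T10:05:00", "device": "dev-zzz", "state": "Kano", "amount": 950_000},
    {"account": "B2", "type": "onboarded", "ts": "2024-05-01T11:00:00", "device": "dev-bbb", "state": "Abuja"},
    {"account": "B2", "type": "transfer", "ts": "2024-05-06T15:30:00", "device": "dev-bbb", "state": "Abuja", "amount": 15_000},
]

RULES = {"early_high_value": 40, "early_device_change": 30, "location_mismatch": 20}
HIGH_VALUE, EARLY_WINDOW, REVERIFY_AT = 500_000, timedelta(hours=24), 50

def _hit(acct, rule):
    """Apply a rule once per account, so repeated activity does not inflate it."""
    if rule not in acct["reasons"]:
        acct["reasons"].append(rule)
        acct["score"] += RULES[rule]

def score_accounts(events):
    """Return {account: {"score": int, "reasons": [...], "reverify": bool}}."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort by time
        acct = by_account.setdefault(e["account"], {"score": 0, "reasons": [], "onboarded": None})
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "onboarded":
            acct["onboarded"] = (ts, e["device"], e["state"])
            continue
        if acct["onboarded"] is None:
            continue  # activity before any verified identity is on file: out of scope here
        ob_ts, ob_device, ob_state = acct["onboarded"]
        early = ts - ob_ts <= EARLY_WINDOW
        if early and e.get("amount", 0) >= HIGH_VALUE:
            _hit(acct, "early_high_value")
        if early and e["device"] != ob_device:
            _hit(acct, "early_device_change")
        if e.get("state") != ob_state:
            _hit(acct, "location_mismatch")
    return {a: {"score": d["score"], "reasons": d["reasons"], "reverify": d["score"] >= REVERIFY_AT}
            for a, d in by_account.items()}

if __name__ == "__main__":
    for account, verdict in score_accounts(EVENTS).items():
        print(account, verdict)
```

Account A1 trips all three rules within an hour of onboarding and is flagged for re-verification; B2 transacts modestly from its enrolment device and location five days later and is not.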
