Zendoric
← Back to the day · July 15, 2026

When the 'genuine' ID lies: why AI fraud forces us to bury biometrics as a silver bullet

🕒 Published on Zendoric: July 15, 2026 · 08:41

A major South African retailer discovered that scammers were using AI to alter data directly on photographs of real ID documents, producing forgeries that fooled both people and systems. The case, told by the COO of identity-tech firm Contactable, illustrates a deeper shift: a single strong signal is no longer enough—you need layers of cross-checked truths.

🎧 Listen to the analysis (in Spanish)

By TechCentral · July 15, 2026.

The fact behind this analysis is concrete: a year and a half ago, one of South Africa's major retailers began receiving customer applications with seemingly legitimate South African identity documents. They were not. A fraud network had used AI to alter key information directly on photographs of real ID documents, producing documents that passed both human inspection and automated verification systems. According to Jason Shedden, chief operating officer of Contactable —the South African digital identity company that authored the article—, they searched the global market for a technology capable of reliably detecting it. They did not find one.

It is worth noting the context of this piece: it is sponsored content, an opinion article paid for by Contactable and published on TechCentral, not independent journalistic investigation. That does not invalidate the case it describes —the manipulation of identity documents with generative AI is a widely documented fraud vector in the sector—, but it does call for reading with caution the claims about the effectiveness of its own technical solution, which the author neither details nor submits to external evaluation. What does deserve credit is the underlying diagnosis, which aligns with what banks, insurers and identity verification providers around the world have been reporting: generative AI has made document forgery so cheap that a single verifier, however sophisticated, is no longer enough.

The central argument —and it is the one that really matters beyond the commercial pitch— is that security based on a single signal (a photo, a fingerprint, a liveness check) was built on an assumption that generative AI has just broken: that a signal, if strong enough, ends up being reliable. Shedden sums it up with a phrase worth taking seriously coming from someone who sells biometrics at scale: 'you cannot beat fraud with more biometrics'. When his own team tried to build a detector of AI-forged documents, no individual algorithm worked consistently; reliability only appeared when combining dozens of independent signals. It is, in essence, the same defense-in-depth logic that already governs traditional cybersecurity, now applied to identity verification.

Our reading is that this case fits a pattern we have been observing: the immediate risk of AI is not hypothetical superintelligence, but the silent industrialization of fraud and disinformation, with economic harm already present and measurable. Capabilities that once required specialized knowledge —convincingly forging a document, cloning a voice, generating a synthetic identity— are today within reach of anyone with access to commercial generative tools, and attack time has been compressed from weeks to minutes. It is exactly the kind of short-term asymmetry that should not be downplayed: while the defense takes months to deploy a new control, the attacker iterates with the same generative AI that any legitimate user uses.

That said, the case itself refutes easy catastrophism. The response the article describes is not surrender or banning digital identity, but making the defense more sophisticated by combining identity, behavior, transaction context and risk level into a single trust decision, rather than placing it in a document or a face. That same AI that breaks biometrics is the one that makes it possible to correlate in real time dozens of signals no human analyst could cross-check by hand. It is the usual dynamic of the AI-driven arms race between attack and defense: the winner is not whoever has the most expensive sensor, but whoever best orchestrates the available evidence, properly manages the protection of that personal data (this is where South Africa's data protection framework, Popia, comes into play, which other articles in the same publication address in parallel) and does not turn security into an excuse to accumulate sensitive information without oversight.

In the longer term, this kind of episode reinforces an idea we frequently maintain: the same technology that multiplies fraud is the one that, well governed, can shield digital trust at a far lower cost than today's, freeing companies and users from frictions that are now unavoidable. The problem is not AI itself, but that the defense advances more slowly than the attack; closing that gap with governance, transparency and independent verification —not just the marketing of whoever sells the solution— is the outstanding task for the digital identity sector in the coming years.

🔗 Related on Zendoric

Sources & references