Companion Analysis
The IDV Landscape
Why the Pulse Bond Challenge exists
Identity verification is being pulled in two directions at once. Attackers are getting cheaper digital impersonation through phishing kits, deepfakes, synthetic documents, and automated fraud workflows. Defenders are responding by moving toward signals that are harder to synthesize: device-bound keys, cryptographic document checks, behavioral history, and long-lived real-world context.
The Pulse Bond Challenge sits in that gap. It asks one narrow question: can an attacker cause a protected server-side completion without a genuine bonded phone session?
This page is not the contest contract. The Rules of Engagement control the bounty. This is background context for why the challenge matters.
The core thesis
The lie should be expensive. The truth should not.
Cheap generation collapsed the cost of producing a plausible artifact. A convincing face, document, voice, profile, or argument used to require time, skill, money, or institutional access to forge. Now much of that cost is gone. The result is not five separate crises in fraud, disinformation, identity, synthetic media, and account takeover. It is one economic collapse showing up through different targets.
Trust used to work because forgery was costly. The cost was the implicit collateral behind the signal. When a flawless artifact costs almost nothing to produce, the artifact stops carrying useful information: the honest and dishonest can emit it for the same price.
There are two responses. One tries to make the speaker honest: better models, better guardrails, better alignment, better classifiers. That matters where the output itself is the product. But it does not solve adversarial identity, because the attacker can use any model, any tooling, and any infrastructure outside the defender's control.
The other response re-attaches cost to the lie. It refuses to let an assertion actuate a consequence until it phase-locks to something that remains expensive to fake: real possession, real presence, real device continuity, real cryptographic evidence, real accountability, or real-world history. That is the Pulse posture.
The important distinction is continuity, not snapshot. A snapshot is one artifact at one instant, and snapshots are now cheap to forge. A continuity is sustained coherence across channels and time. The honest user pays nothing for continuity because they simply live it. The counterfeit pays continuously, and that recurring bill is the defense.
Reader's guide
This analysis compares common identity-verification and account-takeover defenses through attacker economics. The core question is not whether a defense can be bypassed in theory. The question is what a serious attacker has to pay, build, operate, and repeat to bypass it at useful scale.
The comparison uses five archetypes that show up across banking, fintech, crypto, telecom, and credit issuance:
| # | Archetype | What it attacks |
|---|---|---|
| A1 | SMS OTP / SIM swap | Phone-number-as-identity, SMS 2FA, carrier-of-record bypass. |
| A2 | TOTP / real-time phishing relay | Authenticator apps, push MFA, session cookies. |
| A3 | Industrial synthetic credit fraud | Traditional KYC at credit issuance, bureau files, document review. |
| A4 | Current-generation IDV | Document capture, selfie match, and liveness. |
| A5 | High-end IDV | Document, selfie, NFC chip read, device intelligence, and behavioral scoring. |
The archetypes are listed in roughly ascending defensive sophistication. They are not all solving the same problem. SMS OTP and TOTP are mostly account-access controls. Synthetic identity and IDV are identity-proofing problems. Pulse is aimed at the device-bound identity-assurance layer behind high-value onboarding and protected actions.
Methodology
The three-bucket model
We use three cost buckets to compare attacks:
| Bucket | Definition | Behavior |
|---|---|---|
| NRE | Non-recurring engineering: tooling, software, kit development, evasion research, infrastructure setup. | One-time program cost. Amortizes with scale. |
| Per-node CapEx | One-time cost per active attack operation: equipment, vendor relationships, devices, accounts, labs, durable assets. | One-time per attack node. Amortizes with throughput. |
| Per-identity marginal | Cost to attack one specific identity once: consumables, identity-specific data, operative time, paid services. | Does not amortize. Sets the attacker's floor. |
For comparability, the estimates assume a bank or fintech relying party protecting credit-bearing onboarding or similarly high-value account creation. Where public reporting gives a range, the model uses operationally realistic midpoints rather than the cheapest marketplace listing or the highest bespoke service rate.
The AI leverage test
AI mostly compresses digital impersonation: phishing copy, synthetic media, social-engineering scripts, fake documents, and workflow automation. It does much less for operational logistics, real-world history, carrier relationships, hardware roots of trust, NFC document authenticity, device fleets, and location or behavior seasoning.
That distinction is the spine of the analysis. If the defensive signal is something the attacker can generate, AI makes the attack cheaper. If the defensive signal requires real-world history, physical assets, cryptographic proof, or infrastructure the attacker cannot mint, AI has less leverage.
A1 — SMS OTP and SIM swap
What is being attacked
Phone-number-as-identity. SMS-delivered one-time passwords. Carrier-of-record as the implicit identity anchor. This remains common despite years of warnings against SMS as a strong authenticator.
Attack mechanics
The attacker causes a victim's phone number to be ported, swapped, or cloned onto a SIM the attacker controls. SMS OTPs and password-reset codes then flow to the attacker.
Common variants include:
- Insider-assisted swaps at telecom retail locations or call centers.
- Social-engineering swaps against carrier support.
- Commercial swap-as-a-service purchased through criminal marketplaces.
Cost model
| Bucket | Estimate | Composition |
|---|---|---|
| NRE | ~$0 | Mature technique. Playbooks and tooling are widely known. |
| Per-node CapEx | $5K-$25K | Carrier insider relationships, burner devices, OPSEC infrastructure. |
| Per-identity marginal | $300-$5,000 | Insider payments or commercial swap services, depending on target and jurisdiction. |
Estimated per-identity loaded cost: $300-$5,000.
AI leverage
| Layer | AI helps? | Why |
|---|---|---|
| Target selection | Yes | LLM-assisted OSINT and breached-data triage. |
| Social engineering | Bounded | Voice cloning and scripts help, but carrier process and human variance dominate. |
| The swap itself | No | Insider access and carrier workflows set the floor. |
| Post-swap takeover | Partial | Automation helps sequence resets across accounts. |
Blue Team — SMS OTP
SMS OTP is structurally weak for high-value identity assurance. The attacker cost is far below the value of the accounts being protected. The defensive answer is migration toward phishing-resistant, device-bound credentials and stronger recovery flows.
What Pulse changes here: Pulse is not a replacement for SMS OTP. It is a replacement for the device-binding and identity-assurance layer that should not depend on phone-number possession in the first place.
A2 — TOTP and real-time phishing relay
What is being attacked
Time-based one-time passwords, authenticator apps, push MFA, and the session cookies issued after login. This is the "we moved off SMS" tier, and it has been heavily industrialized by phishing-as-a-service crews.
Attack mechanics
The attacker stands up a phishing site that proxies the victim's browser session to the real target in real time. The victim enters credentials and the live TOTP on the phishing page. The proxy forwards them to the legitimate site within the TOTP window, captures the resulting session cookie, and reuses it.
Cost model
| Bucket | Estimate | Composition |
|---|---|---|
| NRE | ~$0 | Open-source relay frameworks and commercial phishing kits. |
| Per-node CapEx | $100-$2,000 | Kit subscription, domain infrastructure, hosting, delivery infrastructure. |
| Per-identity marginal | $1-$10 | Email or SMS delivery, target lists, basic operational overhead. |
Estimated per-identity loaded cost: $5-$50 at scale.
AI leverage
| Layer | AI helps? | Why |
|---|---|---|
| Lure content | Yes — strongly | Personalized, multilingual phishing at near-zero marginal cost. |
| Voice and video pretexts | Yes | Better follow-up calls and executive impersonation. |
| Relay infrastructure | No | Already commodity. AI does not make free tooling cheaper. |
| Post-exploitation | Partial | Automation helps triage sessions and move laterally. |
Blue Team — TOTP / phishing relay
TOTP and push MFA do not survive a well-run real-time relay. The defensive answer is phishing-resistant, device-bound credentials: hardware keys, passkeys, platform attestation, and transaction binding.
What Pulse changes here: Passkeys help with account access, but they do not answer who should be allowed to enroll, recover, or complete a high-value identity action. Pulse addresses that identity-proofing layer.
A3 — Industrial synthetic credit fraud
What is being attacked
Traditional KYC at credit issuance: paper or PDF document review, credit-bureau lookups, knowledge-based authentication, device graphs, and sometimes selfie comparison. The adversary is not always impersonating a real person. Often they are building a fabricated person slowly enough to look real.
Attack mechanics
The attacker combines real or derived SSNs with fabricated biographical data, creates or buys tradelines, uses mail drops and voice services, seasons the credit file for months, then applies for credit and busts out.
This attack is economically powerful because the attacker can spend thousands to create an identity that may generate much larger credit exposure.
Cost model
| Bucket | Estimate | Composition |
|---|---|---|
| NRE | $10K-$50K | Tradeline marketplaces, bureau-access channels, document templates, SSN sourcing pipelines. |
| Per-node CapEx | $25K-$100K | Mail drops, virtual offices, mule banking, cooperative lenders, communications infrastructure. |
| Per-identity marginal | $600-$1,300 plus seasoning | Tradeline rentals, authorized-user fees, document prep, account maintenance, operative time. |
Estimated per-identity loaded cost: $1,500-$5,000, including seasoning labor and operational overhead.
AI leverage
| Layer | AI helps? | Why |
|---|---|---|
| Biographical fabrication | Yes — strongly | Consistent dossiers become cheap. |
| Document fabrication | Yes | Utility bills, pay stubs, leases, and supporting artifacts improve. |
| Selfie spoofing | Partial | Relevant when selfie IDV is part of the flow. |
| Credit-file seasoning | No | Calendar time and real tradeline history still matter. |
| Mail-drop and mule logistics | No | Physical operations still set the floor. |
Blue Team — synthetic credit fraud
Synthetic identity is where attacker ROI can be brutal: thousands of dollars in setup cost against much larger potential fraud-out losses. Existing graph and bureau tools are useful, but the problem is still growing.
What Pulse changes here: A seasoned synthetic identity lacks the real device history, behavior history, location history, and nearby-device context of a real person. Longitudinal, device-bound signals are aimed directly at that gap.
A4 — Current-generation IDV
What is being attacked
The current baseline IDV stack: government ID image capture, selfie match, passive or active liveness, and some device/IP risk scoring.
Attack mechanics
The attacker presents a fabricated or stolen ID image and a synthesized or replayed selfie. The strongest attacks increasingly use camera-feed injection, where generated video is inserted below the browser or app layer so liveness sees a coherent stream that never came from a real camera.
Cost model
| Bucket | Estimate | Composition |
|---|---|---|
| NRE | $5K-$50K | Injection tooling, vendor-specific evasion research, deepfake pipeline setup. |
| Per-node CapEx | $2K-$15K | GPUs, modified devices or emulators, camera stack, template libraries. |
| Per-identity marginal | $10-$120 plus bypass fees | Synthetic identity kits, generated media, paid bypass attempts. |
Estimated per-identity loaded cost: $50-$600.
AI leverage
| Layer | AI helps? | Why |
|---|---|---|
| Deepfake generation | Yes — strongly | This is the canonical attacker-AI use case. |
| Document fabrication | Yes | IDs and supporting documents get cheaper and better. |
| Injection tooling | Yes | LLMs can help build and tune evasion code. |
| Real device telemetry | Usually not applicable | Many A4 flows do not collect deep longitudinal device evidence. |
Blue Team — current-generation IDV
A4 vendors are not negligent. They are defending a signal that AI has made cheaper to generate. Current IDV remains valuable against unsophisticated attackers and as part of a layered stack, but it fails predictably against motivated adversaries with modern synthetic-media tooling.
What Pulse changes here: Pulse is not a better selfie check. It moves the contest away from the camera frame and toward signals the attacker does not directly generate: hardware-backed device presence, server-held capabilities, document cryptography, and real-world context.
A5 — High-end IDV
What is being attacked
The leading edge of consumer IDV: document capture, selfie liveness, NFC chip reads, behavioral biometrics, device intelligence, and risk orchestration.
Why NFC matters
The NFC chip in a modern ePassport is signed by government document infrastructure. Correct verification checks the cryptographic signature on the chip. The attacker cannot simply generate a valid chip with AI. They need the real document, a relay path, a downgrade, or a flaw in verification.
Cost model
| Bucket | Estimate | Composition |
|---|---|---|
| NRE | $50K-$300K | NFC relay tooling, behavioral synthesis, vendor-specific evasion, risk-engine research. |
| Per-node CapEx | $25K-$150K | Passport acquisition channels, device fleets, behavioral replay rigs, operating footprint. |
| Per-identity marginal | $5K-$30K | Matched real documents, relay attempts, behavior tuning, OPSEC, burnable infrastructure. |
Estimated per-identity loaded cost: $8,000-$40,000.
AI leverage
| Layer | AI helps? | Why |
|---|---|---|
| Deepfake generation | Yes | Same as A4. |
| NFC chip authenticity | No | AI does not forge trusted document-chip signatures. |
| Real document acquisition | No | Operational logistics dominate. |
| Behavioral synthesis | Bounded | The attacker needs identity-specific data. |
| Vendor evasion | Partial | AI helps explore heuristics, but it does not replace the physical layer. |
Blue Team — high-end IDV
A5 is the closest peer category to Pulse. NFC is genuinely strong when users have eligible documents and relying parties can require it. Behavioral signals help, especially when they move beyond a single enrollment session.
What Pulse changes here: Pulse extends the same argument along the longitudinal axis: more real-world history, more device context, more server-bound action intent, and a larger surface the attacker must reproduce consistently.
Unified comparison
| Category | NRE | Per-node CapEx | Per-identity marginal | Loaded per-identity | AI impact |
|---|---|---|---|---|---|
| A1 — SMS OTP / SIM swap | ~$0 | $5K-$25K | $300-$5,000 | $300-$5,000 | Low. Carrier and insider process set the floor. |
| A2 — TOTP / phishing relay | ~$0 | $100-$2,000 | $1-$10 | $5-$50 | High. Lures and workflow automation get cheaper. |
| A3 — Synthetic credit fraud | $10K-$50K | $25K-$100K | $600-$1,300 plus seasoning | $1,500-$5,000 | Medium. Documents get cheaper; seasoning does not. |
| A4 — Doc + selfie + liveness | $5K-$50K | $2K-$15K | $10-$120 plus bypass fees | $50-$600 | Very high. AI attacks the core signal. |
| A5 — NFC + behavioral IDV | $50K-$300K | $25K-$150K | $5K-$30K | $8K-$40K | Bounded. NFC and real behavior resist pure generation. |
| Pulse-style device bond | Model-dependent | Model-dependent | Model-dependent | Designed to be materially higher | Bounded by physical, operational, and historical signals. |
The point is not that every existing IDV stack is bad. The point is that attacker economics split into two clusters:
- AI-disrupted, low attacker-cost signals: phishing pages, documents, selfies, liveness video, and client-side state.
- Operationally bound, higher attacker-cost signals: hardware-backed device presence, cryptographic document evidence, real-world history, carrier/device context, and longitudinal behavior.
Pulse is designed to live in the second cluster.
AI leverage matrix
| Archetype | AI compresses NRE? | AI compresses per-identity cost? | Net effect |
|---|---|---|---|
| A1 — SMS OTP | Not meaningfully | No | Insider and carrier logistics dominate. |
| A2 — TOTP relay | Yes | Yes | Already-low costs trend lower. |
| A3 — Synthetic credit | Yes | Bounded | Bio and document fabrication get cheaper; seasoning does not. |
| A4 — Current-gen IDV | Yes — strongly | Yes — strongly | This is the category AI disrupts most. |
| A5 — High-end IDV | Partial | Partial | Deepfakes help; NFC and real behavior constrain. |
| Pulse-style device bond | Partial | Bounded | Software gets easier; operational history and hardware do not. |
The sharp version: AI compresses the cost of digital impersonation. It does not compress the cost of physical and operational impersonation.
The IDV stacks AI most disrupts are the ones whose defensive signal AI can generate. The IDV stacks AI least disrupts are the ones whose defensive signal requires real-world data, real-world hardware, or cryptographic roots of trust the attacker cannot mint.
Defender-side AI
AI is not only an attacker advantage. It also helps defenders when defenders have access to real signals the attacker cannot synthesize.
- AI can tighten joint-distribution anomaly detection across many weak signals.
- AI can detect generative-content artifacts where optical media still matters.
- AI can help prioritize suspicious cross-channel inconsistencies for review.
- AI is most useful defensively when the defender has more real-world signal than the attacker can generate.
That last line is the important one. If both sides are fighting over a selfie frame, the attacker has leverage. If the defender is scoring a long-lived device, document, location, behavior, and server-action graph, the attacker has to do more than render pixels.
Why this matters for the challenge
The Pulse Bond Challenge is intentionally narrow. A browser green check does not win. A screenshot does not win. A relayed genuine phone does not win the top no-phone tier by itself.
The target is a server-recorded Accepted Completion for a synthetic profile without a genuine bonded phone. That is the boundary between digital theater and a real identity-assurance failure.
A confirmed, reproducible relay path or completion-binding break can still matter under the lower tier when the Operator can independently replay it. That is a different payout boundary, and the Rules of Engagement control it.
If someone can cross that boundary reproducibly, they have shown something important. If they cannot, that also says something important about where modern IDV needs to move: away from signals attackers can synthesize and toward signals that impose real operational cost.
Bottom line
The current IDV landscape divides into two broad cost structures:
- AI-disrupted, low attacker cost: SMS OTP, real-time phishing relay, and current-generation document/selfie/liveness checks. These defenses can still be useful, but they are exposed to signals attackers can generate or relay cheaply.
- Operationally bound, higher attacker cost: synthetic credit seasoning, NFC-backed document verification, behavioral history, device binding, and longitudinal context. These are harder because the attacker must reproduce real-world state, not just media.
Pulse is a bet on the second structure. The challenge exists to test whether that bet holds under pressure.
Sources and further reading
SMS swap / SMS OTP
- NIST SP 800-63B Digital Identity Guidelines
- FBI IC3 Internet Crime Reports
- Intel 471 on SIM hijacking economics
- Stingrai SIM swap statistics
Phishing and TOTP relay
- Resecurity on EvilProxy phishing-as-a-service
- Corbado phishing-as-a-service landscape
- CybersecSentinel on Rockstar 2FA
Synthetic identity fraud
- Federal Reserve synthetic identity fraud white paper
- Equifax synthetic identity research
- Synthetic identity fraud detection FAQ
Deepfake and current-generation IDV
- Trend Micro on deepfakes and eKYC
- DeepIDV fraudulent identification benchmark report
- SoftwareSeni / Group-IB on deepfake subscription tooling
High-end IDV and NFC
- ICAO 9303 machine readable travel documents
- ENISA publications
- Vendor threat reporting from iProov, Sumsub, Jumio, Onfido, Persona, and Veriff.
The Rules of Engagement define the bounty. This landscape analysis explains why the challenge is worth running.
Ready to test the actual target? The bounty is governed by the Rules of Engagement, not this analysis.