It is true that identity fraud has become a buzzword among people and experts, but not in a good way. First coined in 1964, identity theft has since turned prolific, whether it is fraudsters seeking to impersonate others in order to open a credit card account or gangs laundering money without linking transactions to their real-life identities.
Last year, the National Fraud Intelligence Bureau reported that fraud offences increased by 17% in March 2022, reaching 936,276 compared to the year ending March 2021.
A GlobalData survey conducted in September 2022 stated identity theft came among the top three concerns shared among citizens from the UK, US, France, Germany and Poland.
Nir Stern is vice president of product management at AU10TIX, a tech company providing intelligence information and the infrastructure needed to combat fraud.
In an interview with Retail Banker International, Stern talks about how machine learning, data consortiums as well as external sources can effectively be used to combat identity fraud.
How does identity theft compare to other methods of fraud, such as social engineering or email scams? What makes identity theft unique and maybe more appealing to some fraudsters?
Generally speaking, in the world of financial crime and even beyond, you need to differentiate between account takeover and identity fraud.
In the case of an account takeover, as a consumer, you have an existing relationship with a financial institution, and someone is taking over that account by stealing your credentials (username, password or even one-time password).
This is usually done via social engineering or email scams. In the end, a fraudster tries to make the victim do things for them or provide them with information that they need without the victim knowing about the fraud.
With identity fraud, the purpose usually is to pretend to be another person to start a new interaction with the institution – either to commit financial crimes or to accomplish other activities. One example could be money laundering to finance terrorist activity.
Because of regulations, you would need an identity with all relevant information. The methods employed would be different.
First, you need to have access to your victim’s personal information unless you want to create a synthetic ID.
Secondly, you must create a fake ID that is of good enough quality to bypass any security measures financial institutions have.
What are the latest tricks fraudsters use to fool the tech that banks and payment companies rely on to detect ID fraud?
There are roughly three types of methods.
There is the very elementary and naïve one, like trying to take a photo of the victim’s ID or download an ID image.
Then there are the more sophisticated fraud techniques. You could go on certain websites, pay a certain amount of money and download any type of digital document. Those should be of sufficient quality so that when you hand them to an expert, they will not notice anything suspicious.
Then you have the top quality fraud, where identity fraudsters steal or buy personal information from databases uploaded on the dark web. Then, they create high-quality, sometimes even physical IDs that are almost impossible to detect with all the information or standard methods of going through fraud. Everything will look perfectly normal because the fraudsters have accessed information through a particular type of data breach.
Those are the trickiest to detect because everything looks completely normal. And when we examine web traffic, we see the most sophisticated fraudsters use this.
With all the advances in technology like facial recognition, adaptive analytics, automation, and machine learning that have been made to detect identity fraud, why are the numbers growing?
So, because fraudsters are using the methods mentioned above, none of the standard ID verification measures employed by banks will be helpful, no matter how sophisticated they are.
The only way to detect it with systems like ours is first to use machine learning that has access to millions of legitimate transactions and can spot different indicators showing what counts as fraudulent activity.
Also, we have a unique system called Instinct, a concerted database where we track transactions worldwide. Through our big customers, we keep an eye on a huge amount of legitimate and fraudulent transactions. We securely store that information, avoiding any storage of sensitive data.
These steps enable us to see repetitions. Because when these fraudsters invest a lot of time, effort, and money in coming up with a specific tactic, they will not do it just once. They will perform mass attacks.
And then we see cases where everything will look perfectly normal if you look at a single transaction. Still, our systems can detect the same face used on multiple IDs or the same ID with different faces.
The combination of sophisticated machine learning to determine indicators of fraudulent activity and using a data consortium is basically the only way to detect those attacks. Unfortunately, many organisations do not use such capabilities to prevent identity fraud, thereby risking their money.
You are working for a company called AU10TIX. How do AU10TIX solutions differ from the solutions provided by other companies?
So, the main differentiator is, first, the fact that many of our competitors and ID-proofing solutions need to provide manual reviews behind the scenes. They will capture the information or images sent over to them. But most of the analysis will be done by human beings. And, as I have mentioned, with all these sophisticated, super complex forgeries, a human being cannot identify ID fraud because the activity looks normal even when you go into detail with your examination.
That’s why first, you need to have a fully automated system based on machine learning/AI to detect those tiny indicators of forgeries that are hard to see otherwise.
Moreover, you also need the capabilities – like we do with Instinct – to look through a data consortium, detect synthetic fraud or mass attacks, and see whether those attacks are repetitive.
What does it take for banks and payment companies to adapt to ID fraud, and how can they learn to be one step ahead of fraudsters?
You don’t bring a knife to a gunfight. That is probably the key element in fighting identity fraud. If you look at the reports that are always shared, the value of identity theft-related fraud is hundreds of millions. You see specific gangs of identity thieves making millions out of it. As a result, they invest a lot of money into acquiring new technology to commit fraud. So you need to have the equivalent of that technology to fight.
Therefore, you cannot have a solution based on human beings/agents that are supposed to detect identity fraud. It is almost impossible for them.
Next, on top of having a fully automated system, you also need to have a multi-layered approach.
That means not only searching to pinpoint fraudulent activity but also having access to data consortiums, as well as looking into external data sources to determine whether the fraudulent activity is one-off or not.
Thirdly, fraudsters adapt all the time, so you need a fully adaptable system that keeps on learning, a system with access to information not limited to your customers. If you only monitor your customer environment, when the next attack comes, they might not be prepared for it unless they have enough experience.
How do digital banks and payment platforms fight identity fraud and are there lessons that traditional banks can learn and implement?
The other side of this discussion we should have brought up is the legitimate user experience.
If you think about these banks, they want to be secure and protected from fraud. Around 99.9% of their traffic consists of legitimate persons. In that sense, you want to ensure they have the best user experience, especially when you are a digital bank. That is your only channel; you don’t have a backup physical branch.
You need to ensure you have a smoother digital user experience and make it secure and comfortable for your customers.
The key for these companies is to have the back-end systems able to detect these forgeries and the front-end solutions that help you, as a legitimate user, take the best profile photos and quickly become a customer.
When using these front-end solutions, make sure that the quality of customer images enables you, as a company, to detect ID theft and prevent fraudsters from using things like external cameras to create deep-fake photos, as well as upload images, or screenshot pictures of people or their IDs.
So all of that, combining a sophisticated front-end solution and a sophisticated back-end solution, is the direction many digital banks and financial institutions take and what traditional banks should do more as well.
Should banks outsource ID verification more to fintech startups or companies providing anti-fraud solutions?
When doing ID or digital verification, if you are not a small local bank but a global one willing to extend to other countries, you need companies like AU10TIX to do it for you.
We support over 200 countries and over 4,000 types of IDs. It is virtually impossible for a bank to develop a system that can manage various national ID formats while also successfully detecting forgeries.
That’s not their business. Their business is to give the best user experience, so I believe the best approach to combat fraud is for them to get expert help.
Decentralised finance is an emerging financial technology using blockchain to store and share data. How vulnerable are decentralised systems when it comes to identity fraud? What do blockchain transactions get right, and what can they improve when it comes to digital security?
The riskiest thing about blockchain or decentralised financial transactions is that you don’t have any indication of where the money goes, no way to turn it back, and no information about who is interacting with the system. So in the case of any account takeovers or social engineering acts that happen, there is nothing you can do.
There are different transaction monitoring techniques for decentralised IDs. A lot of times, these techniques make sure the money doesn’t go to unknown wallets. But if it’s something like a fraudster opening the digital wallet and stealing the money – there is very little you can do.
One of the trends we see, and we’re strategically investing a lot in it, is decentralised ID. It is when you issue a digital ID, which is encrypted and tokenised on your mobile device or digital wallet. That information is not shared with anyone; the signature is kept in the blockchain.
Because it is based on these standards, if you need to use the identification system, you can just share simple information or claims like am I allowed to do it? Am I over 18? Am I a citizen of a particular country?
We see a lot of hype around this technology. Because it’s all around self-sovereign identity and significantly related to data privacy, which is key to decentralised finance, the combination of the two may actually be a solution that benefits everyone. You can keep your privacy without the need to be part of the financial institution ecosystem while still making it secure in a way that guarantees only you have access to it.