Identity Fraud Detection and Prevention: Insights from the CTO's Desk

Since identity fraud is a broad category of scam techniques, let’s first determine the concept. Generally, identity fraud is the illegal use of someone’s personal information, including identifying data such as name, address, Social Security Number, etc. By committing this type of fraud, scammers can pursue a plethora of goals, but gaining monetary benefit is often the ultimate one. 

Here are the most common types of identity fraud:

When trying to gain unauthorized access to online services or offline facilities and territories, fraudsters opt for false identity documents, creating physical or digital forgeries. If another person’s data is used, this is referred to as an impersonation attack.

The INTERPOL definition of ID document fraud includes three categories:

• Counterfeits—When genuine documents are reproduced without authorization.

• Forgeries—When genuine documents are altered in some way.

• Pseudo documents—When fraudsters craft false IDs that were never issued in reality and are not officially recognized. 

Digitalization and the rise of generative AI have increased the number of tools available to criminals. For example, anyone can generate a compelling enough fake ID with photo or video generators such as OnlyFake. The cost of such a fake is alarmingly low: about $15. 

False IDs can be used in a variety of identification scenarios, both on-site and remote, from crossing a country border to opening an account with a payment service provider. 

Using someone else's biometrics, such as face or fingerprints, to deceive inspectors is an example of this type of fraud. When these attempts occur online, they are called presentation attacks. 

Since biometrics are now frequently used identification and authentication factors, fraudsters use them to sign up for services under a false identity or take over other users’ accounts. Creating synthetic identities, where a real person’s data is mixed with fake entries, is also a form of biometric identity fraud.

Genuine or false identity documents and biometrics are frequently used for numerous fraudulent activities. For example, the personal information of a company executive can fuel a BEC (business email compromise) attack, where fraudsters impersonate organization representatives via email to benefit from their fake authority. 

The list of common fraud types also includes, but is not limited to, payment fraud, platform fraud, and phishing scams. 

Fraud detection is a set of techniques aimed at identifying fraud in business. This process involves the participation of responsible specialists and the use of specific tools. Typically, these include dedicated compliance officers, risk and fraud managers, or a team of IT specialists.

A fraud detection system can be represented as a framework which comprises the following components:

As you can see, to detect fraud effectively, you need:

• Specialists who are knowledgeable in the subject and keep in touch with your identity verification (IDV) vendor support reps;

• An automated IDV solution that embraces both document and biometric verification, and can be tailored to your business needs through customization;

• A comprehensive ID document template database with regular updates from a vendor to verify foreign IDs;

• A set of advanced technologies under the IDV hood that make the verification process  quick, yet secure;

• Productivity assessment aimed at identifying the percentage of flagged users and evaluating the number of false positives and negatives to keep the right balance between security measures and user comfort;

• A review schedule for all components that tracks the emergence of new industry standards and updated ID documents.

Fraud prevention is a long-term strategy covering a company’s risk assessment, fraud detection, and consequence management. Typically, it covers all touchpoints of the customer journey, from enrollment to every transaction in the system. Fraud prevention measures should be implemented at both the user identification and authentication stages. 

As part of risk management, a fraud prevention strategy is usually drawn up by department managers and approved by the company’s stakeholders and board of directors. 

Among other aspects, it describes objectives, necessary documentation, employees’ responsibilities, fraud prevention procedures, and controls, including the resolution of fraud cases. 

A fraud prevention strategy also requires regular review to remain relevant. Since fraudsters are constantly advancing their techniques, outdated solutions can miss sophisticated attempts to illegally penetrate your perimeter.

Therefore, while fraud detection serves as a toolkit, fraud prevention is a detailed plan outlining where, when, and how to apply it effectively to succeed in creating a secure ecosystem. However, both definitions fall into the same category as risk management practices. In the next sections of this blog post, we’ll use these concepts as parts of the same whole.

When it comes to choosing fraud detection and prevention techniques, the current business processes, as well as the company’s industry, should be considered. 

For instance, unlike a neobank, which operates fully remotely, a traditional bank often has both physical offices and online applications to serve customers. That means that, while a neobank should focus solely on remote scenarios, a traditional bank also needs the proper equipment and procedures for verifying physical documents on-site.

In regulated industries such as Banking, there are also mandatory standards to comply with, such as establishing an appropriate Know Your Customer framework. Primarily aimed at preventing money laundering and terrorism financing, KYC fraud detection measures also help reduce the risk of identity fraud. 

Let’s take a closer look at the key elements of a robust identity fraud protection system.

Even domestic identity documents have myriad legitimate versions. Inspectors often don’t know exactly what data and security features a particular passport or driver’s license should contain. Fraudsters try to capitalize on this fact when crafting fakes.

This is why your identity verification solution should be equipped with a large database of ID templates. For example, Regula Document Reader SDK relies on a database of over 13,600 items from 249 countries and territories.

By harnessing the latest technologies, fraudsters can now create more compelling fake identities. To successfully detect sophisticated fraudulent traces, such as photo replacement or RFID chip cloning, you need powerful software. 

The set of authenticity checks must include, at the very least, document image quality assessment; MRZ, barcode, and QR code reading and verification; document type detection; data validation in the Visual Inspection Zone; and document liveness. The more checks, the more reliable your solution is.

A complete solution should also include a  biometric verification component with face matching and liveness detection to ensure a user is the real person they claim to be. Liveness checks also help detect presentation attacks involving silicone masks, on-screen photos, and other fraudulent artifacts.   

More customers are using their mobile devices for enrollment and authentication. However, issues arise when third-party smartphones are integrated into the process, as they pose a constant threat. Scammers and identity thieves can effectively exploit this remote channel, preparing presentation attacks using numerous tricks, from submitting on-screen selfies to performing video injections. In some cases, there is no actual verification; instead, there is only a “verified” result, prepared by the fraudsters in advance and sent back to your systems during an injection attack. This is why it’s never a good idea to accept verification results from an untrusted device at face value.    

The zero-trust-to-mobile approach involves re-verifying results obtained from a user’s mobile device within a trusted perimeter. This is why the presence of server-side verification is a must in the list of methods for identity fraud detection and prevention.

Customers expect your apps to be not only secure but also speedy and smooth. Establishing the optimal balance between these aspects should be part of your fraud detection and prevention strategy as well.

This is partly the responsibility of the IDV vendor, which should meet industry standards while developing the solution. According to Gartner analysts, the average selfie retake rate must be 7% or less. By harnessing the latest technologies, such as face capture and image quality assessment, this indicator can be reduced even further. For example, Regula solutions now show a 5% retake rate on average, and almost a 0% retake rate for facial recognition. 

Last but not least, a robust anti-fraud strategy should include awareness campaigns and regular training programs for personnel. Fraudsters frequently exploit the lack of cybersecurity knowledge among employees by sending compelling phishing emails, which are now powered with generative AI. 

Establishing and formalizing an adequate digital authentication ecosystem within a company is critical as well. According to a recent report from the National Institute of Standards and Technology (NIST), companies shouldn’t force employees to change their corporate passwords periodically. Instead, it’s more reasonable to reset passwords or other authentication factors only when they have been compromised. The issue is that employees often set less secure passwords and forget their credentials. 

Mapping out a fraud detection and prevention strategy is a challenging task. Primarily, any strategy is a model of “how it could be,” not “how it is.”

Here are some obstacles you might come across along the way:

• Emergence of new types of identity fraud and scams: The pig butchering scam, based on luring online users to invest in fake cryptocurrency trading platforms, is one of the newest ones. According to a Visa study, 10% of surveyed adults have been recently targeted in a pig butchering scam. 

• Issuance of new versions and types of identity documents: For instance, the launch of the EU Digital Wallet program last year requires new approaches from the IDV industry. 

• Adoption of new verification scenarios: A Regula survey revealed that 73% of businesses globally now operate both online and in-store. That means remote identity verification is becoming a mandatory process for more companies.

• Low quality of user devices: A significant portion of your target demographics, especially from the Asian and African regions, may not be using the latest versions of smartphones but instead rely on basic or budget mobile devices. Consequently, you may encounter challenges in processing blurred and darkened selfies and document photos when entering certain markets. However, implementing technologies such as image quality assessment, as well as providing clear prompts for users, can help solve this problem. 

• Submission of foreign IDs to your systems: The rise of digital nomadism and work migration are signs of post-pandemic economies across the globe. The necessity to onboard new customers by verifying their non-domestic passports and driver’s licenses can be a challenge for an organization.

• Compliance burden: New regulations associated with identity verification are introduced every year. That makes things harder for companies in Banking, Fintech, and other regulated industries.  

• UX and fraud detection and prevention balance: Finally, businesses have to streamline their procedures while keeping them secure and reliable. 

Gartner analysts describe a holistic identity verification process as a 5-step approach. It includes document image capture, document assessment, document data extraction, selfie image capture, and face comparison. This means that both document and biometric checks are performed simultaneously. 

Regula Document Reader SDK, enhanced with Regula Face SDK, covers all the required stages. What’s more, by opting for a single-vendor solution, you can avoid a complex infrastructure based on a mix of software from different providers. Book a short intro call to learn more about your possibilities with Regula.