By Charlie Roberts, Head of Business Development, UK, Ireland & EU at IDnow
As technology continues to change the way people do business, the world is seeing heightened security risks. In particular, in the area of identity fraud. Current estimations suggest this type of fraud has doubled in the past year.
In 2015, damage caused by internet fraud amounted to $3 trillion worldwide. Latest predictions say it will be $6 trillion in 2021. This makes cyber fraud one of the biggest threats in our economy and the fastest growing crime. It is becoming far more profitable than the global trade of illegal drugs.
Enterprises all over the world need to focus on this cost-intensive problem. With over 1.9 billion websites and counting, there is a huge possibility for fraud to be committed – a serious problem that must be slowed down.
The most common identity fraud methods
Of all fraud methods, social engineering is the biggest issue for companies. It has become the most common fraud method in 2019, accounting for 73% of all attempted attacks, according to our own research. It lures unsuspecting users into providing or using their confidential data and is increasingly popular with fraudsters, being efficient and difficult to recognise.
Fraudsters trick innocent people into registering for a service using their own valid ID. The account they open is then overtaken by the fraudster and used to generate value by withdrawing money or making online transfers.
They mainly look for their victims on online portals where people search for jobs, buying – and selling things, or connecting with other people. In most of the cases, the fraudsters use fake job ads, app testing offers, cheap loan offers, or fake IT support to lure their victims. People are contacted on channels like eBay Classifieds, job search engines and Facebook.
Fraudsters are also creating sophisticated architecture to boost the credibility of these cover stories which includes fake corporate email addresses, fake ads, and fake websites.
In addition, we are seeing more applicants being coached, either by messenger or video call, on what to say during the identity process. Specifically, they are instructed to say that they were not prompted to open the account by a third party but are doing so by choice.
How to fight social engineering
If organisations are to consistently stay ahead of the latest fraud methods and protect their customers, they need to have the right technology in place to be able to track fraudulent activity, react quickly and be flexible in reengineering the security system.
Crucially, it requires a mix of technical and ‘personal’ mechanisms. Some methods include:
- Device binding – to make sure that only the person who can use an app – and the account behind it – is the person who is entitled to do so, the device binding feature is highly effective. From the moment a customer signs up for a service, the specific app binds with their used device (a mobile phone for example) and, as soon as another device is used, the customer needs to verify themselves again.
- Psychological questions – to detect social engineering, even if it is well disguised, trained staff are an additional safety net that should be applied – and in addition to the standard checks at the start of the verification process. They ask a customer an advanced set of questions once an elevated risk of a social engineering attack is detected. These questions are constantly updated as new attack patterns emerge.
- Takedown service – with every attack, organisations can learn. This means constantly checking new methods and tricks to identify websites which fraudsters are using to lure in innocent people. And, by working with an identity verification provider that has good connections to the most used web hosts and a very engaged research team, they are able to take hundreds of these websites offline.
However, social engineering isn’t the only common type of identity fraud. Organisations should be aware of fake ID fraud. Our research indicates fake IDs are available on the dark web for as little as €50 and some of them are so realistic they can often fool human passport agents. The most commonly faked documents are national ID cards, followed by passports in second place. Other documents include residence permits and driving licenses.
The quality of these fake IDs is increasing too. Where in the past fraudsters used simple colour copies of ID cards, now they are switching to more advanced, and more costly falsifications that even include holographs.
Biometric security is extremely effective at fighting this kind of fraud. It can check and detect holograms and other features like optical variable inks just by moving the ID in front of the camera. Machine learning algorithms can also be used for dynamic visual detection.
Similarity fraud is another method used by fraudsters, although it’s not as common thanks to the development of easier and more efficient ways (like social engineering). This method sees a fraudster use a genuine, stolen, government-issued ID that belongs to a person with similar facial features.
To fight similarity fraud, biometric checks and liveness checks used together are very effective – and they are much more precise and accurate than a human could ever be without the help of state-of-the-art security technology.
The biometric checks scan all the characteristics in the customer’s face and compares it to the picture on their ID card or passport. If the technology confirms all of the important features in both pictures, it hands over to the liveness check. This is a liveness detection program to verify the customer’s presence. It builds a 3D model of their face by taking different angled photos while the customer moves according to instructions.
The biometric check itself could be tricked with a photo but, in combination with the liveness check, it proves there is a real person in front of the camera.
Fighting back
The threat of identity fraud is not going away and, as fraudsters become more and more sophisticated, so too must technology. With the right investment in advanced technology measures, organisations will be in a much stronger position to stop fraudsters in their tracks and protect their customers from the risk of identity fraud.
