Identity Verification Solutions for a World of Synthetic IDs
Synthetic identity fraud takes pieces of information from real people and manipulates them so a criminal can pretend to be that person. It can be very effective if there aren’t methods to spot it. But even though there are scammer gangs constantly coming up with creative ways to abuse documentation and commit this kind of fraud, there are companies and communities dedicated to fighting it. And new advances in identity verification are always changing the game.
See 5 Common Uses for Synthetic ID’s with Stuart Wells for a complete transcript of the Easy Prey podcast episode.
Stuart Wells is the Chief Technology Officer at Jumio. He is responsible for software development, cloud services, and machine learning, and the majority of his work goes towards verifying identity documents from over 200 countries to detect and prevent synthetic identity fraud. He spent almost thirty years working with the big Wall Street banks and global financial services. There, he looked at a variety of solutions for different types of fraud, including credit card fraud, ATM fraud, and account takeovers. With Jumio, he focuses especially on identity theft and identity verification. It’s like being a mini Sherlock Holmes. Some attacks are just a sticky note on a document, but others are much more sophisticated. For each one, he gets to explore how fraudsters work, reverse-engineer how they did it, and try to find ways to prevent it in the future.
How Verification has Evolved
The need to verify authenticity of a document isn’t new. Even a hundred years ago, people were exploring the science of document security features to keep criminals from counterfeiting banknotes. Today, there’s a lot of technology that goes into preventing fraud, both on banknotes and on identity documents.
Most passports, for example, contain fourteen security features on each page. From tactile text (text you can feel) and laser perforations to holograms and polycarbonate coatings, there’s incredible science in it. And the same document that you use to enter a country and that has all these great security features is the same one you can submit for online identity verification. The idea is to make it as frictionless as possible for you, the consumer.
However, many of those great security features aren’t as easy to verify through a photo or video as they would be if you could actually touch the document. Which is why companies like Jumio have people take a photo of the passport, then a photo of themselves, and compare the two. They work to match basic stuff like that the age is correct, but also identify if the images have been tampered with.
It’s a very simple process for the end user. But behind the scenes, there’s a tremendous amount of machine learning and artificial intelligence used to actually do that verification.
Stuart Wells
Why People Use Synthetic Identities
You need identity documents to do almost anything in life. If you’re booking travel internationally, you need a passport. If you’re getting a job, you need to prove your identity. Even to rent a house or apartment, you have to provide some form of ID. There’s a huge variety of places where you need ID and synthetic identities can be helpful. It’s not limited to one industry, either. People use synthetic identities to open bank accounts, but also to get healthcare, book hotels, get jobs, and even gamble online.
With technology these days, synthetic identities aren’t even difficult to get. Until recently, you could get a high-quality synthetic ID for between $400 and $1,000. Today, you can buy one for $20. This creates a lot more opportunity. And it’s not just criminals using them, either. There are a large volume of people using them to commit crime. But there are also a lot of people using them in situations where they just want to live their lives, but they can’t use their own identity, such as being in a country illegally. These identities are used for both.
What makes it more challenging is that fraudsters use automation to scale up their attacks with synthetic IDs. They buy thousands of identity documents on the dark web, then use techniques like face morph. Face morph lets the criminal combine the actual face on the ID with a picture of themselves, creating a new face that looks enough like them that they can use the ID. Face morph is quick and easy to do, so they can attack hundreds of times a day. That’s why any good identity verification system needs to be able to detect manipulation like face morph.
The fraudsters are becoming ever more sophisticated, we’ve got to become more sophisticated to prevent them.
Stuart Wells
Companies are Increasing Identity Verification
It’s not just banking, fintech, and financial services using identity verification anymore. More and more businesses are using products like Jumio to verify their customers. There are multiple reasons this is beneficial. Keeping fraudsters out protects their company’s financial assets. It can also protect them from reputation damage.
Awareness is also helping with this issue. Studies say that 65% of people are aware of and concerned about deep fakes, deceptive video calls, and similar issues that technology can create. Because of this awareness, businesses are starting to take action towards better identity verification.
Identity Verification in Account Creation
We’re going to see more and more companies asking for ID or some sort of verification tool when you create your account. That way they can do a better job keeping fraudsters out.
Biometrics is especially popular as a tool against fraud. A recent study showed out of the top hundred countries in the world, only one doesn’t use biometrics regularly. You can use your biometrics to get on a train in Tokyo or Moscow. For a while, China was experimenting with limiting the number of toilet paper sheets allowed by using biometrics. Either by themselves or as part of multi-factor authentication, they’re becoming more prevalent.
Stuart recently returned home from an international trip using Global Entry. When he walked through the security line, they took a picture of his face, and then he just kept walking. They didn’t stop him and didn’t even look at his passport. It was convenient and frictionless – and as long as the facial biometric quality is good enough, very secure.
This same process is slightly different with online identity verification. It requires a system or a person to look at the image, look at you, and make sure they match. But fraudsters can “inject” an image into the device, bypassing the camera. It looks like they’re sending in an image that they took just now, but it’s really a doctored image. So there’s multiple sides of the issue. Face matching can be fast and convenient, but depending on the method, it can cause new attack vectors.
The Dangers of Deep Fakes
There was a recent news story where fraudsters used deep fakes to steal $25 million. The target thought they were on a video with their colleagues, but it was really deep fake images of their colleagues’ faces morphed onto the fraudsters’ faces. It was such high-quality that the person believed they were dealing with their colleagues and sent $25 million to the fraudsters.
Most people don’t realize that it’s very easy to buy a bunch of different IDs, take the legitimate image on that ID, morph it with the face of the fraudster, and give the fraudster an image that looks very much like the person on the ID. It’s often so good that the fraudster will have their identity verified as the person on the ID.
This is a real challenge for businesses. In the past, you used to be able to have well-trained humans look at a selfie, look at a document, and be able to verify identities or catch fraud. But that’s no longer the case. Adversarial networks, a type of machine learning, can generate such high quality that even a trained person may not be able to spot it. When fraud is happening through machine learning, the only real way to detect it is with machine learning.
You need machine learning to detect deep fraud that’s based on machine learning.
Stuart Wells
How to Identify Fraud and Deep Fakes
The good news is that fraudsters aren’t perfect. You can still identify things that aren’t quite right and spot potential fraud if you pay attention. Most of us have good intuition. You generally don’t need an identity verification software to tell you if something is fishy. Listen to that inner skepticism and check into anything that feels off. And even if nothing feels off, always check a separate source before you transfer any money.
Fraudsters are very innovative … but they make mistakes, and that’s what we have to rely on.
Stuart Wells
Deep fakes aren’t perfect yet, either. There are “tells” that you can watch for that something, especially a video, isn’t quite what it claims to be. Deep fake software has a hard time reproducing blinking. Watch to see if the person in the video blinks, and if so if there’s anything strange about it. Also watch their facial muscles to see if they synchronize with the voice. Often it will be just slightly off. Face morph may be able to put a different face on a scammer’s head, but it won’t be able to change their head shape, so you can also watch for that.
When it comes to deep fake voices, it turns out most people aren’t able to detect the difference between real and fake. But a machine learning model can spot fakes. Human voices have irregularities that artificial voices don’t, and generally only other tech tools can pick it up. So when it comes to voices, identity verification by technology is the only truly reliable option. So trust your gut and verify. If something seems fishy or it’s a threatening situation, hang up and call back.
The Future of Identity Verification
Right now, most biometrics are unimodial. That means they use only one point of verification, such as just your fingerprint or just your face, for identity verification. But the industry is moving more towards what’s called multimodal liveness. This uses a combination of biometric identifiers and signs that you are a real, alive person, not a computer-generated fake. Signs of aliveness can include those irregularities in your voice, looking for tiny movements in your eyes, or even the blood flow in your face. These are all things that sensors can identify on real, alive humans, but that deep fakes can’t successfully imitate yet.
But there’s even ways to go beyond these things for more thorough identity verification. If you think about your identity, you probably think about obvious information like your name, your social security number, or your address. Since we were just talking about it, you may think of biometric indicators like your voice or your fingerprint. But you can think about it more broadly, too. There are actually more ways to identify who Stuart Wells is by the way he uses his phone than just by biometrics. The way you pull it out of your pocket, the way you lift it and hold it, and the way you swipe on your keyboard are all unique. If you can combine these “behavioral biometrics” with physical biometrics, you’re future-proofing your identity.
We have the benefits of being able to use all the information coming from the phone to protect ourselves.
Stuart Wells
The Future is Happening Now
Nobody wants verifying yourself to be harder and more complicated. But by using multimodal biometrics, you can secure your identity without ever having to present documentation. It’s no longer very hard for a criminal to fake even your face. But it’s much, much harder for them to fake your face and the way you interact with your device. Combining all this leads to multi-factor authentication where there are four or five different factors securing your identity.
Most security systems are layered. The same thing is going to be needed to protect your identity.
Stuart Wells
There are a lot of companies actually working on these kinds of identity verification solutions today. With the innovations in mobile devices, we can now get data from accelerometers, gyroscopes, magnetometers, and more. And they’re getting more sensitive practically by the day. By using this data to verify our identities, we can make it even more convenient for us, while making it more difficult for criminals to pretend to be us.
Learn more about Jumio and what they do through their marketing and PR materials at jumio.com. They file patents for the tech they build, and you can find those through online patent searches. If you want to send a question or request directly to Stuart Wells, you can reach him at [email protected].
Related Articles
- All
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
Choosing from the Best VPN Trials of 2024: Which One is Best?
Whether you are shopping for a VPN for the first time or you are ready to make…
[Read More]Guide to Types of AI Models and How They Work
When you think of AI (Artificial Intelligence) models, you may automatically think of generative AI like OpenAI’s…
[Read More]Adversary Emulation for Business Cybersecurity
Security risks are constantly changing. Projects start and end, employees leave and are hired, new tools replace…
[Read More]Should You Use Apple’s Lockdown Mode? Here’s What you Need to Know Before You Decide
With the releases of macOS Ventura and iOS 16 in 2022, Apple rolled out a new feature…
[Read More]Protect Against Ransomware by Planning for Ransomware
Ransomware is a huge cybersecurity threat, and it’s only growing. It’s especially a risk for businesses, but…
[Read More]PIA: Private Internet ACCESS
The Private Internet ACCESS VPN will deliver the security, performance, and online access most users want. Behind...
[Read More]