Notorious conman and expert counterfeiter Count Victor Lustig represented himself as part of the French government, claimed the Eiffel Tower needed rebuilding, and sold phony shares twice over.

George C. Parker and various others tried selling the Brooklyn Bridge, while professional swindler Frank Abagnale Jr. faked his career as a pilot, doctor and professor without ever qualifying or training in any of these fields. Rather, he was an expert counterfeiter who falsified identity documents.

This editorial summarizes the major types of Identity Theft and Fraud, their impact across industry and finally discusses Biometric Identity Screening as a useful technique to mitigate Identity Fraud.

The Most Common Categories of Identity Theft

  1. Impersonation: A Genuine Identity Document is Stolen or Falsified
  • Stolen document of someone who looks similar
  • Replacing a photo on a genuine passport
  • Modifying legitimate data, for instance date of birth, name or expiry date, to match other records owned by the forger
  2. Counterfeit or Fake Identity
  • An unauthorized reproduction of a genuine document: these documents are neither issued nor recognized by an official authority
  3. Synthetic Identity
  • Combining genuine (stolen) and fake data to produce a new identity

For simplicity below: the terms “fake”, “falsified”, “forged” and “counterfeit” will apply to any of these three forms of identity theft, as they are commonly interchanged in everyday language.

Fraud Categories with the Greatest Impact

According to a PwC survey (2020) [1], $42 billion was lost to fraud over the last 24 months. The largest categories, Customer Fraud and Cyber Crime, followed closely by Asset Misappropriation and Bribery and Corruption, impact every industry. With the growth of online transactions, e-commerce, e-payments and digital logins, criminals have a way to inflict far greater damage at speed. Whereas physical buildings may install security cameras, there are not the same protections online. Digital theft can be scaled to target multiple businesses simultaneously, all while the criminals hide their tracks more easily than when robbing a bank or a person's home.

  1. Customer Fraud: Stolen, Counterfeit or Synthetic IDs are used during sign-up, possibly with stolen credit cards. Criminals, cut off from the payment ecosystem, may "clean funds" through a process known as Transaction Laundering [2]. Care Homes may bill for non-existent residents, while those without healthcare coverage or legal status may use phony IDs to access insurance coverage. Fake IDs can be used to steal cargo, lease cars and disappear, or obtain mobile phones and then access the ecosystem of e-commerce and online payments. Bogus IDs may be used in Real Estate transactions to hide money laundering proceeds, as well as the beneficial owner. Other times forged IDs are used to cover up fake resumes and obtain employment. Falsified IDs may be used to swindle law firms into transferring proceeds from a trust or real estate transaction. The list of possibilities is endless and growing.
  2. Cyber Crime: High-value accounts are targets of Account Takeover and are traded on the Dark Web. Techniques range from hacking to stealing real identities through to inserting malware [3] or ransomware [4].
  3. Asset Misappropriation: Internal fraud requires access to relevant systems and is usually committed by mid-senior management. To hide fraudulent fund outflows, forged invoices would be inserted from non-existent suppliers.
  4. Bribery and Corruption: This type of fraud depends on internal and external collaboration. A vulnerable or willing employee may accept a bribe to perform a service, such as bypassing controls or awarding a contract. Corruption is far broader and encompasses bribery, abuse of power, nepotism, collusion, fraud and embezzlement.

Cyber Crime differs, in that it centres on hacking. The common thread between the remaining types of fraud is that they each require a Fake Identity. Bribery, corruption and asset misappropriation use Fake Identities to open shell companies, payment accounts and to conceal the true ownership. Client fraud is also greatly influenced by Identity Fraud.

Identity Fraud: Risk Mitigation

One of the primary challenges is the degree of skill required to differentiate between fake and genuine identity documents. The types of scanners used at airports could be used, but are not a suitable solution for digital interaction and remote identification and would be prohibitively expensive to roll out across each office. The following are a series of measures to strengthen digital identity verification and authentication.

Biometric Identity Screening

  1. When a user registers, first validate e-mail ownership and require 2-Factor Authentication (2-FA). Nowadays SMS is commonly used as the second form of authentication, but SMS codes are subject to SIM-Swap Fraud and Phishing. A mobile number can be taken over and used to gain access to that person's account, often without them even being aware. A far better alternative is Key-Based 2-FA, where the PIN is neither transmitted nor stored. It would fail after a few incorrect attempts, and even a keylogger could not access the keyboard.
  2. Require Proof of Address, such as a recent utility bill.
  3. Ensure the real applicant is presenting the identity document.
  4. Validate that the data held in the official document (passport or driving licence), i.e. name, date of birth, expiry, checksums and data held within bar codes, matches data held by independent sources, and apply tampering checks.
  5. Enrol and bind the user with Key-Based 2-FA login.

No system is foolproof but we should aim to reduce most types of identity fraud. A Biometric Identity Screening solution should capture several real-time snapshots of the user and compare video to the photo in the Identity Document. To prevent a fraudster from downloading photos from social media to hold in front of a webcam, there must be a “Liveness” check, where users complete a series of actions, such as looking left or right, to differentiate a real person from a photograph.

Each of these snapshots should be compared to the photo in the official identity document using Facial Recognition. The software should also handle all genders, races and ages, as well as irregular features, such as freckles, ageing or weight gain.

Electronic Passports include multiple security features and are the most stringent form of identity management. The Machine Readable Zone, at the bottom, includes "checksums". If a person changes a name or date of birth without "correcting" the checksums, the Biometric Screening software can invalidate the document and identity. For US Driving Licences, using Real-ID, the software should also decipher the new bar codes.
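The MRZ "checksums" the paragraph refers to are the ICAO 9303 check digits. The following is an added example (not code from the original article or from LetFaster) showing how a screening system recomputes them over the second line of a passport (TD3) MRZ and flags a document whose data no longer matches its check digits. The sample MRZ is the published ICAO 9303 specimen for the fictitious country "UTO"; the tampered variant is constructed here by shifting the date of birth by one day. One caveat a practitioner should know: the check digits cover the document number, date of birth, expiry date, optional data and a composite of those fields, but not the name on line 1, so a changed name must be caught by comparing the MRZ against the visual zone and independent records rather than by the checksum alone.

```python
"""ICAO 9303 MRZ check-digit verification (added example, not the article's code)."""

# ICAO 9303 weights cycle 7, 3, 1 across the characters of a field.
WEIGHTS = (7, 3, 1)


def char_value(ch: str) -> int:
    """Map one MRZ character to its ICAO 9303 numeric value."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10   # A=10 ... Z=35
    if ch == "<":
        return 0                         # filler character
    raise ValueError(f"invalid MRZ character: {ch!r}")


def check_digit(field: str) -> int:
    """Compute the ICAO 9303 check digit: weighted sum modulo 10."""
    total = sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def _matches(field: str, given: str) -> bool:
    """Compare a recomputed check digit with the printed one.

    An unused optional-data field may carry '<' instead of '0'."""
    expected = check_digit(field)
    return given == str(expected) or (given == "<" and expected == 0)


def verify_td3(line2: str) -> dict:
    """Verify every check digit on line 2 of a TD3 (passport) MRZ.

    Layout of line 2 (44 characters):
      0-8   document number         9  check digit
      10-12 issuing nationality
      13-18 date of birth (YYMMDD)  19 check digit
      20    sex
      21-26 expiry date (YYMMDD)    27 check digit
      28-41 optional data           42 check digit
      43    composite check digit over positions 0-9, 13-19 and 21-42
    """
    if len(line2) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    results = {
        "document_number": _matches(line2[0:9], line2[9]),
        "birth_date": _matches(line2[13:19], line2[19]),
        "expiry_date": _matches(line2[21:27], line2[27]),
        "optional_data": _matches(line2[28:42], line2[42]),
    }
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    results["composite"] = _matches(composite, line2[43])
    return results


def is_consistent(line2: str) -> bool:
    """True only if every check digit, including the composite, is valid."""
    return all(verify_td3(line2).values())


# ICAO 9303 specimen MRZ (fictitious holder, fictitious country "UTO").
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

# Constructed tampered copy: date of birth 740812 changed to 740811,
# check digits left untouched (positions 19 and 43 no longer match).
TAMPERED_LINE2 = "L898902C36UTO7408112F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    for label, mrz in (("specimen", SPECIMEN_LINE2), ("tampered", TAMPERED_LINE2)):
        print(label, "consistent" if is_consistent(mrz) else "INVALID", verify_td3(mrz))
```

Running the block shows the specimen passing every check while the tampered copy fails both the date-of-birth check digit and the composite digit. A real screening pipeline would run this after OCR of the MRZ and then cross-check the decoded fields against the visual zone and independent data sources, as step 4 of the list above describes.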

Major Advantages of Biometric Identity Screening

  • Expose fraud more effectively compared to manual checks
  • Strengthen AML Policies: Money Laundering and Transaction Laundering programs
  • Avoid risks related to human errors
  • Fit for remote on-boarding and ongoing authentication
  • Authenticate younger consumers with limited records in credit databases
  • It is scalable, fast, lets you target clients in any jurisdiction and enhances the customer experience

Main Pitfall of Biometric Identity Screening

  • Electronic Passports include certain markers that are not visible to the human eye. They require UV light, which cannot be sent through a webcam or photo. Physical scanners can read UV light. However, unless your company already uses a physical scanner, a Biometric Identity Screening solution is highly likely to produce a superior outcome compared to manual authentication. Similarly, Driving Licences include UV markers, but if the automated Biometric Screening product also decodes the bar code, this limitation is partly overcome.

Additional Security and Internal Control Measures

  • Encrypt all sensitive and identifying data (in transit, storage and at rest)
  • Hold the minimum required data: as soon as an ID has been verified, unless required otherwise by law, remove all biometric data from your systems to protect the user’s privacy and reduce the attractiveness of your systems to cyber criminals
  • Screen all internal controls from a fraud-protection perspective. For example, requiring two signatures for all new supplier selection, accounts and external payments, should reduce asset misappropriation and corruption
  • Data Governance: implement policies and procedures with a full audit trail

Footnotes

[1] https://www.pwc.com/gx/en/forensics/gecs-2020/pdf/global-economic-crime-and-fraud-survey-2020.pdf

[2] Transaction Laundering, also known as credit card laundering or factoring, is a form of money laundering where the website owner is often unaware, and is estimated to top $200 billion in the USA alone. It is a merchant-based fraud scheme using legitimate payment ecosystems to process payments for criminal enterprises selling firearms, illicit drugs, or financing terrorism via unregulated cross-border transactions. By funnelling unknown payments through verified merchant accounts, transaction launderers incorporate the three steps of money laundering: placement, layering and integration.

[3] Malware is a general term that refers to Spyware, Viruses, Trojan horses and Ransomware. What each has in common is the intention to cause harm.

[4] Ransomware is a digital form of blackmail. The victim must pay or be locked out of their systems, have their hard disks wiped, or have confidential client data leaked and potentially sold.

Written by Sara Statman: Founder & CEO

LetFaster: Biometric Identity Screening & Automated Tenant Screening