Security Report 2019 How to fight identity fraud Making the connected world a safer place


Armin Bauer, Co-Founder and CTO, IDnow

Fraud never sleeps - neither do we. Whenever technology changes the way people do business, fraud is an issue. To consistently stay ahead of the latest fraud methods, you need to be the quickest, the most creative and well connected.

As an online verification partner, it’s our responsibility to track their activity, react quickly and be flexible in re-engineering the security system. This modus operandi ensures we maintain our market-leading security and protect our customers from losses through fraud. However, it’s not enough for us to know that we’re winning this security race. We want to talk about what we’ve experienced over the last year and to share some of our insights with our customers and the wider market.

Due to our unique technology and the outstanding security our customers enjoy with IDnow products, VideoIdent and AutoIdent, we see a different type of attempted fraud to that of other providers.

This report will focus on the specific types of identity fraud that happen during a digital customer onboarding, whether this is opening an account or applying for a loan.

According to one survey of European Banks, the frequency of this type of fraud has doubled since the previous year of reporting. The fraud method most commonly seen in application fraud? Social engineering. According to the European Payments Council’s most recent report, this method of fraud is the most important threat in the payment landscape. However, while the banking sector is by far the juiciest target for attempted fraud, security is not purely a banking concern. Whatever your business, if you want to integrate robust KYC (know your customer) into your onboarding process, you want the best.

That’s why we invite you to read on and find out how we’re hard at work outsmarting some of the best criminal minds on the planet. All this work goes to improving our identification products, which our customers use to build trust with their own users, in a whole host of industries.

If you’d like to find out more about how our technology is constantly evolving to stay one step ahead of fraud, please feel free to get in touch.


Index

Fraud attacks on the internet are increasing

The most common fraud methods

What is similarity fraud and how to fight it

What is False Acceptance Rate

What is fake ID fraud and how to fight it

What is social engineering and how to fight it

Check list: What to look for when selecting your ID verification partner


Fraud attacks on the internet are constantly increasing

New predictions show tremendous numbers

In 2015 damage caused by internet fraud amounted to $3 trillion for the worldwide economy. Latest predictions say: It will be $6 trillion in 2021 – with a rising trend. This makes cyber fraud one of the biggest threats in our economy and the fastest growing crime. It becomes way more profitable than the global trade of illegal drugs.

Enterprises all over the world need to focus on this cost-intensive problem. With over 1.9 billion websites currently, there is a huge possibility for fraud to be committed - a serious problem that must be slowed down.*

[Figure: damage caused by internet fraud: $3 trillion (2015), $6 trillion (2021)]

* https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/


What is False Acceptance Rate

100% more secure: IDnow detects fraud significantly better than the requirements of some of the highest security standards.

Current regulations require a biometric system for governmental use to have a False Acceptance Rate (FAR) of below 0.1%. IDnow is clearly outperforming even these very high requirements with a FAR of only 0.05%.

False Acceptance Rate (FAR)

FAR is a specific key performance indicator which measures false acceptances with a biometric security system. It tracks and evaluates the precision of a biometric system. It therefore determines the rate at which unauthorized users are verified on the system. The lower the FAR is, the more advanced the technology is.

Why is this so important to us?

When it comes to cyber-fraud, every single case counts because it’s your (respectively, your clients’) data and money. Outperforming the required FAR helps companies to save money and raise customer happiness.


The most common fraud methods

Of all fraud methods social engineering is the biggest issue for companies.

There are an uncountable number of fraud methods all over the internet. Three of the most noticeable in our market are similarity fraud, fake ID fraud, and – the most frequent – social engineering.

Social engineering has become the most common fraud method in 2019, accounting for 73% of all attempted attacks. It lures unsuspecting users into providing or using their confidential data and is increasingly popular with fraudsters, being efficient and difficult to recognize.

Over the following pages we will show you each of these methods in detail. Step-by-step we explain what they are and what you can do to protect your customers and your company.

[Figure: fraud methods shown: similarity fraud, fake IDs, social engineering; shares shown: 11%, 16%, 73%]


Social engineering

A deep dive on what it is and why it is so difficult to fight it.

What is it?

Fraudsters trick innocent people into registering for a service using their own valid ID. The account they open is then taken over by the fraudster and used to generate value by withdrawing money or making online transfers.

1. User gets engaged with the fraudster
2. User signs up for a service
3. Fraudster takes over the account
4. Fraudster uses the account for illegal business

The innocent parties are contacted by fraudsters directly, via Facebook messenger or WhatsApp for example, or they click on genuine-seeming ads or promotions they find online. They are given a cover story, persuading them to open accounts with IDnow’s customers in return for the promise of payment. The most common cover stories we saw this year were working as ‘secret app testers’, fake job offers, and bank loans with special conditions.

What’s new in 2019?

• This year saw an overall increase in social engineering attempts compared to other fraud techniques.

• Additionally, we are seeing more examples of applicants being coached, either by messenger or video call, on what to say during the ident process. Specifically, they are instructed to say that they were not prompted to open the account by a third party but are doing so by choice.

• Fraudsters are creating sophisticated architecture to boost the credibility of their cover story – this includes fake corporate email addresses, fake ads, and even full fake websites.


Social engineering is a major threat in 2019

Who are the victims and how exactly does it work?

Where do fraudsters find their victims?

Fraudsters mainly look for their victims on online portals where people search for jobs, buying and selling things, or connecting with other people.

In most of the cases, fraudsters use fake job ads, app testing offers, cheap loan offers, or fake IT support to lure their victims. People are contacted on channels like eBay Classifieds, job search engines, Xing, Facebook groups, or even through Google Ads.

[Figure: portals shown: Ebay Classifieds, Indeed, Other, Xing, Jobmensa; shares shown: 83%, 9%, 4%, 2%, 2%]


How fraudsters fool their victims

Fraudsters have well-developed methods which look very real to unsuspecting users.

A frequently used technique is to post a job offer so people respond in anticipation of an uncomplicated job, like testing apps.

They send all their data (for an application form) and get instructions on how to “test” the app. The fraudsters tell them how to proceed, how to answer special questions, and which registration name and password they should use. In the end, the victim opens a bank account which the fraudsters can use to operate fake shops or other illegal activities.

“Hi, I’m an informatics student and I’m looking for a side job.”

“Thank you very much for your interest. You are one of the first applicants, so I choose you. I transfer you an advance of 450 EUR if you confirm now. You can start your work as soon as you receive the money. Please fill out the application form and send it back via WhatsApp. We need the exact data, as it is on your ID-card…

…If the app tells you that there is a long waiting time in the queue and they can inform you via push-notification or text message – don’t confirm. This notification will come weeks later. Just stay in the queue…

…Important hack: The IDnow agent should not notice that you open the bank account for a job – otherwise they will open a business account for you which cost 350 Eur. If they ask you if this is for a job, answer with ‘no’, so they can setup a private account. It’s important to do this today or tomorrow.”


How to fight social engineering

IDnow’s specific security features to fight social engineering

What we do

IDnow has developed special security features for every method we’re currently facing. To fight social engineering, a mix of technical and ‘personal’ mechanisms is necessary. Only technical features and a trained human agent working together are able to track down social engineering attacks.

Takedown service

With every attack, we learn. Our takedown team is constantly checking new methods and tricks to identify websites which lure in innocent people. With good connections to the most used web hosts and a very engaged research team, we were already able to take hundreds of websites offline. We also benefit from our users’ knowledge – if we detect a fraud attack, we work closely with the person concerned to find out as much as possible about the approach of the fraudsters.

Psychological questions

To detect social engineering, even if it is well disguised, specially trained staff are an additional safety net that can be applied. After all, we’re facing a real person with valid documents who wants to use our service, just like every other client. We developed an advanced set of questions and checks that the user will be asked once we detect an elevated risk of a social engineering attack. This set of questions is constantly updated every time we identify new attack patterns. At the beginning of the verification process the user is asked why they want to open an account, if anyone paid them for this, if it is a test, etcetera.

Device binding

To make sure that the only person who can use an app – and the account behind it – is the person who is entitled to do so, the device binding feature is highly effective. In the moment you sign up for a service, the specific app binds with the used device (a mobile phone for example) and, as soon as another device is used, the client needs to verify again. This is considered to be the most effective technical method of fighting social engineering fraud.
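The device binding described above, sketched as an added example that is not IDnow's code: after a successful identification the server hands the app a secret, and later logins are accepted only when the device proves possession of it. The class and function names, the HMAC challenge-response scheme and the sample account and device ids are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ALLOW, REVERIFY = "allow", "reverify"


def device_proof(key, device_id, nonce):
    """What the app computes on the device to answer a login challenge."""
    return hmac.new(key, nonce + device_id.encode(), hashlib.sha256).digest()


class DeviceBindingRegistry:
    """Server-side record of which device each account is bound to."""

    def __init__(self):
        self._bound = {}    # account_id -> (device_id, device_key)
        self._nonces = {}   # account_id -> outstanding single-use challenge

    def bind(self, account_id, device_id):
        """Call only after a successful identity verification on this device.

        Returns the secret the app keeps in the device's secure storage and
        replaces any earlier binding for the account.
        """
        key = secrets.token_bytes(32)
        self._bound[account_id] = (device_id, key)
        self._nonces.pop(account_id, None)
        return key

    def challenge(self, account_id):
        """Issue a fresh nonce for the next login attempt."""
        nonce = secrets.token_bytes(16)
        self._nonces[account_id] = nonce
        return nonce

    def check(self, account_id, device_id, proof):
        """Return ALLOW only if the proof comes from the bound device."""
        nonce = self._nonces.pop(account_id, None)  # consumed: blocks replay
        binding = self._bound.get(account_id)
        if nonce is None or binding is None:
            return REVERIFY
        bound_id, key = binding
        expected = device_proof(key, bound_id, nonce)
        if device_id == bound_id and hmac.compare_digest(expected, proof):
            return ALLOW
        return REVERIFY


def demo():
    """Constructed scenario: account opened on one phone, then used elsewhere."""
    reg, results = DeviceBindingRegistry(), []
    wrong_key = secrets.token_bytes(32)

    # The account holder completes verification on their own phone.
    key_a = reg.bind("acct-1", "phone-A")
    n = reg.challenge("acct-1")
    results.append(reg.check("acct-1", "phone-A", device_proof(key_a, "phone-A", n)))

    # A login from another device has no bound key: verification is required.
    n = reg.challenge("acct-1")
    results.append(reg.check("acct-1", "phone-B", device_proof(wrong_key, "phone-B", n)))

    # Claiming the bound device id without its key fails as well.
    n = reg.challenge("acct-1")
    results.append(reg.check("acct-1", "phone-A", device_proof(wrong_key, "phone-A", n)))

    # A captured proof cannot be replayed because the nonce was consumed.
    n = reg.challenge("acct-1")
    good = device_proof(key_a, "phone-A", n)
    reg.check("acct-1", "phone-A", good)
    results.append(reg.check("acct-1", "phone-A", good))

    # After a new identity verification the binding moves to the new device.
    key_b = reg.bind("acct-1", "phone-B")
    n = reg.challenge("acct-1")
    results.append(reg.check("acct-1", "phone-B", device_proof(key_b, "phone-B", n)))
    n = reg.challenge("acct-1")
    results.append(reg.check("acct-1", "phone-A", device_proof(key_a, "phone-A", n)))
    return results


if __name__ == "__main__":
    print(demo())
```

A `reverify` result is the point where the service sends the user back through the identification process before the new device is bound.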


Fake ID fraud

A deep dive into what it is and how we fight it

What is it?

Our system has caught and rejected a full range of fake IDs, from low-tech photocopies up to highly realistic, commercially produced fakes. Our research indicates that these are freely available on the dark web for as little as €50 and some of them are so realistic that they can often fool human passport agents. The most commonly faked documents are national ID cards, followed by passports in second place. Other documents, including residence permits and driving licenses, were also detected.

What’s new?

The quality of fake IDs is increasing. Where in the past fraudsters used simple color copies of ID cards, now they are switching to more advanced, and more costly falsifications that even include holograms.

Today biometric security is extremely good at fighting this kind of fraud.


ID Cards are attacked 3x more often than passports

[Figure: ID card vs. passport; shares shown: 24%, 76%]

The top 5 countries fraudsters are attacking

[Figure: countries shown: AUT, CZE, GER, ESP, LUX; shares shown: 35%, 24%, 20%, 12%, 11%]


Lifecycle of a fake ID attack wave

What happens if someone tries to sign up with a faked ID card?

[Figure: false acceptance rate and attack rate (frequency) over time, with phases 1 to 5 marked]

1. Initial attack - Attack wave starts. IDnow, due to its large customer base, is among the first to be attacked.

2. Self-learning - Pattern of attack is identified by IDnow fraud network.

3. Efficient defense - IDnow effectively blocks fraud attempts.

4. Laggards still attack - Attackers continue their attempts, although they are no longer successful, and laggards try to jump on the fraud wave.

5. Move on - Fraudsters realize that their attacks are not successful and choose other targets and systems which have weaker protection against fraud.


How to fight fake ID fraud

Security feature check

Our security feature check can detect holograms and other features like optical variable inks just by moving the ID in front of the camera. The system is able to check security features quickly and precisely. We also use machine learning algorithms for dynamic visual detection.

Precision is very important to us because there are some highly professional fake IDs on the market which are available for as low as €50 on the dark net.

Our hybrid model

In some unclear cases, we include a double check where an ident specialist will be consulted. Having a double check increases not only security but also accuracy. Sometimes manual checks are also demanded to fulfill certain industries’ regulatory requirements.


IDnow fraud data network

IDnow has set up a fraud data network. This technique is able to detect faked ID cards, passports, and other documents and block them for all future activities with the IDnow eco-system and platform. If someone attempts verification with a faked or stolen document, the IDnow technology or agent detects this and puts it - automatically – on a blacklist for future encounters: the IDnow fraud data network.

This data is then enriched with fraud information data from third party data sources. To achieve this, IDnow is in close communication with the respective authorities and data providers to get the latest news about fake IDs that are currently circulating.

Once an ID-card or passport is blacklisted, it cannot be used for any service with IDnow.

+20% of fraud is detected via our identity fraud network

You can leverage this even if you are not using IDnow.

How?

Subscribe to the IDnow Fraud Alert Service. This service is free for corporate customers.


Similarity fraud

How we detect stolen ID cards and passports

What is it?

This attempt sees a fraudster using a genuine, stolen, government-issued ID that belongs to a person with similar facial features. It’s the modern version of using your big brother’s ID to buy beer when you’re 15. As fraudsters have developed easier and more efficient ways (like social engineering) this is not a common method of fraud, but it is still happening.

What’s new?

The overall share of this type of attempt is falling, replaced by social engineering.


How to fight similarity fraud

The two-stage process to detect similarity fraud

Biometric check

To detect stolen or modified IDs we use a biometric check. It is based on face recognition comparison technology, which is able to make around 1 billion matches per second. It scans all the characteristics in the user’s face and compares a selfie to the picture on the ID-card or passport. If the technology finds all important features in both pictures it hands over to step 2: the liveness check.

Fraud attempts are automatically flagged at an early stage of the process and rejected. The system currently outperforms human passport agents at recognizing similarity fraud.

Liveness check

What if the selfie is just a picture from someone else? In addition to the biometric check, we utilize a liveness detection program to verify the user’s presence. The technology is able to build a 3D model of the user’s face based on a set of photos and videos taken from different angles while the user is moving his head according to app instructions. In addition we can also use a human ident specialist that is connected live via video-chat to the person being identified.

To fight the different types of similarity fraud, this two-stage process is very effective and much more precise and accurate than a human could ever be without the help of state-of-the-art security technology.

Next step: Fraud network

If the system detects a fraud attempt, it transfers the case to our well-developed fraud network which blacklists the ID immediately.


What to look for when selecting your ID verification partner

AI-based technology - not only on the cover

Many ID verification solutions claim to use AI, but you should take a look under the hood. What is actually powered by AI? How much effort is put into training the AI and keeping it up to date? What level of data accuracy will the service provide?

Hybrid model, combining AI and human intelligence

Highly developed technology is important, but sometimes, when it comes to fraud, human instinct is demanded. Make sure that the ID verification solution you’re interested in offers a human review process in unclear cases.

Psychological security questions

When it comes to social engineering, a technical solution on its own is powerless. Fraudsters are so quick in developing new methods that it’s nearly impossible to build a technology which is able to stay ahead. An efficient way to detect this kind of fraud is to add psychological questions.

Biometric-check and liveness-check

Fraudsters are becoming more and more sophisticated. The biometric check itself could be tricked with a photo but, in combination with a second step, it provides real security. The second step, the liveness check, proves that there is a real person in front of the camera.

Trend spotting and fraud data network

Staying up-to-date requires a lot of insight information. Check the availability of a fraud prevention team, a fraud data network and special fraud trend spotting services with your provider.

Security feature check

To detect fake IDs successfully, a specific security feature check is indispensable. IDnow provides two versions of the security check; a technical version as well as one which is executed by a human agent.

Device binding

Only the entitled user should be able to use an app - and the account behind it. We support you with a device binding feature that can be integrated into the app.


About IDnow

Our founding belief was simple: The world needs a better way to verify identity online. Better than going to physical branches with an ID. Better than signing contracts in person.

The result is the IDnow platform, a revolutionary system for online identification that meets the strictest regulations in the EU. IDnow’s portfolio of over 250 customers includes leading international companies from various industries such as Bank of Scotland, BNP Paribas, Commerzbank, Eventim, Raisin (Weltsparen), Sixt, solarisBank, Telefonica Deutschland, UBS, Western Union, and wirecard, as well as FinTechs such as Fidor, N26, smava, and wefox.

With IDnow Identity Verification Products, better means dramatically improved onboarding rates. It is an experience that is totally smooth for end users, faster, naturally intuitive, and more secure than anything else on the market.

Our unique technology can read complex security features, such as holograms and microtext, built into a physical, government-issued ID as it moves during video capture. This results in industry leading, strong verification.

We launched VideoIdent in 2014 as one of the first providers of video-based global identification. Why video? We realized early on that still images fall short when it comes to security. Only video can provide the information that is needed to fight even the most advanced fraud attempts.

To serve a broader set of markets and use cases, we have launched AutoIdent which provides an unexpectedly fast online verification service.

VideoIdent, AutoIdent, and eSign - IDnow’s headline products - comprise a fast, flexible, and secure identity verification platform built for the enterprise. We are able to make your digital services (genuinely) available to over 7 billion people around the globe. With advanced facial recognition, fully documented APIs, and one of the best regional and international regulatory support on the market, IDnow is fast becoming the industry standard for a range of companies such as banks, social platforms, and digital disrupting startups alike. Better means conversion rates, reduced potential for online fraud, and always-up-to-date adherence to regional laws and regulations. This is only the beginning. Our expertise in AI-based machine learning and big data – and the vision of “a better way” built into our DNA – means we’re always pushing our solutions to be more secure and easier to use.

We never stop. You shouldn’t have to, either.


Questions? Let’s talk.

Give more than 7 billion people in 193 countries access to your products and services with a single identity verification platform that is compliant throughout Europe and beyond. Contact us for a demo.

Auenstr. 100, 80469 Munich, Germany

T +49 (0)89 41324 600

40 rue du Louvre, 75001 Paris, France
