ID verification has become a crucial method to identify individuals in the past year due to virtual requirements. It has allowed many new services to be offered digitally, such as account openings and financial services in critical times of need. However, with every new technology, there are plenty of bad actors waiting to exploit it. These actors can be highly sophisticated and organized worldwide, making it difficult for them to face repercussions. ID verification bypassing has gone global, but the U.S. government is starting to take action, as observed in the SecondEye Solution case. Unfortunately, this is just one of the clearnet vendors, and acts against more underground services might take time.
To start, we can look at some standard bypass methods. These are commonly shared and documented between fraudsters, and some can be defeated with extra controls while others are difficult to detect.
Image Alterations and Video Software
Fraudsters use tools like Photoshop, Manycam, Split Cam, OBS, and CrazyTalk8. They can modify their camera feed to use any images or video for a specific step in the verification process. Even services that use an actual live video can be deceived. The fraudster needs the right frames extracted at the time expected to bypass the checks. (Example Video)
Liveness checks with specific movements of body parts is another attempt at defeating these attacks, but fraudsters can recreate each scenario easily with the software they have. Next intercepting requests to the API endpoints can be done with tools like Burp, similar to many pen-testing activities looking to submit modified requests.
Preventing it through analysis of metadata of a file can be done, and checking system attributes to ensure the images are being taken from an actual device at that time. Systems might also check for glare and other labels from the picture that machine learning deem fake.
Face Masks and Mannequins
These can range from sophisticated to basic levels of attacks. Most human reviews can quickly identify masks and mannequins. However, many systems that are using machine learning for their analysis might be fooled if they don't incorporate additional checks.
Using a low bandwidth or low-quality camera is another way to trick the verification system as most require high-quality footage to detect certain inconsistencies.
Stopping it can be used through machine learning to detect specific attributes of verification, such as light reflections.
Hire a Stand in and Deep Fakes
This method is complicated to detect as there is no use in liveness checks or accurate image checks. The ID will look 100% legitimate with only the photos being replaced. The fraudster can use all real data such as driver's license ID, name, DOB, etc., from leaks or unauthorized services that will pass any database checks. All this can be printed on a physical ID and then used for verification. The fraudster will then find someone willing to knowingly participate in the fraud or even be tricked into thinking it's part of a job application.
Deep fakes are a more complicated method but one that requires much data to create with non-celebrities successfully. Now it is not very practical and more straightforward for most fraudsters to use a different approach like mentioned above. Once there is a simple and easy-to-use software similar to sites like https://thispersondoesnotexist.com, we should expect a shift in this method to defeat liveness checks.
Requiring the person to confirm the service they are verifying for can help detect some cases. Another method could include verifying their social footprint, which would have a history of the face you expect to verify. Lastly, using live video meetings with another human is a way to defeat any coached or trained subjects to ensure they are signing up for your service. Furthermore, continuous re-authentication of a face at random intervals can confirm the user is still the same.
Each bypass method requires some sophistication to implement as just one attribute missed could alert a fake. Instead, many fraudsters continue their trend of outsourcing parts of their fraud to specialists who can complete the ID verification step. ID and biometric checks are just one method that can be used in an overall fraud prevention strategy. Having an adaptable system that can defeat multiple fraud attacks is critical to keeping your business secure. If you are looking for new ways to verify customers, then check out Trust Swiftly's suite of 10+ methods that can throw a wrench into fraudsters' plans.