Strengths and Weaknesses of Identity Verifications
In today’s online world, one factor of security is not enough. Businesses need a layered approach to defend themselves with solutions that are easily deployed against evolving threats. This is one of the main reasons behind dynamic friction and why one approach will not work. Fraudsters are learning fast what it takes to bypass your traditional defenses. However, adding in a few types of verification requires extensive development, with no guarantee that it works in the long term. Trust Swiftly develops solutions that stop fraud with an ever-growing list of verification methods. Combining the best features of each verification method, we have created the optimal approach to fighting fraud. In the below analysis, we will discuss some common use cases of verifications and the strengths and weaknesses of each.
Multiple Identity Proofing
Phone SMS Ownership
A client saw a recent trend where transactions used USA phone numbers with all normal matching information. Except for one detail was a new email with an exact match on the customer’s name. This had already raised the risk score. At this point, Trust Swiftly decided to require SMS verification. Free numbers like Google Voice VOIP were also blocked from verification as they provide little insight to the person and are a cheap method for fraudsters to bypass SMS. The fraudster then was unable to confirm their original number instead, they succeeded using UK and Russian numbers. A clear indicator for further investigation that needed even more verification and resulted in knowledge that it was true fraud.
Strength
Confirming a code by SMS or automated calls is convenient and easy to use verification method. Most people have done this many times, so there is minimal training required.
Also, the privacy of the user is maintained as their number is usually shared with many people.
USA and Canada numbers have even more insight that can be obtained on the number such as owner name, address, and carrier.
Blocks many automated actions. Bots typically can not receive the code to confirm themselves automatically.
Weakness
Global data is sparse due to privacy concerns. Numbers from Europe or elsewhere provide little information about the owner.
USA and Canada data is not always accurate as it could be outdated or the person is part of a family plan. Names might not match exactly with the information you have on file.
Technical issues with receiving the codes. The person might have no reception or other trouble entering the code.
Vulnerable to a SIM swap, and the code could not be sent to the actual user but an advanced attacker.
Email Ownership
A client saw a PayPal payment come from a high-risk person who signed up with a mismatch email compared to data provided by PayPal. To confirm the payment was not from a compromised PayPal account, Trust Swiftly was used to confirm the customer’s new email. It was then discovered the fraudster was unable to verify access to the email by entering the confirmation code. The fraudster was able to compromise the account probably due to reused passwords, but the email was secured, preventing further damage. At this point, escalated verifications were triggered to confirm if it was an actual buyer which the user ignored and never followed up.
Strength
Confirm alternate emails of users who have additional signals attached to them.
Useful for businesses that do not collect email addresses but want to leverage the new data insights for fraud detection.
Fast and easy verification method most people have completed.
Limited privacy concerns with sharing email addresses.
Blocks automated actions as requires access to a mailbox.
Temporary and disposable emails blocked from verifications.
Weakness
Simple to sign up for free email addresses
Owner’s email could also be compromised, allowing the fraudster to receive the code.
Limited data collected from email address.
Google Authenticator and Authy Ownership
A client wanted to implement 2FA without the hassle of integrating it into their existing technology and also create dynamic rules to require 2FA with their fraud tool. By connecting with Trust Swiftly, they created a method for people with huge balances in their accounts to require Google or Authy mobile authenticators in order to send funds. They were able to dynamically require a 2FA registration and code prior to sending any funds for their high net worth customers. It also allowed for a seamless experience for their customers as 2FA was only prompted when needed.
Strength
No additional implementation costs for dynamic 2FA
Immune to SIM swaps and requires an actual device to get code
Limited privacy concerns as many users install apps already
Blocks automated actions as requires multiple actions to set up and receive code
Weakness
The slower registration process and steps to enter in code displayed
Requires access to device
Does not provide additional identity data
Lost and stolen devices require additional recovery options
reCaptcha
A client experienced a credential stuffing attack and also automated card testing. They wanted a simple way to stop the bots without adding work for their good users. reCaptcha Enterprise was added to their verification process, which ran seamlessly for their risky users. They did not want the added monitoring or costs of reCaptcha for all users and needed a quick way to gain extra insight into bad users. Google’s reCaptcha data was fed back to their fraud tool to provide even more information about a user’s action, which could be used for better rules and learning.
Strength
Provided fraud tool with extra signal intelligence
No friction to existing good users
Blocks automated actions as required further verifications once a bot was detected
Weakness
Provides limited identity data
Can be bypassed by anti reCaptcha farms
Limited privacy concerns, however, requires adding Google to your service
False positives exist, and people in China may have issues completing it.
Social Ownership
A client wanted to provide their customers with another verification method that didn’t require sharing sensitive information like a selfie. They chose social verifications to allow people to share their profile URL and email of the account. For example, a user refused to verify their phone but was comfortable sharing their Facebook profile information. Once the profile was verified, the client was confident about the person’s identity and allowed them.
Strength
Fast and provides data only consented by the person
Public posting and information can be a strong identity correlation factor
Difficult to create synthetic identities as behavior information is usually aged
Limited privacy concerns as shared information is typically already public.
Blocks automated actions as social credentials are difficult to mass-produce.
Weakness
Some fake accounts are easy to create
Social account security is typically weak and passwords reused
People might not want a social account, and social providers are further restricting data access
Not all social services supported globally
ID Ownership
A client experienced repeat fraud and stolen cards from an advanced attacker. All information from the buyer was high quality, but their risk scoring still required elevated verifications. The individual was able to pass the phone verifications by buying from services on the dark web. Furthermore, they had other good signals, all showing the user was probably legitimate. Since the transaction was from a new person and a very high amount, they wanted to be sure before processing. They required ID verification by Trust Swiftly. Upon receiving the ID from the person the name and age mismatched from the typical customer and likely an unauthorized use of a parents card. After a follow-up, it was confirmed the individual was using their parents’ card without permission, and the order was refunded.
Strength
Strong identifier of persons name and picture
Owned by a large portion of online consumers
Difficult to fake by beginners
Some IDs can be validated by third party databases or comparisons
Weakness
Many services selling fake or photoshopped IDs
Low-quality cameras or scans make extraction difficult
The time-consuming task to complete since might require multiple steps
Technical issues with sharing the IDs
Serious privacy concerns for sharing
Selfie Liveness
A client experienced elusive fraudsters who had been able to complete ID verifications with very compelling pictures. To confirm that the ID and person were real, the client decided an actual video selfie would defeat the fraudster. After waiting for another similar template of the ID, it was decided to use the selfie verification. The fraudster already shared their ID and even a fake picture selfie. However, when asked to repeat with the video version, they gave up their attempts. Live selfies can be a strong deterrence to any fake ID.
Strength
Strong confirmation of person and ID face match
Difficult to fake by beginners to intermediate fraudsters
Blocks any automated actions due to the multiple steps to complete
Weakness
More time-consuming than simple ID uploads
Can be defeated by advanced fraudsters either with partial forged information or outsourcing of service
Multiple attempts required as not a typical action performed by users
Expensive per verification
Serious privacy concerns for sharing liveness and full ID.
Document Ownership
A client wanted another way to verify customer’s identities without collecting sensitive IDs or other private information. They decided to allow other documents such as bills from internet providers and utilities would suffice as a verification method. They were able to speed up their verification process by being confident that the customer had a legitimate name and address from a trusted service such as Verizon.
Strength
Authoritative verification to confirm name and address information.
Most privacy concerns negated if account numbers blocked
Simple upload process that most users are familiar with
Works globally
Weakness
Time-consuming if documents are not readily available
Possible for forged documents and plenty of templates found online
Language and format issues might make it hard to extract data
PayPal Ownership
A client was experiencing a high dispute rate from PayPal transactions. Due to the limited data that PayPal provided automatically on transactions such as BIN and the last 4 digits, their fraud tool wasn’t able to catch all issues. There were also problems of repeated fraudsters creating multiple accounts as PayPal’s verification process is minimal to start. Also, most customers using PayPal refused to do most verifications due to privacy concerns. To combat it, they deployed the PayPal ownership check, which required the user to log in to their PayPal account to share additional information. This new insight was critical as they discovered a trend of newly created accounts that tended to all have fraud issues. They were then able to implement further checks for these orders and completed the verification process much faster over the previous methods.
Strength
Authoritative verification confirming PayPal identity data
Simple login to PayPal that takes a few seconds to complete
Works globally for PayPal users
Weakness
Requires user to have a PayPal account and not a guest checkout
Some identity information may not be shared
It does not detect if the account was compromised. The fraudster could have access to many details of the real owner.
Banking Ownership
A client wanted another option to confirm a user that didn’t have a PayPal account. They also wanted a more secure verification method as PayPal account security doesn’t always match that of a bank. They also needed a way to verify users who didn’t want to share any pictures or personal data. The bank ownership option was chosen as another fast method to verify the customer’s name, phone, and address. These signals were strong trust factors, as banks already employ extensive KYC checks.
Strength
Authoritative verification confirming multiple identity attributes from their bank
Fast login to existing banking portal to obtain information
Limited privacy concerns as the customer know exact data shared
Weakness
Requires users to remember banking login, and low usage requires training about privacy implications. (i.e. no login or passwords shared)
Higher costs due to banks requiring a greater cut of the verification process
Does not work globally and data mainly for USA.
Voice Ownership
A client experienced an advanced fraudster who was able to verify phones by employing mules in Western countries like the USA. However, the mules were only doing the SMS verification to forward the code and also did not know they were part of a fraud scheme. To combat this, they leveraged the voice verification option on Trust Swiftly. They had a strong hunch the fraudsters were Eastern European or from Asia. Once triggered for the fraudsters, they were able to listen to recordings of the person’s voice, which had trouble with the English prompts. This then triggered more verifications, which confirmed the fraudster was not the cardholder.
Strength
Works for any type of phone number. (Mobile / Landline)
Difficult for foreign fraudsters to pass if the cardholder is assumed a native speaker
Easy to track repeats fraudsters due to voice biometrics
Limited privacy concerns as only public information asked
Weakness
Voice recognition not always accurate
Can be defeated by organized fraudsters through hired out services
Not all languages supported
User and technical issues with following voice prompts
Card Ownership
A client was experiencing card fraud from some large transactions on a marketplace but wanted a more guaranteed way to confirm ownership. The fraudsters had SIM swapped the owner and had access to their phone number. SMS verification wasn’t enough, so they decided to use Trust Swiftly’s card verification. This method enabled them to implement 3DS2 charges immediately for high-risk individuals. The verification required the user to be authorized by the bank via 3d secure and confirm access to the recent account activity. Once logged in the account they needed to confirm the random charge amount. This verification was extremely effective against the fraudsters. When one person tried to commit friendly fraud, the evidence helped win the chargeback as there was a history of 3D secure charges.
Strength
Confirms double authentication of the credit card ownership
No new privacy information required
A fast and simple method to verify charges
No technical implementation required for 3D secure.
Can be used for address verification too if not used for normal checkouts
Weakness
Requires re-entering card information to create the verification charge
People may be unfamiliar with the process and need guidance to confirm the amount
Requires a payment processor such as Stripe. (PayPal not supported)
Does not authenticate the cardholder name
Physical Address Ownership
A client needed a way to confirm a user lived in the address signed up with. Since their customers typically were moving locations, a lot of third party databases were not up to date. To verify the address, the client used Trust Swiftly’s address confirmation. The user received a letter in the mail with a unique code for verification. This gave the confidence the client needed to deliver their high-value subscription for risky people.
Strength
Requires a physical collection of mail to an address
Minimal privacy concerns if the address is already shared
Confirms address can receive mail
Weakness
Time-consuming as the delay for mail can take days to arrive
International mail may be lost or more expensive to deliver
Mail might be intercepted before the intended person at the address opens.
Manual Review
A client had been leveraging Trust Swiftly for verifications but wanted to outsource the edge case verifications. Sometimes people didn’t want to complete anything or needed a chat session for a final review. While this number was minimal, usually a few people a day they didn’t want the hassle to decide what to do with the orders. The client used Trust Swiftly’s team to aide in these verification cases that need some extra care. In the end, the client was able to automate and outsource their verification process completely.
Strength
Adds human review for the 1% of verification issues
Improved conversions for every scenario
Live chats confirm human cognition and can be used to uncover fraud trends
Weakness
Delayed responses and wait time for customers if high demand
Privacy concerns for using a different service that communicates with customers
Strategically Implementing Friction
As seen, each method has its time and place for users to fight fraud. Customers and fraudsters can not be predicted on what they will complete, so it becomes necessary to have a strategy for your verification approach. The next evolution for your dynamic friction approach will be using dynamic triggers to apply your dynamic friction. This strategy is the most advanced use case for businesses that want to automate all aspects of their fraud prevention. For example, after a person completes their phone verification, we can also trigger a voice call if their phone country code differs from their IP. Or if they provide bank ownership with a matching name, we can skip any further onboarding KYC checks. Threats evolve, and so should your strategy for defeating fraud. By implementing dynamic friction, the overall objectives of obtaining increased revenue and security will become aligned.