Strengths and Weaknesses of Complex Verification Methods

In today’s online world, one factor of security is not enough. Businesses need a layered approach to defend themselves with solutions that are easily deployed against evolving threats. This is one of the main reasons behind dynamic friction and why one approach will not work. Fraudsters are learning fast what it takes to bypass your traditional defenses. However, adding in a few types of verification requires extensive development, with no guarantee that it works in the long term. Trust Swiftly develops solutions that stop fraud with an ever-growing list of verification methods. Combining the best features of each verification method, we have created the optimal approach to fighting fraud. In the below analysis, we will discuss some common use cases of verifications and the strengths and weaknesses of each.

1. Phone SMS Ownership
2. Email Ownership
3. Google Authenticator and Authy Ownership
4. reCaptcha
5. Social Ownership
6. ID Ownership
7. Selfie Liveness
8. Document Ownership
9. PayPal Ownership
10. Banking Ownership
11. Voice Ownership
12. Card Ownership
13. Physical Address Ownership  
14. Manual Review

Phone SMS Ownership

A client saw a recent trend where transactions used USA phone numbers with all normal matching information. Except for one detail was a new email with an exact match on the customer’s name. This had already raised the risk score. At this point, Trust Swiftly decided to require SMS verification. Free numbers like Google Voice VOIP were also blocked from verification as they provide little insight to the person and are a cheap method for fraudsters to bypass SMS. The fraudster then was unable to confirm their original number instead, they succeeded using UK and Russian numbers. A clear indicator for further investigation that needed even more verification and resulted in knowledge that it was true fraud.

Strength

• Confirming a code by SMS or automated calls is convenient and easy to use verification method. Most people have done this many times, so there is minimal training required.
• Also, the privacy of the user is maintained as their number is usually shared with many people.
• USA and Canada numbers have even more insight that can be obtained on the number such as owner name, address, and carrier.
• Blocks many automated actions. Bots typically can not receive the code to confirm themselves automatically.

Weakness

• Global data is sparse due to privacy concerns. Numbers from Europe or elsewhere provide little information about the owner. 
• USA and Canada data is not always accurate as it could be outdated or the person is part of a family plan. Names might not match exactly with the information you have on file. 
• Technical issues with receiving the codes. The person might have no reception or other trouble entering the code.
• Vulnerable to a SIM swap, and the code could not be sent to the actual user but an advanced attacker. 

Email Ownership

A client saw a PayPal payment come from a high-risk person who signed up with a mismatch email compared to data provided by PayPal. To confirm the payment was not from a compromised PayPal account, Trust Swiftly was used to confirm the customer’s new email. It was then discovered the fraudster was unable to verify access to the email by entering the confirmation code. The fraudster was able to compromise the account probably due to reused passwords, but the email was secured, preventing further damage. At this point, escalated verifications were triggered to confirm if it was an actual buyer which the user ignored and never followed up.

Strength

• Confirm alternate emails of users who have additional signals attached to them.
• Useful for businesses that do not collect email addresses but want to leverage the new data insights for fraud detection.
• Fast and easy verification method most people have completed.
• Limited privacy concerns with sharing email addresses.
• Blocks automated actions as requires access to a mailbox.
• Temporary and disposable emails blocked from verifications.

Weakness

• Simple to sign up for free email addresses
• Owner’s email could also be compromised, allowing the fraudster to receive the code.
• Limited data collected from email address. 

Google Authenticator and Authy Ownership

 A client wanted to implement 2FA without the hassle of integrating it into their existing technology and also create dynamic rules to require 2FA with their fraud tool. By connecting with Trust Swiftly, they created a method for people with huge balances in their accounts to require Google or Authy mobile authenticators in order to send funds. They were able to dynamically require a 2FA registration and code prior to sending any funds for their high net worth customers. It also allowed for a seamless experience for their customers as 2FA was only prompted when needed.

Strength

• No additional implementation costs for dynamic 2FA
• Immune to SIM swaps and requires an actual device to get code
• Limited privacy concerns as many users install apps already
• Blocks automated actions as requires multiple actions to set up and receive code

Weakness

• The slower registration process and steps to enter in code displayed
• Requires access to device
• Does not provide additional identity data
• Lost and stolen devices require additional recovery options

reCaptcha

 A client experienced a credential stuffing attack and also automated card testing. They wanted a simple way to stop the bots without adding work for their good users. reCaptcha Enterprise was added to their verification process, which ran seamlessly for their risky users. They did not want the added monitoring or costs of reCaptcha for all users and needed a quick way to gain extra insight into bad users. Google’s reCaptcha data was fed back to their fraud tool to provide even more information about a user’s action, which could be used for better rules and learning.

Strength

• Provided fraud tool with extra signal intelligence
• No friction to existing good users
• Blocks automated actions as required further verifications once a bot was detected

Weakness

• Provides limited identity data
• Can be bypassed by anti reCaptcha farms
• Limited privacy concerns, however, requires adding Google to your service
• False positives exist, and people in China may have issues completing it.

Social Ownership

 A client wanted to provide their customers with another verification method that didn’t require sharing sensitive information like a selfie. They chose social verifications to allow people to share their profile URL and email of the account. For example, a user refused to verify their phone but was comfortable sharing their Facebook profile information. Once the profile was verified, the client was confident about the person’s identity and allowed them.

Strength  

• Fast and provides data only consented by the person
• Public posting and information can be a strong identity correlation factor
• Difficult to create synthetic identities as behavior information is usually aged
• Limited privacy concerns as shared information is typically already public.
• Blocks automated actions as social credentials are difficult to mass-produce.

Weakness

• Some fake accounts are easy to create
• Social account security is typically weak and passwords reused
• People might not want a social account, and social providers are further restricting data access
• Not all social services supported globally

ID Ownership

A client experienced repeat fraud and stolen cards from an advanced attacker. All information from the buyer was high quality, but their risk scoring still required elevated verifications. The individual was able to pass the phone verifications by buying from services on the dark web. Furthermore, they had other good signals, all showing the user was probably legitimate. Since the transaction was from a new person and a very high amount, they wanted to be sure before processing. They required ID verification by Trust Swiftly. Upon receiving the ID from the person the name and age mismatched from the typical customer and likely an unauthorized use of a parents card. After a follow-up, it was confirmed the individual was using their parents’ card without permission, and the order was refunded.

Strength

• Strong identifier of persons name and picture
• Owned by a large portion of online consumers
• Difficult to fake by beginners
• Some IDs can be validated by third party databases or comparisons

Weakness

• Many services selling fake or photoshopped IDs
• Low-quality cameras or scans make extraction difficult
• The time-consuming task to complete since might require multiple steps
• Technical issues with sharing the IDs
• Serious privacy concerns for sharing

Selfie Liveness

A client experienced elusive fraudsters who had been able to complete ID verifications with very compelling pictures. To confirm that the ID and person were real, the client decided an actual video selfie would defeat the fraudster. After waiting for another similar template of the ID, it was decided to use the selfie verification. The fraudster already shared their ID and even a fake picture selfie. However, when asked to repeat with the video version, they gave up their attempts. Live selfies can be a strong deterrence to any fake ID.

Strength

• Strong confirmation of person and ID face match
• Difficult to fake by beginners to intermediate fraudsters
• Blocks any automated actions due to the multiple steps to complete

Weakness

• More time-consuming than simple ID uploads
• Can be defeated by advanced fraudsters either with partial forged information or outsourcing of service
• Multiple attempts required as not a typical action performed by users
• Expensive per verification
• Serious privacy concerns for sharing liveness and full ID. 

Document Ownership

 A client wanted another way to verify customer’s identities without collecting sensitive IDs or other private information. They decided to allow other documents such as bills from internet providers and utilities would suffice as a verification method. They were able to speed up their verification process by being confident that the customer had a legitimate name and address from a trusted service such as Verizon.

Strength

• Authoritative verification to confirm name and address information.
• Most privacy concerns negated if account numbers blocked
• Simple upload process that most users are familiar with
• Works globally

Weakness

• Time-consuming if documents are not readily available
• Possible for forged documents and plenty of templates found online
• Language and format issues might make it hard to extract data

PayPal Ownership

 A client was experiencing a high dispute rate from PayPal transactions. Due to the limited data that PayPal provided automatically on transactions such as BIN and the last 4 digits, their fraud tool wasn’t able to catch all issues. There were also problems of repeated fraudsters creating multiple accounts as PayPal’s verification process is minimal to start. Also, most customers using PayPal refused to do most verifications due to privacy concerns. To combat it, they deployed the PayPal ownership check, which required the user to log in to their PayPal account to share additional information. This new insight was critical as they discovered a trend of newly created accounts that tended to all have fraud issues. They were then able to implement further checks for these orders and completed the verification process much faster over the previous methods.

Strength

• Authoritative verification confirming PayPal identity data
• Simple login to PayPal that takes a few seconds to complete
• Works globally for PayPal users

Weakness

• Requires user to have a PayPal account and not a guest checkout
• Some identity information may not be shared
• It does not detect if the account was compromised. The fraudster could have access to many details of the real owner.

Banking Ownership

A client wanted another option to confirm a user that didn’t have a PayPal account. They also wanted a more secure verification method as PayPal account security doesn’t always match that of a bank. They also needed a way to verify users who didn’t want to share any pictures or personal data. The bank ownership option was chosen as another fast method to verify the customer’s name, phone, and address. These signals were strong trust factors, as banks already employ extensive KYC checks.

Strength

• Authoritative verification confirming multiple identity attributes from their bank
• Fast login to existing banking portal to obtain information
• Limited privacy concerns as the customer know exact data shared

Weakness

• Requires users to remember banking login, and low usage requires training about privacy implications. (i.e. no login or passwords shared)
• Higher costs due to banks requiring a greater cut of the verification process
• Does not work globally and data mainly for USA.

Voice Ownership

 A client experienced an advanced fraudster who was able to verify phones by employing mules in Western countries like the USA. However, the mules were only doing the SMS verification to forward the code and also did not know they were part of a fraud scheme. To combat this, they leveraged the voice verification option on Trust Swiftly. They had a strong hunch the fraudsters were Eastern European or from Asia. Once triggered for the fraudsters, they were able to listen to recordings of the person’s voice, which had trouble with the English prompts. This then triggered more verifications, which confirmed the fraudster was not the cardholder.

Strength

• Works for any type of phone number. (Mobile / Landline)
• Difficult for foreign fraudsters to pass if the cardholder is assumed a native speaker
• Easy to track repeats fraudsters due to voice biometrics
• Limited privacy concerns as only public information asked

Weakness

• Voice recognition not always accurate
• Can be defeated by organized fraudsters through hired out services
• Not all languages supported
• User and technical issues with following voice prompts

Card Ownership

 A client was experiencing card fraud from some large transactions on a marketplace but wanted a more guaranteed way to confirm ownership. The fraudsters had SIM swapped the owner and had access to their phone number. SMS verification wasn’t enough, so they decided to use Trust Swiftly’s card verification. This method enabled them to implement 3DS2 charges immediately for high-risk individuals. The verification required the user to be authorized by the bank via 3d secure and confirm access to the recent account activity. Once logged in the account they needed to confirm the random charge amount. This verification was extremely effective against the fraudsters. When one person tried to commit friendly fraud, the evidence helped win the chargeback as there was a history of 3D secure charges.

Strength

• Confirms double authentication of the credit card ownership
• No new privacy information required
• A fast and simple method to verify charges
• No technical implementation required for 3D secure.
• Can be used for address verification too if not used for normal checkouts

Weakness

• Requires re-entering card information to create the verification charge
• People may be unfamiliar with the process and need guidance to confirm the amount
• Requires a payment processor such as Stripe. (PayPal not supported)
• Does not authenticate the cardholder name

Physical Address Ownership  

A client needed a way to confirm a user lived in the address signed up with. Since their customers typically were moving locations, a lot of third party databases were not up to date. To verify the address, the client used Trust Swiftly’s address confirmation. The user received a letter in the mail with a unique code for verification. This gave the confidence the client needed to deliver their high-value subscription for risky people.

Strength

• Requires a physical collection of mail to an address
• Minimal privacy concerns if the address is already shared
• Confirms address can receive mail

Weakness

• Time-consuming as the delay for mail can take days to arrive
• International mail may be lost or more expensive to deliver
• Mail might be intercepted before the intended person at the address opens.

Manual Review

A client had been leveraging Trust Swiftly for verifications but wanted to outsource the edge case verifications. Sometimes people didn’t want to complete anything or needed a chat session for a final review. While this number was minimal, usually a few people a day they didn’t want the hassle to decide what to do with the orders. The client used Trust Swiftly’s team to aide in these verification cases that need some extra care. In the end, the client was able to automate and outsource their verification process completely.

Strength

• Adds human review for the 1% of verification issues
• Improved conversions for every scenario
• Live chats confirm human cognition and can be used to uncover fraud trends

Weakness

• Delayed responses and wait time for customers if high demand
• Privacy concerns for using a different service that communicates with customers

As seen, each method has its time and place for users to fight fraud. Customers and fraudsters can not be predicted on what they will complete, so it becomes necessary to have a strategy for your verification approach. The next evolution for your dynamic friction approach will be using dynamic triggers to apply your dynamic friction. This strategy is the most advanced use case for businesses that want to automate all aspects of their fraud prevention. For example, after a person completes their phone verification, we can also trigger a voice call if their phone country code differs from their IP. Or if they provide bank ownership with a matching name, we can skip any further onboarding KYC checks. Threats evolve, and so should your strategy for defeating fraud. By implementing dynamic friction, the overall objectives of obtaining increased revenue and security will become aligned.