
Vulnerabilities in IAL3 and Identity Verification Systems


In this article, we explore current vulnerabilities in identity verification and how advanced threat actors exploit them, with a focus on IAL3 (Identity Assurance Level 3 under NIST SP 800-63A, the level that requires in-person or supervised remote identity proofing). We have prior experience dealing with the most aggressive threat actors and have seen how their operations run in the background, through our own intelligence gathering and defensive countermeasures. Some identity verification companies sell security guarantees backed by overstated real-world experience, little practical application, or a limited understanding of how to detect and defend against fraud. We have observed gaps both in the actual security posture of deployed platforms and in the understanding of how nation-state actors operate in the wild. To aid the entire ecosystem, we review some examples here to help all defenders harden their posture.

The first thing to understand is their objectives, which are mainly intelligence gathering. Overtly offensive actions generate a lot of noise, so a steady stream of data is worth more to these groups than many individual intrusions. This matters because we have seen top-rated groups duped by trivial tricks that kept them unaware of active insider threats. Wasting a highly skilled operator's time on disinformation is a key capability that groups employ against each other, since only a limited number of people worldwide operate at this level. In one case, we monitored a group that invested years of work targeting specific intelligence, only to discover it had been duped by a honeypot set by another threat actor for its own intelligence gathering. There are countless cases of smoke-and-mirrors tactics that make these threat actors highly complex and difficult to track. Dealing with these groups should not be taken lightly, as their activities often intersect with those of ordinary criminals, who brute-force their way at problems they cannot solve with skill. Below we walk through example exploits used by threat actors and then look at best practices for staying secure, including novel countermeasures.

Tracking Threat Actors and Safely Containing Insiders

Typically, these groups operate as if they were invisible, but in reality they are traceable people whose signatures can be tracked across targets. Once you become familiar with those signatures and build systems to track them, you can inventory the exploits each group uses. The hardest part is getting a threat actor to take the bait, as they are very averse to anything that could compromise their operational security. When exposing any of these groups or individuals, do so delicately, because bad actors can behave irrationally toward others and toward themselves. A gradual restriction of access ensures the insider threat is contained safely: for example, move the account into a mirrored environment that sandboxes its behavior, with enough realistic activity that the insider does not realize they are in an enclosure.

The Top IAL3 Vulnerability: Social Engineering and Proxy Hires

The most common way IAL3 and other identity checks are defeated today is social engineering of legitimate people to gain access to specific companies. A threat actor acting as a recruiter finds individuals who are a good fit for the placement, desperate for a job, and unlikely to question odd behavior. To sustain the infiltration, the handlers act as intermediaries for all real work between the placed individual and the technical setup behind them. Advanced nation-state actors do not only target low-level support roles; they also target privileged roles, since those often grant access to an entire company. From the attacker's perspective this approach is better than an external foothold because it creates little internal noise, whereas an external hole can be patched on short notice.

Because the recruiter placed the person in the position, the recruiter can manage the relationship and steer the person's career through successive placements until the end target is reached. With an automated setup, the straw employee can be kept occupied with AI-generated requirements or extended busywork while the actual job is performed by a skilled threat actor. This keeps the quality of the work high and ensures that background checks and identity verification pass, because the identity being checked is real. The person firmly believes they work for the company, but in reality everything reaches them filtered through their handler. The handlers will even let the employee collect the full paycheck to minimize operational risk, since any financial transaction can be traced. Financially motivated operations, as some North Korean operations are, expose the actor to more ways of getting caught, which is why campaigns where money is not the motive are harder to track.

Operating at this level of obfuscation enables extremely long campaigns and bypasses in-person identity checks such as IAL3, because the person being verified is a real individual who believes they hold a normal job. Recruiting knowingly complicit employees who take a cut of a paycheck or lend their identity is a legacy method that fails identity and background checks. Complicit fraudsters were common in the past, but they add risk and are only useful for short infiltrations. The key, easy defense is recurring in-person interaction, since even IAL3 is a point-in-time identity verification exercise. An employee who meets colleagues at in-office events semi-annually is a smaller risk than one who has been fully remote throughout their career. IAL3 on its own will not solve insider threat cases; your own employees are extremely valuable at rooting out this behavior.

Rapid In-Person Checks: Why IAL3 Verifications Must Be Timeboxed

The next scenario we uncovered involved flying threat actors into a country on private jets to attend quick in-person checks. In identity verification, time matters: nation-state actors work with intermediaries precisely so they can move personnel across borders quickly. If a threat actor living in the Middle East is required to be physically present in DC within the next 12 hours, there is little chance of making it on a commercial flight. This is one reason why, when IAL3 verification is required, the process should be timeboxed for maximum security. Extended exceptions or other delays give the threat actor time to prepare for the identity check. These cases are rare, as they require even more resources to sustain and pose significant risk by leaving extensive trails.

This is a scenario where Trust Swiftly excels over other solutions, since we can bind a verification to unique data points collected from an array of sensors. In identity verification, each additional data point can mean the difference between a bypass and catching a bad actor, which is why our solution focuses on capturing the most valuable intelligence available. The amount of data captured and the capabilities of one of our kits are significantly greater than those of a fixed kiosk, and identifying a threat actor is where that data is most valuable. Trust Swiftly offers an advanced solution for actively managing and resolving threats, with multiple options deployable instantly. Another key defense is to allow access to your IAL3 process only at predetermined times and locations. A fixed, always-on device is exposed to a constant stream of threat vectors, while a regulated and strictly monitored device limits when and where an attack can happen.
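As an added example (not Trust Swiftly's product code), the following Python shows one way to enforce the two controls above in software: an IAL3 appointment that is signed, bound to a specific proofing site, valid only inside a short window, and redeemable once. The key, the 12-hour default window, the site identifiers and the in-memory replay store are all assumptions chosen for illustration; a deployment would keep the key in an HSM or KMS and the redeemed-token set in a shared database.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Assumed policy value: a window short enough that a stand-in cannot be flown
# in from abroad after the appointment is issued.
DEFAULT_WINDOW_SECONDS = 12 * 3600


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_appointment(key: bytes, subject_id: str, location_id: str, issued_at: int,
                      window_seconds: int = DEFAULT_WINDOW_SECONDS,
                      nonce: Optional[str] = None) -> str:
    """Mint a signed, single-use IAL3 appointment bound to a subject, a site and a closing time."""
    claims = {
        "sub": subject_id,
        "loc": location_id,                 # the only site where this appointment may be redeemed
        "nbf": issued_at,                   # not valid before issuance
        "exp": issued_at + window_seconds,  # the timebox: after this, a new appointment is required
        "jti": nonce or secrets.token_hex(8),
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64u(body)}.{_b64u(tag)}"


class AppointmentVerifier:
    """Runs at the proofing site; rejects late, relocated, replayed or forged appointments."""

    def __init__(self, key: bytes, proofing_sites: set):
        self.key = key
        self.proofing_sites = proofing_sites  # sites where a supervised IAL3 session may be opened
        self.redeemed = set()                 # jti values already used (assumed in-memory store)

    def check(self, token: str, presented_at_site: str, now: int) -> Tuple[bool, str]:
        try:
            body_b64, tag_b64 = token.split(".")
            body = _b64u_decode(body_b64)
            tag = _b64u_decode(tag_b64)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad_signature"
        claims = json.loads(body)
        if now < claims["nbf"]:
            return False, "not_yet_valid"
        if now > claims["exp"]:
            return False, "window_expired"
        if presented_at_site not in self.proofing_sites or presented_at_site != claims["loc"]:
            return False, "wrong_location"
        if claims["jti"] in self.redeemed:
            return False, "already_redeemed"
        self.redeemed.add(claims["jti"])
        return True, "ok"


if __name__ == "__main__":
    key = b"example-key-do-not-use"
    t0 = 1_700_000_000
    token = issue_appointment(key, "subject-42", "DC-01", t0)
    verifier = AppointmentVerifier(key, {"DC-01", "NYC-01"})
    print(verifier.check(token, "DC-01", t0 + 3600))       # (True, 'ok')
    print(verifier.check(token, "DC-01", t0 + 3601))       # (False, 'already_redeemed')
    print(verifier.check(token, "DC-01", t0 + 13 * 3600))  # (False, 'window_expired')
```

The checks are ordered so that a presentation at the wrong site or outside the window does not consume the appointment; only a fully valid presentation is recorded as redeemed. Whether a failed attempt should instead burn the appointment and trigger review is a policy decision for the deployment.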

Physical and Hardware Vulnerabilities in IAL3 Kiosks

Another major vulnerability in IAL3 systems has always been the physical hardware. Many devices are unguarded, so they can be physically tampered with. A simple bump key or other lock-bypass tool opens the enclosure of any device whose internals are not fully sealed. Complex kiosk builds usually revolve around a Windows device, which offers an almost limitless library of exploits. Windows is generally secure if properly configured, but it provides limited defenses once an attacker has physical access to a port. One exploit we have seen combines these: the attacker manufactures a fault or emergency, for example by destroying a port with a USB killer or triggering a false fire alarm, so that a responder comes to debug or repair the device. Having already opened the enclosure and embedded a keylogger in one of the kiosk's components, the attacker captures everything the technician types, which can translate into full access to the company that operates the device. The technician logs in to the device or attempts the repair without knowing that the entire session is being sent offsite for reuse.

Some companies do not operate under strict identity and access policies, which lets this exploit turn into a massive breach. A siloed approach to operating identity verification is critical: operators should manage devices from dedicated workstations over restricted, one-way channels rather than interactive sessions. For example, managing Windows kiosks over RDP exposes more of your network, because RDP is a fully interactive two-way session with clipboard, drive and credential exposure, and it is routinely targeted for lateral movement. Another critical layer is isolating each device so that it cannot initiate communication into your cloud or data center boundary. The physical components will remain critical to security, as they are what separate IAL3 from lower levels of verification. This is why a strict supply chain audit with a minimum of third-party components is key, especially since the system must remain trustworthy over an extended period. The best approach to physical integrity is continuous hardware integrity checks combined with periodic pentesting. AI continues to surprise cybersecurity experts with its ability to enumerate hardware modules and attempt kernel and other low-level exploits. In the past, an attacker needed deep knowledge just to interface with a hardware device; now the same pentesting skills used against software can be translated into hardware-level exploits.
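As an added example (not code from Trust Swiftly or from any kiosk vendor), the Python below runs a few correlation rules over a constructed kiosk event log to catch the maintenance-time keylogger scenario described above: an enclosure opened with no authorized technician login, a maintenance login without an approved ticket, a new HID device that is not part of the kiosk's known keypad or scanner, and any removable media at all. The log format, the kiosk names, the ticket numbers, the vendor and product IDs and the five-minute grace window are all assumptions made for the example.

```python
import re

# Constructed sample log (not real kiosk telemetry).
# Format assumed for the example: "<unix_ts> <kiosk> <event> [key=value ...]"
SAMPLE_LOG = """
1000 KIOSK-7 chassis_opened
1010 KIOSK-7 technician_login user=tech.alice ticket=MT-4412
1020 KIOSK-7 usb_device_added class=HID vid=1a2b pid=0001
1100 KIOSK-7 technician_logout user=tech.alice
2000 KIOSK-3 technician_login user=tech.bob ticket=MT-9999
2005 KIOSK-3 usb_device_added class=MassStorage vid=0781 pid=5583
3000 KIOSK-9 chassis_opened
3100 KIOSK-9 usb_device_added class=HID vid=1a2b pid=0001
4000 KIOSK-7 usb_device_added class=HID vid=04d9 pid=0001
"""

# Assumed policy data: tickets approved by the change board, and each kiosk's
# known-good HID devices (its own keypad or scanner) as (vid, pid) pairs.
AUTHORIZED_TICKETS = {"MT-4412"}
HID_BASELINE = {"KIOSK-7": {("04d9", "0001")}, "KIOSK-3": set(), "KIOSK-9": set()}
CHASSIS_GRACE_SECONDS = 300  # an opened chassis must be explained by an authorized login this soon

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<kiosk>\S+)\s+(?P<event>\S+)\s*(?P<attrs>.*)$")


def parse(log_text):
    """Parse the constructed log into time-ordered event dicts."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split())
        events.append({"ts": int(m.group("ts")), "kiosk": m.group("kiosk"),
                       "event": m.group("event"), **attrs})
    return sorted(events, key=lambda e: e["ts"])


def analyze(log_text):
    """Return a list of alerts, each {'ts', 'kiosk', 'rule', 'detail'}."""
    events = parse(log_text)
    alerts = []

    def alert(e, rule, detail):
        alerts.append({"ts": e["ts"], "kiosk": e["kiosk"], "rule": rule, "detail": detail})

    for e in events:
        k = e["kiosk"]
        if e["event"] == "chassis_opened":
            # Rule 1: an opened enclosure with no authorized technician login shortly after
            # is an unattended physical intrusion (the moment a keylogger would be planted).
            explained = any(
                f["kiosk"] == k and f["event"] == "technician_login"
                and f.get("ticket") in AUTHORIZED_TICKETS
                and e["ts"] <= f["ts"] <= e["ts"] + CHASSIS_GRACE_SECONDS
                for f in events)
            if not explained:
                alert(e, "unattended_chassis_open", "no authorized maintenance login in grace window")
        elif e["event"] == "technician_login":
            # Rule 2: maintenance sessions must reference an approved ticket.
            if e.get("ticket") not in AUTHORIZED_TICKETS:
                alert(e, "unauthorized_maintenance_login",
                      f"user={e.get('user')} ticket={e.get('ticket')}")
        elif e["event"] == "usb_device_added":
            dev = (e.get("vid"), e.get("pid"))
            if e.get("class") == "HID" and dev not in HID_BASELINE.get(k, set()):
                # Rule 3: a keyboard-class device outside the baseline is the keylogger signature.
                alert(e, "unexpected_hid", f"vid={dev[0]} pid={dev[1]} not in baseline")
            elif e.get("class") == "MassStorage":
                # Rule 4: a verification kiosk has no legitimate use for removable media.
                alert(e, "removable_media", f"vid={dev[0]} pid={dev[1]}")
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

In practice rule 3 is the one that pays for itself: a hardware keylogger wired inline with the kiosk keyboard either enumerates as a second HID or changes the vendor and product IDs of the existing one, and either case falls outside a per-device baseline. The alert on KIOSK-7 fires even though the maintenance ticket was approved, which is the point: an authorized technician visit does not make a new keyboard-class device legitimate.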

Hardening IAL3 Through Testing, Bounties, and Scale

As shown, the scope of vulnerabilities in any IAL3 system is vast, and isolating them one by one is what produces a highly defensible system. Almost all companies and agencies implement IAL3 to satisfy compliance requirements, but it should be taken a step further by testing the system and its processes to the limit. Trust Swiftly runs an active bounty program with zero bypasses to date and works with industry experts to test the limits of identity verification. Mass usage is the other top security measure for reducing live vulnerabilities in a system: the more a platform is exercised, the faster its gaps surface and close. Over time, wider IAL3 adoption will harden the identity verification ecosystem with more innovative and secure solutions. The key to limiting IAL3 vulnerabilities in the future will be more solutions that deliver high-assurance identity proofing at scale, as the current limited options leave many gaps.

Want to test your identity verification process against the same threat actors we track? Contact Trust Swiftly to pressure-test your IAL3 deployment.

About the Trust Swiftly Team

We publish practical guidance on identity assurance, fraud prevention, and FedRAMP-aligned controls for high-risk workflows.
