How to tackle the growing threat of eKYC fraud

Have you ever come across one of those posts about the advancements in AI technology that shows you 5 or 6 human faces and then tells you that only one of them is real? 

Your instinct is to assume you’ll easily be able to identify the real human face. But a minute or two goes by and you’re still not sure. It could be number three, you suppose. Or do the eyes seem just a little bit too far apart? 

In the end, you give up. And the realization that there’s simply no way of knowing for sure is a pretty disconcerting one. It also helps to explain why identity fraud has become much more complex and difficult to prevent in the digital world. 

In this article we’ll focus on one of the fastest-growing areas of digital fraud: eKYC fraud. We’ll tell you how attackers are exploiting virtual ID verification - particularly in the world of mobile banking - and then we’ll explain how we’re helping to protect our clients here at Licel.


What is eKYC? And why is it booming?

Electronic Know Your Customer (eKYC) has become an integral part of modern digital business processes in recent years. It enables identities to be quickly and securely verified across a range of industries, from banking to telecoms. 

Let’s take neobanks as a use case example to better understand how eKYC verification works:

When someone wants to apply for a bank account, banks need to know they are who they say they are. That’s why they might ask that person to share a picture of their passport or another form of ID. But banks will most likely also ask them to take a selfie or a video of them talking. That way they can make sure that the ID that the applicant provided earlier matches the live, in-application version of them. If the answer is yes, then they get verified and can begin using the bank’s services (often the very same day), whether that is opening an account or applying for a loan or a credit card.  

This process used to be a lot more complex and time consuming. It almost always involved in-person checks and a lot of paperwork, and so the benefits of eKYC verification from an efficiency standpoint alone are obvious.

There are other benefits, too; eKYC helps to keep costs down as it reduces the need for face-to-face verification and the maintenance of physical records. Making sure that customer identities are verified accurately and securely can also help compliance and certification bids. And it can vastly improve user experience.

That being said, there’s a fine balance between user experience and security, as we’ll explore later.


The emergence and growth of eKYC fraud

For all the benefits of eKYC that we’ve covered above, there are plenty of challenges, too. Fraudsters have begun to find ways of bypassing and abusing the eKYC verification process – often using stolen or counterfeit documents to do so.

Machine learning and AI tools have also made it possible for cybercriminals to pretend to be someone they’re not in ever-more convincing ways. Just two or three years ago, we all would have backed ourselves to identify fake, virtual photos like those I mentioned above, but these days it’s a much tougher task. Struggling to identify the real homo sapiens in a lineup filled with several AI-imagined human characters is one thing, but the stakes are often much higher.

Earlier this year, a scammer tricked an employee of a Hong Kong bank into wiring $25 million to a bogus account. They did this via a video call, using deepfake versions of the CFO and other company stakeholders to convince the victim. This was the first high-profile case of such vast quantities of money being lost in this way, but it almost certainly won’t be the last.

Banks are well aware of the dangers of AI-assisted fakes being used in the eKYC verification process, too. They are spending huge amounts on liveness checks with a view to making sure that end users are uploading real photos or videos of themselves, and are not injecting deepfakes.  

Cyber threats are shape-shifting. Some of the security challenges that keep CISOs and CTOs up at night today weren’t even on their radar a few years ago.


How does eKYC fraud happen?

If attackers have already stolen parts of somebody’s identity, then they can go a long way toward completing the eKYC verification process. Identity theft can happen a number of ways, but often people are tricked into sharing information about themselves as part of a wider phishing or social engineering campaign.

You might be surprised by the lengths that some fraudsters go to in order to steal identities that they can then use for later attacks – including eKYC fraud. There was an attack recently in the Middle East where bad actors created a fake version of a bank’s new mobile banking app and even mirrored the bank’s marketing campaign in their phishing campaign. This led to a number of people mistakenly downloading the bogus app, which collected personally identifiable information and credentials that could then be used in eKYC fraud.

Some bad actors also use advanced design tools to tamper with identity documents submitted during the eKYC verification process. Related to this is synthetic identity fraud, where an attacker will use a combination of real and fake information. This might be using a real social security number, but using a fictitious name or date of birth, for example. In this way, the attacker can bypass more traditional fraud detection tools.

Deepfakes, voice spoofing, and fingerprinting fakes have taken the manipulation to even more sophisticated heights. They can now be so convincing (as the Hong Kong bank story above attests) that they can bypass liveness checks and facial recognition systems. Bad actors can also leverage AI tools to generate realistic-looking documents as well as people.


The impact of eKYC fraud

The upshot of these trends is an increase in the number of successful instances of eKYC fraud. And the more that bad actors can get around anti-fraud systems that banks employ, the more money those banks will lose to credit card payments (and other fraudulent transactions) carried out by people who don’t actually exist.   

An associated negative impact can also emerge if individuals become aware that their personal identification or credentials have been used. This can result in a sizeable hit on business reputations. 

There are also regulatory fines to consider. A failure to comply with KYC (and security) specifications can result in weighty penalties, some of which are especially focused around dealing with money laundering. Banks with insufficient fraud-prevention measures might find themselves facing legal action.

What is more, additional regulations are also coming into force that will punish banks even more severely if it emerges that they failed to prevent the onboarding of a fraudulent account.


How to stop eKYC fraud

As you’re probably aware if you’ve read this far, the threat of eKYC fraud is multi-layered. And so stopping it must be, too.

On the one hand, this involves minimizing the social engineering threat in the first place and making it as difficult as possible for fraudsters to trick people into sharing their personal information. On the other hand, it’s about identifying suspicious devices, stopping deepfakes and image-injection based spoofing, and preventing bad actors from using versions of your app that are outdated, insecure, or that have been tampered with.

As the example we shared earlier from the Middle East shows, social engineering is becoming more and more sophisticated. Scammers are utilizing AI tools to make their phishing attempts more convincing than ever. We all have a responsibility to be as clear as possible with end users about the threats that exist and how to recognize when a fraudster is trying to trick them. eKYC fraud often involves attackers using some form of stolen identity, so attempting to stop this at source is vitally important.

To explain how to stop some of the go-to eKYC fraud techniques, we’ll tell you how we do it here at Licel. After all, we’re currently securing the mobile channel between banks and 310 million end users of banking applications.

When it comes to preventing deepfakes and image-injection based spoofing, there are two key defensive mechanisms that our clients lean on. The first is DexProtector, and more specifically its runtime application self-protection (RASP) engine, which is able to detect compromised devices (say, a device that is jailbroken or rooted). It also prevents exploits based on modifying app functionalities, and it stops interference with the app in memory.

Then there’s our Device ID module, which provides your authorization servers with unique, tamperproof device identifiers. It enables you to both log devices that may have been used for fraudulent activities in the past and continue to detect suspicious user activity.

Our anti-malware module is also a vital defensive component that combines both DexProtector and our threat intelligence and threat monitoring solution, Alice. The latter constantly scans your application’s landscape for threats, including the latest mobile banking trojans. Alice receives and analyzes incident insights from apps secured by DexProtector before sharing these insights with you so that you’re one step ahead.     

As we’ve mentioned above, fraudsters will also often use outdated, insecure, or tampered versions of your app to evade security controls. Our API protection provides ways to identify trusted endpoints and reject API requests from fraudulent endpoints, as well as untrusted versions of the app.


Future-proofing eKYC verification

One of the ironies of the modern world is that the more convenient technology makes our lives, the more threats we sometimes expose ourselves to.

While the banking onboarding process has become infinitely simpler and more efficient, these benefits have come at a cost. Bad actors are now using bogus forms of ID and verification material to obtain accounts when they shouldn’t, which has resulted in huge financial losses.  

In the months and years ahead, cyber threats – including deepfakes, voice spoofing, and manipulation of AI models – aren’t going to go away. They’ll only get more sophisticated. And so conversations about finding the right balance between usability and security are set to grow louder, too.

Future-proofing eKYC verification is going to rely on finding this balance. Up to now, the scales have swung firmly on the side of usability and convenience. As with everything in life, it can take time for them to swing back the other way and then to settle somewhere in the middle.

What is clear is that, if we want to continue enjoying the convenience of eKYC, then we need to ensure the integrity of the entire process. Integrity is the watchword for us here at Licel; it always has been. We’ll continue to do our bit to make sure that it is maintained throughout the eKYC verification process and that our mobile banking clients can be sure that the person behind the black screen is who they say they are.

eKYC fraud is just one of the many threats that mobile banking applications are up against. Read our mobile banking use case to discover more about the others and find out how Licel solutions are mitigating these threats.
