Fraud marketplaces continue to commercialize tools that help attackers automate account abuse and onboarding evasion. Reviewing these services provides useful insight into how verification programs should evolve.
Now looking at the latest offering, we found a site called Verif Tools. They offer an API and simple to use tool to create any ID for a fraction of the price a person could make the ID. They even do many anti detection steps to bypass any verification tools. All you need to do is send the name, selfie, signature, and some other data through their website or API and then send back an image that can be used for identity verification. The self-service nature of this software shows how fraudsters can SaaSify their business models to expand their offerings. Many fraudsters have little knowledge about creating an ID that bypasses systems, but these tools make it so easy that anyone can use it.
Below is their promotional video describing how to use their site.
These generators are becoming more complex, with software to replicate liveness checks by having the face turn its head or open the mouth. In the past, it has required a skilled fraudster to bypass the verifications, but now the guides are making it easier for more people to follow.
Another software tool can generate millions of unique selfies. These are AI-generated faces that can be adjusted based on color, age, gender, and more. Their solutions work so well that they can bypass airport-level security, which shows you the sophistication they are putting into these tools.
Lastly, even if you require more physical checks on the ID like many crypto exchanges attempt, it still can be bypassed with a printed ID. Fraudsters are just using public transport cards to save on costs like in the below Russian vendor case.
What can businesses learn from this new activity? Hopefully, you now know that fraudsters have no limits and will one-up any checks you have in pace. Monitor your verifications and do not rely 100% on an automated solution. You should constantly be testing and adding new measures to detect fraud. If your fraud solution can not catch these types of attacks, then you might be on the next target list. We have seen how these fraudsters act like a swarm of bees and will target a business they hear about that has a vulnerability. Lastly, remember that there is a financial cost to all this, and there usually is no need to go overboard as long as you balance your risk levels with your business requirements.
Trust Swiftly does have verification methods that can defeat these types of IDs, and we are constantly enhancing our software just as fraudsters are adapting their strategies. The key to identifying fraud effectively is making the experience for fraudsters a difficult one while having your good customers not even notice there were additional checks in place. Partnering with a solution provider that can rapidly deploy countermeasures to these types of fraud is critical to your vendor selection. If you are stuck with one vendor or tool, you may have no recourse against a sophisticated attack. We have yet to see a plateau in fraudsters' usage of fake identities and expect even more volume in the coming year as these automated fraud tools proliferate online.
Update October 2022
Fraudsters have taken no breaks and have more options to choose from with advanced features. Some ID tools verify with PDF417 scanning which is supposed to be a good check but generators such as these can bypass them. Another tool is able to create barcodes and more advanced fake documents such as passport MRZs.
Video and image
Watch Demo Video
