Georgi Sokolov — Business Development Specialist at BASIS ID discusses how new technological advancements can be used to steal or fake identities.
According to the National Science Foundation, identity theft occurs when an unauthorized party uses your personally identifying information, such as your name, address, Social Security Number (SSN), credit card or bank account information, to assume your identity in order to commit fraud or other criminal acts.
This can happen if you are not careful and provide your personal data to sketchy websites, if you simply lose your identity documents, or through data breaches, which occur all over the place, even at credible companies. You cannot be protected from that. Just by googling “Data Breach”, I found this week’s story: “U.S. Customs and Border Protection says photos of travelers were taken in a data breach.” In this article I want to discuss how fraudsters can use your data to take out loans, launder money or finance terrorism.
Which data is needed to sign up for a financial service?
To create an account with an online financial service, such as a lending platform or a crypto exchange, we usually provide the following data during the KYC process:
- Basic data: name, birthdate, country of citizenship, email, etc.
- Photos of identity document
- A video (or a selfie)
Sometimes proof of address is also required, but in most cases a fraudster who is able to get these 3 pieces of your personal information will be able to steal your identity and do all sorts of unpleasant things under your name. It is especially painful when you realize that you have tens of thousands of dollars in unpaid debt, or when you get a notice that you were apparently convicted of money laundering or terrorist financing.
It is even easier in the US
In the United States of America, where the SSN (Social Security Number) is one of the crucial parts of personal identity, stealing an identity is even easier. If you can get your hands on a person’s SSN, you can come up with your own name, appearance, address and so on, and use this fake persona to access financial services. This is called synthetic fraud. According to Ron Schlecht, managing partner at BTB Security, an information and IT security company, “Synthetic identity fraud is when a criminal combines real but often stolen information, like a child’s Social Security number with a falsified name to perpetrate fraud. Unlike typical identity theft, the pieces of fake information make the fraud harder to trace and the identity difficult to verify.”
“If I made up a fake John Smith, I would get John Smith his own email address, sign John Smith up for social media accounts,” explained Naftali Harris, CEO of SentiLink. “And when somebody tries to ask me if I’m actually John Smith, I’d be able to verify the email, phone number, [and] answer questions about John Smith’s history… because I’m the one that created John Smith’s entire history.”
Your document can be bought for $10
According to Statista, in 2018 the United States alone saw 1,244 data breaches and had 446.5 million exposed records. This enormous number of data breaches results in millions of private documents being sold on the Dark Web.
Chances are that your identity documents can be bought for as little as $10.
It is very likely that your ID document has all of the basic data about you. Your name, your date of birth, your country of citizenship… That’s a check for 2 out of 3 pieces of data needed to steal your identity. The only one left — a selfie or a video.
In the worst-case scenario, a fraudster decides to sign up on a platform that only requires a selfie. Many KYC providers don’t bother to analyze a video, so they just require users to take a picture of themselves. How hard is it to find a picture of you on social media? I bet it’s not too complicated.
What if a liveness check is performed?
KYC providers who actually care about fraud prevention never use a selfie as a method of verification. There are too many skilled fraudsters who can google a picture of a person and use their Photoshop skills to make it seem more realistic. A liveness check is a necessity in the modern age.
A Medium article discusses liveness checks in depth: “How do we make sure that a person is real and alive?”, in which Sergei, who is CTO at BASIS ID, talks about one of the elements of user verification, the liveness check.
Unfortunately, many great technologies that were created for good reasons can also be used by criminals.
A couple of years ago several videos went viral in which celebrities such as Barack Obama were talking about unbelievable things. Later it turned out that these videos had been created from just a few photos or a short video of those celebrities.
This was only the beginning. Technology advances day by day. Some developers have experimented with swapping faces live, which has been named “Live Deep Fakes”. Alessandro Cauduro described his experience in a Medium article titled “Live Deep Fakes — you can now change your face to someone else’s in real time video applications” (“TL;DR; What happens if Deep Fakes become real time? Let’s try it!”).
Impressive, huh? “Deepfakes had suddenly made it possible for anyone to master complex machine learning; you just needed the time to collect enough photographs of a person to train the model. You dragged these images into a folder, and the tool handled the convincing forgery from there,” wrote Mark Wilson in his Medium post.
One of the recent examples of Deep Fake is a video created by artists Bill Posters and Daniel Howe that shows Mark Zuckerberg saying that one man, with total control of billions of people’s stolen data, all their secrets, their lives, their futures.
And it doesn’t stop there. Misha Leybovich has created Meo, which creates a 3D face from a 2D video or a single photo. “Leybovich admits it’s possible you might abuse the system to create a 3D model from a source other than your own face. ‘Eventually you’ll be able to impersonate a celebrity, or whatever else,’ he says, ‘Maybe you could point your phone to a video of a Twitch streamer playing a game and create an avatar based upon them’”.
These avatars may not look realistic just yet but imagine what will happen in several years. I predict that it will be possible to create a very realistic avatar using just 1 photo of a person. You will be able to control this avatar in any way you want to create a video and it will be impossible to tell that it is fake.
Fraudsters don’t even need your document, they can create one
Do you think that you might still be safe because you have kept your ID documents private and have never shared them with anyone? Well, I have bad news for you. Fraudsters don’t even need your document to steal your identity. For a skilled fraudster it is not a big deal to photoshop your picture onto a different document, especially given that layer-by-layer Photoshop templates for most documents can be obtained on the Dark Web. It is a little trickier to print them out, but plastic bases and special tools for doing so can also be bought. This is where the Fake Detect filters that BASIS ID and some other KYC providers use come in handy. However, there are too many online financial services that do not use proper KYC tools, and fraudsters are a lot more likely to use those.
Do you think that you are safe because there are no publicly available photos of you? You might avoid social media, but someone might just take a picture of you on the street and use software like Topaz Gigapixel AI to sharpen it, or Meo, which I have mentioned before, to create the necessary angle.
It is quite scary, but it is close to impossible to eliminate the possibility of your identity being stolen.
Fake identity without human data
If technology has gone so far that a fraudster needs as little as your picture or your name to steal your identity, why would they even bother to do it? Even if they only use a photo of you, there’s a chance that you or an authority can track it and realize that it is being used by someone else. That’s why I predict that in the future fraudsters will create new identities from scratch rather than stealing someone’s complete identity, which is already outdated, or creating an identity from pieces of different real identities, which is popular nowadays.
Recently, I’ve stumbled across a website called https://www.thispersondoesnotexist.com/.
Its name speaks for itself. Each time this page is refreshed, a new face is generated. That’s right. It is generated by artificial intelligence. People that you see on this website do not exist and do not have any features connected to real people.
Nothing prevents fraudsters from using similar technology in combination with software like Meo to create a video of a person who doesn’t exist. They can give it a voice and teach it to answer questions. If this happens, in a few years video call liveness checks and other tools that detect fraud will not be reliable enough.
There’s a constant race between fraudsters and the technology that strives to prevent money laundering, terrorist financing and other criminal activities. I tend to believe that it’s a natural process, which began way before the internet era. We cannot stop it from happening, so the wisest thing would be to adapt to our ever-changing world. As individuals, we must take reasonable measures to keep our identity safe while still being able to enjoy financial services. As companies, we should implement a CDD process that is tuned to actually prevent fraud instead of doing the bare minimum to stay compliant.