#08 - Dark Web Services Bypass KYC Checks for $150

GenAI has revolutionized how fraudsters attack Fintechs.

I'm not speaking only about creating synthetic identities at scale.

Bypassing a document verification, selfie check, or even a liveness check is just a matter of cash.

Together with the folks from New Paradigm, we took a dive into the depths of the dark-web, and today I'm going to uncover some uncomfortable truths.

But don't worry. I'm also going to share some ideas on how Fintechs can protect themselves from this emerging threat.

Let's take a look.

Fraudsters can bypass the biggest KYC vendors in the market.

When I asked New Paradigm to help me research this topic, they utilized their existing knowledge sources and technology to look at the fraud services offered by cyber criminals.

Their approach was pretty simple: uncover what cyber criminals offer, and also check what's in demand.

I cannot share their detailed report for obvious reasons, but here are some of the insights I gleaned from it:

KYC vendors are being actively targeted:

Services sold are almost always marketed to bypass a specific vendor. In odd cases, they are targeting a specific Fintech/Merchant, but in essence it's pretty much the same.

The biggest vendors are also the biggest targets:

There's a direct correlation between vendor size and supply/demand for services to bypass it. That makes a ton of sense for many reasons. Some vendors, though, look to be more vulnerable than others.

Small, unknown players are not targeted:

Again, this makes sense. While there was some level of minimal demand, supply was practically non-existent.

High ticket services:

Generally speaking, the services cost $150-$600 per verified account. The price depends on the vendor, and the check/s that need to be bypassed in the process.

This isn't cheap at all, and would require fraudsters to monetize high amounts for them to have a good ROI.

Incredibly high level of fidelity:

I saw some examples of fraudsters being able to create high-quality 3D liveness checks from faded 2D pics. For the right price, any security measure - automated or not - can be bypassed.

Are smaller vendors the right choice as your KYC partner?

That's the first question that was on my mind.

Here's the thing:

Even though all vendors use pretty much the same commoditized technology for image recognition, they train their models differently.

My guess is that fraud vendors optimize their "products" to attack specific vendors. Using the same product on a different vendor might work, but probably with much less success and will negatively impact the ROI.

So is it safer to go with a small, unknown player instead? One that might not be actively targeted?

Layering defenses is a universal principle that applies here as well.

I spoke about this with Rashmi Pujar, a product leader and a veteran of the industry (ex-Socure, Intuit, and Mitek).

Her view was that in order to build a truly robust fraud prevention system, you need to go back to the basics and combine several solutions.

Here are some tips:

Integrate multiple KYC solutions - yes, this is much more expensive in terms of effort and operating costs. But it's also much safer, considering a single solution is also a single point of failure.

Step-up high risk events - to optimize costs, you can send the ID checks to a 2nd or even 3rd vendor only when the user is showcasing high-risk behavior. You don't necessarily need to triple-check your entire user-base at signup.

"Load balance" your vendors - by having multiple vendors integrated, you can choose to randomly assign each check to a different vendor. While keeping your operational costs the same, you will heavily reduce fraudsters' ROI, as their tools are typically designed to bypass only one particular vendor.
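To make the last two tips concrete, here is a sketch of a router that assigns each check to a random vendor and steps up to a second vendor for high-risk applicants. It is an added example, not code from this newsletter or from any vendor; the vendor names, the 0.7 risk threshold, and the `stub_vendor` stand-in are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List

VendorCheck = Callable[[dict], bool]  # hypothetical adapter: applicant -> pass/fail

@dataclass
class KycDecision:
    vendors_used: List[str]
    approved: bool

class KycRouter:
    def __init__(self, vendors: Dict[str, VendorCheck], step_up_threshold: float = 0.7, rng=None):
        if len(vendors) < 2:
            raise ValueError("a single vendor is a single point of failure")
        self.vendors = vendors
        self.step_up_threshold = step_up_threshold  # assumed cut-off on a 0..1 risk score
        # OS-backed randomness so the applicant cannot predict the assignment.
        self.rng = rng or secrets.SystemRandom()

    def verify(self, applicant: dict, risk_score: float) -> KycDecision:
        order = list(self.vendors)
        self.rng.shuffle(order)  # "load balance": random vendor per check
        # Step-up: high-risk applicants must also pass a second, different vendor.
        needed = 2 if risk_score >= self.step_up_threshold else 1
        used: List[str] = []
        for name in order[:needed]:
            used.append(name)
            if not self.vendors[name](applicant):
                return KycDecision(used, False)  # fail closed on first rejection
        return KycDecision(used, True)

def stub_vendor(name: str) -> VendorCheck:
    # Constructed stand-in for a real vendor SDK call: genuine applicants pass;
    # a forged submission passes only the one vendor it was built against.
    return lambda applicant: applicant["genuine"] or applicant.get("built_against") == name

if __name__ == "__main__":
    router = KycRouter({n: stub_vendor(n) for n in ("vendor_a", "vendor_b", "vendor_c")})
    forged = {"genuine": False, "built_against": "vendor_a"}  # constructed sample
    low = sum(router.verify(forged, 0.1).approved for _ in range(3000)) / 3000
    high = sum(router.verify(forged, 0.9).approved for _ in range(3000)) / 3000
    print(f"forged pass rate, single random vendor: {low:.2f}; with step-up: {high:.2f}")
```

With three vendors, a submission built against one of them passes roughly a third of the low-risk checks and none of the stepped-up ones, which is the ROI reduction the tips describe.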

It goes without saying that sticking to these principles is always better than opting for an unknown vendor.

Relying on a single technology/process will always lead to system failure.

Remember: stopping fraud at signup is not only about verifying documents/selfies/live videos.

It's also about analyzing the device, email, IP address, and mostly - monitoring user actions and detecting suspicious activity post signup.

Don't let your analytical and pattern recognition muscles grow weak, while you get addicted to a vendor.

It's a mistake I always see backfiring.

That’s all for this week.

See you next Saturday.
