An industry expert provides information on ID theft and fraud and insight into a system that will help to mitigate these risks
Many people see identity theft and fraud as thoroughly modern misdeeds, scourges brought on by our growing reliance on computers, the internet and social media. In reality, these crimes—and the criminals that commit them—have been with us for quite a long time.
One of the most famous con artists and expert forgers of the early 1900s was Count Victor Lustig. In his most extravagant scheme, he used forged documents to pretend he was part of the French government, looking to sell the Eiffel Tower, which he did for a large sum of money. This con worked so well that he did it twice.
Closer to home, George C. Parker and numerous others tried selling the Brooklyn Bridge, while professional conman Frank Abagnale Jr. faked his career as a doctor, pilot and professor, without any formal qualifications or training in any of these fields. His mastery was as an expert counterfeiter who forged various identity documents.
Fortunately, there are methods available to mitigate this type of malfeasance. This article outlines the major categories of modern identity theft and fraud and then examines how each type of fraud impacts gaming. The final section discusses biometric identity screening as a practical technique to mitigate identity fraud.
IDENTITY THEFT
The most common categories of identity theft include:
- Counterfeit or fake identity: An unauthorized reproduction of a genuine document; these documents are neither issued nor recognized by an official authority.
- Impersonation: A genuine ID is stolen and the identity photo is substituted with someone else. Sometimes the stolen ID is used by someone who look similar, with genuine data such as name, date of birth or expiry altered to match other documents held by the forger.
- Synthetic ID: Combining real (stolen) and fake information to create a new identity which does not exist.
On a positive note, since the introduction of electronic passports—which include multiple security markers—it has become more challenging for criminals to manufacture counterfeit passports. Governments also update each “series” and “model” number every few years; typically to introduce improved security measures.
Although a much higher barrier to entry has been set, sophisticated criminals still produce quality forgeries. Impersonation using a genuine ID that is stolen or forged is the most common type of identity fraud, while synthetic IDs are also seeing increased usage.
IDENTITY FRAUD
According to a 2020 Survey by PWC, $42 billion was lost to fraud over the last couple of years. The largest categories—customer fraud, cybercrime, asset misappropriation and bribery and corruption—impact every industry. As an increasing amount of business is transacted online, coupled with the growth in e-commerce, e-payments and i-gaming, criminals no longer have to break into banks or homes to gain significant wealth. In addition, digital theft can be scaled—commit a theft online, and the identical scam can be run on multiple businesses simultaneously, creating a far greater danger and potential loss.
Here’s some information on these types of crime:
- Customer Fraud: Fake, stolen or synthetic IDs used during sign-up and may include stolen credit cards. Criminal elements, cut off from the payment ecosystem, may facilitate payment transfers through a process known as transaction laundering—a merchant-based fraud scheme using legitimate payment ecosystems to process payments for criminal enterprises—as a way to transfer/clean funds earned through money laundering.
- Cybercrime: A common case is account takeover, especially high-value accounts, which are then sold and resold on the Dark Web. Cybercrime also includes hacking to steal genuine identities, as well as inserting malware or ransomware.
- Asset misappropriation: This typically arises from internal fraud—often by mid-senior management and those with access to appropriate systems. Fake invoices from suppliers or fake customer accounts may be created, to mask fund outflows as legitimate, when in fact these are fraudulent.
- Bribery and corruption: This typically involves internal, as well as external counterparties. Often the external source finds vulnerable or willing employees and offers payment in return for service. Bribery is just one form of corruption, for example offering an employee a bribe to award a contract. Corruption is a much wider concept and includes anything ranging from bribery, abuse of power and nepotism, through to collusion, fraud and embezzlement.
With the exception of cybercrime, which focuses on hacking, the other three categories of fraud have a common theme and facilitator: fake identities. When internal and external parties collude or embezzle, they are likely to hide their tracks by using fake identities, new bank accounts and a web of shell companies to conceal the true ownership. Customer fraud is also heavily influenced by identity fraud.
MITIGATING THE RISK
Few possess the skills to differentiate fake vs. real identity documents, which, in addition, would require an entire set of global document templates against which to compare. Scanners, such as the kind found at airports, would be effective but too costly per office and cannot handle remote identification.
This is where biometric identity screening can help. In specific circumstances, such as identity verification and onboarding, this is an optimal approach, if implemented carefully. To accomplish this, several steps must be taken:
- Register the applicant. Validate e-mail ownership and apply two-factor authentication (2-FA); preferably key-based 2-FA, where the PIN is neither transmitted nor stored—it would fail after a few incorrect attempts and even a keylogger could not access the keyboard. SMS verifications are not ideal as they are subject to SIM-swap fraud and phishing.
- Collate information from verifiable and independent documents, such as proof of address from a recent utility bill.
- Verify the actual applicant is presenting the identity document.
- Validate the document data enclosed in the ID (name, date of birth, expiry, checksums, data held within bar codes) and ensure this matches the visible area of the ID, as well as independent sources and apply tampering checks.
- Enroll and bind the user with key-based 2-FA login.
To mitigate the risk of validating stolen IDs, a sound biometric identity solution should capture several real-time snapshots of the user and compare video or multiple selfies to the photo in the identity document. However, due to the abundance of images on social media, it would not be difficult for fraudsters to download a person’s photo to hold in front of a webcam in an attempt to circumvent these checks. For this reason, software must also add in “liveness” checks, such as giving users precise instructions either to look left or right, or to read out text where the mouth’s movements would then be detected. There should be sufficient complexity to make it very difficult for downloaded photos to replicate the required steps in a given time frame.
Next, facial recognition can be applied by comparing the photo in the official identity document to the system- generated images. Facial recognition must cope with all genders, races and ages, as well as irregular features such as freckles, ageing or weight gain. It would be very embarrassing—and possibly scandalous—if someone gained 20 pounds and the system started throwing out “not a match.”
The solution must also have software that can read and decipher bar codes. Electronic passports include multiple security features, so are the strictest form of identity management. They also include checksums in the machine-readable zone (the bottom two lines). If the ID name, date of birth or expiry changes without an adjustment the checksum, it is most likely a fraud. In the U.S., real-ID legislation is forcing jurisdictions to include a more complex bar code that can hold a vast amount of information, including all data from the visible areas, making it much tougher to steal and re-use an existing driving license.
The benefits of a biometric identity screening solution include:
- The ability to detect fraud more effectively than manual checks;
- Strengthened identity profiling that will also benefit AML programs;
- Reduced risk of human error;
- Highly suitability for today’s digital environment, i-gaming and remote onboarding;
- Capability to sign up in-person casino players;
- It is scalable, fast and enhances the customer experience;
- Sources new clients from any jurisdiction (where online gambling is permitted); and
- Traditional methods are less suitable for younger adults, with limited records in credit databases: this age group includes more online video gamers and an increasing number of gamblers.
One final item to keep in mind with biometric identity screening solutions: The main difference and disadvantage over physical scanners used at airports is that technology does not currently exist to let biometric screening products analyze UV light remotely. Passports include certain markers that are not visible to the human eye and cannot be sent via a webcam or photo to a biometric screening system. However, unless your company currently uses a physical scanner, a biometric identity screening solution is most likely to produce a far superior result vs. manual checks.
In closing, if you decide to install a biometric identity screening solution, please consider the following steps to strengthen your program:
- Encrypt all sensitive and identifying data (in transit, storage and at rest);
- Hold the minimum necessary data—once an ID has been verified, unless there are legal requirements to hold a copy of an ID document, removing it and all biometric data from your systems reduces the attractiveness of your systems to cybercriminals and protects the user’s privacy; and
- Stay current with data governance and maintain appropriate policies and procedures with a full audit trail.