Security researchers have urged customer-facing businesses to improve their verification checks after discovering a large-scale identity farming operation on the dark web.
The unnamed underground group compiled a large collection of identity documents and corresponding facial images in a bid to trick Know Your Customer (KYC) verification checks, according to iProov’s Biometric Threat Intelligence service.
However, iProov claimed that the images and documents may have actually been handed over willingly by the data subjects, in exchange for payment.
This presents an extra challenge to organizations that use selfies to verify a customer is who they say they are online. They need to not only detect fake documents but also genuine ones being misused by unauthorized scammers, iProov warned.
“What’s particularly alarming about this discovery is not just the sophisticated nature of the operation, but the fact that individuals are willingly compromising their identities for short-term financial gain,” says Andrew Newell, chief scientific officer at iProov.
“When people sell their identity documents and biometric data, they’re not just risking their own financial security – they’re providing criminals with complete, genuine identity packages that can be used for sophisticated impersonation fraud.”
The group uncovered by iProov apparently operates in the Latin America region, where local police have been notified, although similar operations have been observed in Eastern Europe.
Legitimate identity documents aren’t the only way that cybercrime gangs are seeking to bypass onboarding and login verification checks.
Last month, Entrust warned that AI-powered deepfakes now comprise a quarter (24%) of fraudulent attempts to pass motion-based biometrics checks, which are used by banks and other service providers to authenticate users.
The technology is used far less frequently (5%) in more basic selfie-based authentication mechanisms – mainly because these are easier to spoof with more conventional means.