- iProov Researchers Discovered Group Purchasing Consumer Identification Data
- The data is used to bypass KYC processes.
- Companies will need to take a multi-tiered approach, says iProov
Hackers have found an easy and simple way to capture people’s sensitive information and then use it to bypass Know Your Customer (KYC) processes, purchasing the information directly from victims.
New research from identity verification and fraud prevention company iProov uncovered a “sophisticated approach to compromising identity verification systems” through a “systematic collection of genuine identity documents and images.”
iProov said it discovered a dark web group dedicated to mass collection of ID documents and corresponding facial images, which actually compensates victims for the information. It was not said how much money they were giving for a data set.
Multi-layer approach
The group operates in the Latin American region, but researchers said they also observed similar operating patterns in Eastern Europe and shared their findings with local authorities.
Commenting on the findings, Andrew Newell, chief scientific officer at iProov, warned against selling personally identifiable information to anyone.
“When people sell their ID documents and biometric data, they are not only risking their own financial security: they are providing criminals with complete, genuine identity packages that can be used for sophisticated phishing frauds,” he said. “These identities are particularly dangerous because they include both real documents and matching biometric data, making them extremely difficult to detect using traditional verification methods.”
iProof hinted that in the near future organizations will have to implement a multi-layered verification approach as current identity verification systems could be easily falsified. This approach would require people to first confirm that they are human, then that they are the right person, and everything would have to be done in real time.
“This multi-layered approach makes it exponentially more difficult for attackers to successfully spoof identity verification systems, regardless of their level of sophistication,” iProov concluded.
“Even advanced attacks struggle to simultaneously defeat all of these security measures while maintaining the natural characteristics of genuine human interaction.”
