Transformative Approaches to Reduce Identity Fraud in Banking

Banking fraud becomes costlier each year, and the threat of generative and adversarial AI technologies being misused adds additional approaches and sophistication of attack vectors never experienced before. Identity fraud is a major contributor to the rise in overall bank fraud, driven by many factors including an explosion in identity theft, with experts believing there is a new victim of identity theft every 22 seconds, and total fraud and identity theft cases up 47% from the previous year to $10.2 billion according to the Federal Trade Commission (FTC). Meanwhile, the Financial Crimes Enforcement Network (FinCEN) has released a Financial Trend Analysis in January 2024 that reveals approximately 1.6 million, or 42% of around 3.8 million total Bank Secrecy Act (BSA) reports, equivalent to $212 billion in suspicious activity, were related to identity.

These government agencies are sounding the alarm because banks and other financial institutions are increasingly challenged by sophisticated, motivated cybercriminals who are constantly finding new and creative ways to commit fraud. At the same time, customer demands mean that financial institutions are under significant pressure to provide Open Banking APIs and other new federated connections with business partners, despite the fact that this significantly increases their attack surface. 

Fortunately, new technologies and architectures are now available that can help banks counter the traditional attacks and future-proof against new and enhanced AI-based attacks.

Compromised Identity Is Central to Banking Fraud

Identity crimes often precede the many types of fraud common in banking. Whether fraudsters are aiming to open new accounts or apply for loans or new credit cards under a stolen or synthetic identity, or are seeking to gain access to existing accounts in order to make fraudulent transfers or harvest sensitive information, they must commit identity fraud first.

It is unsurprising, then, that the cost of identity fraud in banking as well as the volume of fraud cases related to identity continues to go up. Andrea Gacki, Director of FinCEN revealed in June 2024 some preliminary results of an early assessment of the Suspicious Activity Reports (SARs) from 2022 and 2023. Director Gacki revealed that in just two years, the percentage of the 4.7 million reported SARs tied to some impersonation, circumvention or compromise of identity has jumped from 42% (2021 assessment) to 75%. Director Gacki said, “Based on initial indications, by 2023, identity-related SARs accounted for around half of value and almost three quarters of volume.”

AI Has Created New Threat Vectors

The development in artificial intelligence technologies has been a book to fraudsters, who can now use generative AI to commit fraud more effectively and at scale. As just one example of how this might play out, many European banks and regulators have instituted remote video interviews as a requirement to opening a bank account. However, what our eyes see and our ears hear can no longer be relied upon thanks to generative and other AI technologies being exploited by adversaries. Rapid implementation and usage tools now available as layers on top of the AI core tech enables video and audio deep fakes to be created and injected into a digital interaction with little effort.

Fraud departments already struggle to keep up with the number of cases that need their attention, and AI is likely to make this problem much worse. Ping recently surveyed 700 IT decision makers from around the world about the topics of AI, fraud, and decentralized identity, and found that only 52% of respondents felt fully confident that they could detect a deepfake of their CEO. Meanwhile, AI emerged as the top area of significant concern among the professionals surveyed, and 54% of organizations admitted to being extremely concerned that AI technology would increase identity fraud.

Digital and Open Banking Increases Attack Surface

Digital and online banking continues to increase at a rapid pace with customer demand to execute routine financial transactions driving adoption. 81% of users in the US surveyed say they have linked their bank account to third parties online. Regulation from governing authorities demanding Open Banking so as to not lock customers into one bank and enabling them to move between banks has added additional pressure. 

Enabling access using traditional methods like server-side APIs and federation (such as OIDC) does not lend itself to increasing security. Every time account access APIs are published for consumption by third parties or federated integrations are created between the bank and a third party, the attack surface of the bank increases, making it more vulnerable and statistically more likely to experience an attack that must be mitigated. As sophistication increases with generative and adversarial AI, securing these connections and mitigating attacks will become increasingly expensive with a higher probability of failure to mitigate.

New Technologies and Architectures Open Up New Protective Fronts to Fight Fraud

Fortunately, new technologies and architectures are now available that can help banks counter the traditional attacks and future-proof for the fast-approaching AI-based attacks. One such solution is the PingOne Neo product suite, which includes identity verification with liveness and data injection detection (deep fake protection), verifiable credentials, and decentralized identity and integration.

To see how these technologies can help, let’s examine some of the functional areas requiring protection in banking and how these new technologies can help.

FinCEN has established a model for how financial crimes and losses are categorized, including the following functional areas:

• Validation - This category involves checking that the real world identity is legitimate. Impersonation is used here to commit fraud.

• Verification - This category involves ensuring that the identity of the claimant actually matches the real world identity (and they are present for the transaction). Circumvention is used here to commit fraud.

• Authentication - This category ensures ongoing access to the account is being performed by an authorized device or endpoint tied to the identity…typically a combination of what you know, what you have or who you are. Compromise is used here to commit fraud.

Let’s dig into the numbers and find out what can be done to start bringing the fraud numbers down.

Impersonizationization and Circumvention of Identity

FinCEN said its analysis of 2021 SARs revealed that “69% of the reports and 57% of the value cited in reports, equivalent to $200 billion, relate to impersonation challenges involving the validation of a unique, real human and identity evidence.”

Prior to COVID and the significant increase in digital and mobile banking, many of us opened bank accounts in person. Although expensive, meeting the person face-to-face and requiring multiple pieces of evidence to prove identity provided some key protections, including against bot-based and AI-based attacks, which can only occur in the digital space. Today’s digital-first banking customers demand the convenience of digital interactions, with many saying they would be happiest if they never had to visit a bank branch in person at all. This has driven financial institutions to allow online bank account registration and opening, removing the protections granted by a face-to-face encounter between a customer and a bank employee.

When it comes to verifying identity at account opening, this process mostly relies on alphanumeric-based checks of a person’s claims against historical and reputational data aggregated by commercial identity verification and bank consortiums. With the rise of data breaches, obtaining a collection of claims for a person and then impersonating them has become fairly easy. Over 1 billion records have been stolen in 2024 data breaches already, and the year is only half over. Identity thieves can use this data to impersonate someone wholesale, create composite identities where actual data is combined from multiple people, and create synthetic identities where a data trail is created in advance to appear legitimate. The identity checks historically used by financial institutions can often be fooled by these tactics. 

Banks Should Deploy Government ID Verification

Meanwhile, government ID verification (like that provided by PingOne Verify, part of the PingOne Neo product suite) is becoming a key tool for account opening, to prevent account takeover, and at time of account closure where cash is paid out to the customer. Analyst firms increasingly are recommending implementing government ID verification for better confidence in a customer’s identity at account origination and beyond.

Fortunately, the user experience of self-service imaging of government IDs and the performance of inspecting and authenticating these IDs against exemplars using visible light has improved significantly over the last few years using automated and manual approaches.

Furthermore, the ability for users to self-capture a live selfie that is used to compare their face against the photo printed on their government ID has also improved significantly over the last few years, including detecting photo substitutions on the ID.

Some of the key benefits of document-centric identity verification include, but are not limited to:

• Verify the real world or trusted identity exists

• Verify the claimant is the actual identity owner

• Enable continuous identity and device trust

• Confirm chain-of-trust along the user journey

• Ensure verified (golden) data is used everywhere

• Capture auditable, irrefutable proofs for improved compliance

• Prevent fraud along the journey or lifecycle

• Reduce risk and liability

   

Banks Should Implement Verifiable Credentials

Once a person has been proofed, a verifiable credential (cred) can be issued to the person’s mobile banking app leveraging a digital wallet (such as with PingOne Credentials, part of the PingOne Neo product suite). This cred is tied to the individual and their device, and can be quickly and affordably verified instead of repeating a more expensive full government ID verification. The person’s selfie (alongside their biographic data) captured at time of proofing can be stored in the cred and matched server-side at time of presentation. A 6-digit PIN can also be stored in the cred and verified server-side.

These creds leverage strong cryptographic mechanisms that are nearly impossible to phish and replay via a man-in-the-middle attack, for example. This means adversarial AI cannot easily steal or modify the cred and impersonate the user to gain access, as this requires a significant and expensive attack against each user’s personal device, one by one, as well as securing the private signing key of the issuer of the cred. Trusted verifier technology, like that offered in PingOne Neo, ensures that rogue verifiers cannot interact with the Neo wallet or harvest data from the creds for nefarious use as well.

Traditional Account Credential Compromise

Authentication is another area of interest, as account takeover (ATO) in banking can be very expensive. The FinCEN report states, “the use of compromised credentials has a disproportionately higher monetary impact—around 18% of reports, but 32% of total transaction value—than impersonation and circumvention of verification exploitations.”

Data breaches, phishing, man-in-the-middle attacks, social engineering, and scams have all demonstrated that traditional credential types including usernames, passwords, one-time passcodes sent via email or mobile messaging, magic links, and others can no longer be relied on for routine account access. Newer approaches such as FIDO2 Passkeys enable users to easily share their method of login with other devices and users, which leaves users vulnerable to social engineering from fraudsters who can convince a user to share their Passkey, or can enable complicit illegal activity on an account such as money laundering across many devices and persons. In addition, device-side biometrics cannot be guaranteed to be unique, to not be substituted after registration, or to actually belong to the account holder or a designated account manager.  Unfortunately, educating customers to make them more aware of typical warning signs of fraud isn’t enough to keep them from practicing poor password hygiene or unwittingly giving away access to their account.

Risk-based access control approaches that rely on multi-modal factors such as device characteristics, transaction context and bot detection, are an improvement, but they still suffer from the possibility of adversarial AI gaming the access attempts to discover vulnerabilities, and then finally gaining access potentially without any traditional credentials at all.

Therefore, it has become increasingly critical to bind account access to a single individual leveraging verifiable credentials and server-side matching using PINs and biometric data stored in the cred.

Furthermore, decentralized identity where the account lives at the edge (endpoint) and the digital wallet becomes the method of integration alleviates the current need to increase the attack surface in order to enable Open Banking and the sharing of data with third parties such as business partners and affiliates. This significantly frustrates both generative and adversarial AI that can gain access via traditional backend APIs or federated connections (e.g. OIDC). In fact, when implemented properly, decentralized identity and data sharing integrations can completely eliminate the need for opening account access via APIs or federation. Instead, account access can rely on a customer using their mobile banking app to present an issuer-signed cred unique to the person and device along with server-side PIN verification or selfie matching using authoritative data stored inside the cred itself. 

The key benefits of verifiable credentials and decentralized identity include, but are not limited to:

• Highly phishing-resistant cryptographic architecture

• Support for identification, authorization, and authentication

• Enable continuous identity and device trust

• Accelerate digital transformation with autofill

• Unify and improve user experiences including both online and in-person

• Interoperable standards enable B2C2B / B2E2B

• Prevent fraud along the journey or lifecycle

• Reduce risk and liability

• Increase privacy and deliver consent-by-design

• Simpler, more secure and more affordable than federation or API based data sharing

As fraud rates continue to balloon, banks can no longer do business as usual when it comes to their technical architectures and approaches for identity verification, authentication, and access management. Product suites that provide identity verification and verifiable credentials are a key defense against identity fraud, especially as generative and adversarial AI threats continue to increase rapidly.

To learn more, check out our whitepaper on Reducing Fraud with BankID and Verifiable Credentials.

¹ Identitytheft.org

² Financial Trend Analysis, Identity-Related Suspicious Activity: 2021 Threats and Trends; FinCEN, January 2024

³ Prepared Remarks Identity Project Colloquium; FinCEN

⁴ Fighting the Next Major Digital Threat: AI and Identity Fraud Protection Take Priority; Ping Identity

⁵ The Rise of Open Banking; Mastercard

⁶ Financial Trend Analysis, Identity-Related Suspicious Activity: 2021 Threats and Trends; FinCEN, January 2024

⁷ Tech Crunch

⁸ Financial Trend Analysis, Identity-Related Suspicious Activity: 2021 Threats and Trends; FinCEN, January 2024

⁹ Why adversarial AI is the cyber threat no one sees coming; VentueBeat March 2024; Breaking the Bot Barrier: Evaluating Adversarial AI Techniques Against Multi-Modal Defense Models; May 2024