Fraud in Crypto Apps Has Never Been Higher
A recent survey by Pew Research showed that more than 86% of Americans are now aware of cryptocurrency, and the number of cryptocurrency users is now estimated at more than 300 million. This growth in awareness has also attracted fraudsters’ attention, with crypto fraud peaking in the past year. With a bountiful set of fraud techniques and creative scams, fraudsters have been successful not only in accessing and withdrawing funds from victims’ crypto accounts but also in opening new accounts to be used for money laundering.
Cryptocurrency-related crime grew 79% in 2021, with more than $14 billion of the funds deposited in crypto wallets being tied to criminal activities. In a recent interview via Telegram, fraudsters admitted to opening between 1,500 and 2,000 accounts per month in crypto exchanges using synthetic identities.
These are fake identities constructed from stolen personal information, and such accounts are used for money laundering or other types of profitable crime. Today in professional hacker forums, it is possible to buy a synthetic verified crypto exchange account for $150 and read tips and advice on opening a new account using a fake, synthetic identity.
Know Your Customer and Your Fraudster
Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations require financial services organizations to verify the identity of customers as part of new account opening; however, today’s fraud detection is leaving the door open for fraudsters on crypto apps. Balancing the need for security and catching fraudsters at the front door is a challenge when trying to onboard new users as fast as possible.
Currently, one of the KYC obligations for crypto exchanges is address verification, according to the Bank Secrecy Act (BSA). In addition, crypto exchanges must have a Customer Identification Program (CIP), and one of the pieces of information required in the CIP is the address and a proof of address.
Andre Ferraz, co-founder and CEO at Incognia, which provides frictionless mobile authentication to banks, crypto exchanges, fintech, and wallets for more mobile revenue and fewer fraud losses, says, “At Incognia, we took a close look at 19 mobile crypto apps to see how they were balancing security and friction by reviewing their onboarding process to see how the user address is verified as part of identity verification.”
The fraudulent techniques used to pass address validation at new account opening include:
Fake and Synthetic IDs – A synthetic ID is made up of a combination of stolen pieces of personally identifiable information along with fake information – for instance, a stolen SSN, address, name, and a fake driver’s license. Individual ID items may be real, either stolen or purchased on the Dark Web, and they may even originate from different people; they are combined to create a synthetic identity. Using this synthetic ID, it is possible to pass the document check with put-together documents and to fool less sophisticated face recognition systems.
Real IDs and Faces – Fraudsters pay as little as $7 for people willing to pass the verification on a crypto exchange using their own real identity, actual identification documents, and face, and then deliver the account for sale.
Location Spoofing – When recruiting apprentices to fake an ID verification, professional fraudsters explain another go-to and usually effective way to fake compliance: faking the mobile phone location. Part of the instructions in dark-web forums states that the perpetrators should use a virtual private network (VPN) to disguise an IP address to allow them to fake their location when opening the account. So any fraudster on the other side of the globe could open an account with a fake ID and pretend they are, for example, in New York City.
The location spoofing part of the account opening factories is key since successfully detecting location spoofing is a quick way to detect a fraudster. If a user is faking their address, that is a large red flag during the identity verification.
Address Verification Is Not Just for KYC Compliance But Is Also a Powerful Tool to Prevent Fraud
During onboarding, the tested crypto apps employed several techniques to verify a new user’s address and check compliance with the country of residence. The most common techniques used include:
Address Verification Using Uploaded Documents – Requiring the user to upload an ID or document, which is read via optical character recognition (OCR) so that the uploaded data can be matched with the information provided during onboarding. The information in the ID could be cross-referenced with static databases, such as the DMV or bureaus.
One problem with relying on pinging static databases is that there may not be address databases available online in many international jurisdictions. Even where address databases exist, they may be incomplete and sometimes provide dated information.
The bigger problem is that most of these static databases have leaked in the past, and the data is available for purchase in online forums, making it easy for fraudsters to use this information to create accounts using fake or synthetic identities.
IP Address – This is still one of the most common ways for mobile apps to determine whether a person is opening a new account from where they claim to be, be it country of residence or ZIP code. The information filled in by the user is matched with the IP address location.
Today, location is routinely spoofed using a variety of techniques. There are five common techniques fraudsters use to spoof their location, including VPNs, proxies, GPS spoofing apps, emulators, instrumentation, and app tampering. VPNs and proxies are the fraudster’s go-to solution against IP address location verification.
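The weakness described above, as an added example that is not from the Incognia report or any exchange's code: an IP-only country match accepts a signup routed through an in-country VPN exit, while a check that combines several signals flags it for review. The IP table, field names and flag names are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (documentation-range IPs). A real deployment
# would query a geo-IP and anonymizer-intelligence feed instead.
GEO_DB = {
    "198.51.100.7": {"country": "US", "anonymizer": False},
    "203.0.113.20": {"country": "US", "anonymizer": True},  # VPN exit node
    "192.0.2.55": {"country": "BR", "anonymizer": False},
}

@dataclass
class Signup:
    declared_country: str
    ip: str
    gps_country: Optional[str] = None  # device-reported location, if shared
    mock_location: bool = False        # OS reports a mock-location provider
    emulator: bool = False             # integrity check reports an emulator

def ip_only_check(s: Signup) -> bool:
    """Fragile check: declared country versus IP geolocation only."""
    geo = GEO_DB.get(s.ip)
    return geo is not None and geo["country"] == s.declared_country

def risk_flags(s: Signup) -> list:
    """Combine signals; any flag routes the signup to stepped-up review."""
    flags = []
    geo = GEO_DB.get(s.ip)
    if geo is None:
        flags.append("ip_unknown")
    else:
        if geo["country"] != s.declared_country:
            flags.append("ip_country_mismatch")
        if geo["anonymizer"]:
            flags.append("ip_is_vpn_or_proxy")
    if s.gps_country is None:
        flags.append("no_device_location")
    elif s.gps_country != s.declared_country:
        flags.append("gps_country_mismatch")
    if s.mock_location:
        flags.append("mock_location_enabled")
    if s.emulator:
        flags.append("emulator_detected")
    return flags
```

A signup with no flags proceeds normally; any flag is a reason to request stronger proof of address rather than an automatic rejection, since legitimate users also use VPNs.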
In the recent Incognia study, we found that the current address verification techniques used by nineteen leading crypto mobile apps are one of the most fragile forms of KYC during onboarding. Ten of fourteen exchanges required the new user to input declared address information, and four apps required the input of country of residence or ZIP Code.
Still, none of the nineteen apps required proof of address using geolocation or via uploaded documents such as a utility bill or credit card statement. In other countries, such as the UK, uploading a document to prove address is required, but in the US, it is not typically requested, presumably because it adds friction to the onboarding.
Out of the ten apps requiring address info, only five required a driver’s license picture, which could alternatively be used to verify the address via OCR and match the data with a static database such as the DMV database. Usually, static information in databases is incomplete or dated.
The requirements of KYC and AML regulations are the main source of friction for onboarding on crypto exchanges. And this is the main reason why most apps use a soft onboarding process. This is also called progressive onboarding, an approach in which the heaviest part of the identity verification is left for when the user makes their first attempt to deposit funds or trade crypto. Notably, the two exchanges not supporting progressive onboarding and requiring an ID scan were also the ones with the highest friction during the onboarding.
This blog contains excerpts from the Incognia Crypto Mobile App Friction Report – Onboarding.