From face biometrics to ID forgeries: lax data security fuels ID fraud

In a wave of data breaches over the last year, several organizations have carelessly exposed large troves of sensitive personal information, heightening fears of identity theft and fraud. In a step further than exposed data, 404 Media recently uncovered an underground site that sells videos and photos of real people to pass some biometric KYC checks for online services. The investigation reveals that these faces are being sold on the dark web and used to commit various forms of financial and identity fraud.

Fraudsters sometimes pay individuals to take photos and videos they can sell to others to carry out attacks, 404 reports, possibly in combination with fake ID document creation services like the recently-revealed OnlyFakes.

The creation and distribution of counterfeit identification documents using stolen personal information is not the only way identity verification is being compromised. In another recent incident, security systems company Blink recently exposed thousands of driver’s licenses and passports due to a security flaw. Cybernews reports that the breach was caused by a misconfigured Amazon Web Services (AWS) S3 bucket, which was left publicly accessible. The compromised data includes images of driver’s licenses, passports, and other identification documents uploaded by users for verification purposes.

Last year, Leverage Edu, an educational consulting firm, exposed over 100,000 student passports and other sensitive documents. The breach, also discovered by Cybernews, revealed that a misconfigured server allowed unauthorized access to a trove of personal information. The exposed data includes scanned copies of passports, academic records, and other personal details submitted by students seeking educational opportunities abroad.

Leverage Edu acknowledged the breach and assured affected individuals that steps are being taken to secure the compromised server and prevent future incidents. However, the exposure of such documents raised concerns about the potential for identity theft and fraud.

Adding to the growing list of data breaches, Evolve Bank & Trust and the LockBit ransomware group suffered a breach that impacted thousands of customers. According to a blog post by Socure, the breach involved unauthorized access to sensitive customer information, including social security numbers, account details, and transaction histories.

The implications of this breach were extensive, exposing fintech partners and their clients to a range of identity theft and fraud threats, from synthetic identity fraud to account takeovers.

Accordingly, Socure recommends service providers implement robust, passive liveness detection to protect against spoofed selfie biometrics.

Article Topics

biometric liveness detection  |  biometric passport  |  digital identity  |  face biometrics  |  fraud prevention  |  identity document  |  Socure  |  synthetic identity fraud