First, it’s incredible that these types of complex, digital documents can be produced at the click of a button with nothing more than artificial intelligence. We’re truly living in a new era of technical capability.
And to be sure, the deepfakes that are generated are very good. While there are minor visual issues that could be distinguished by the naked eye, for the most part it is as good as the fake IDs from your friendly neighborhood fake ID manufacturer — at a much lower cost and effort than ever before.
But fake IDs are nothing new. For decades, fake IDs have been generated in massive quantities to help under 21 year-olds get into bars and nightclubs in the U.S. And those fake IDs have typically been good enough to fool a bouncer who gets to look at thousands of IDs a month. If not, there wouldn’t be a market for those fake IDs in the first place.
Why This Fraud is Different
So why is this new fraud concerning? Well, for one, the scale. High quality fake IDs have always required time and money, so it was not typically a scalable attack vector for fraud.
Second, the prevalence of online document verification has blown up, particularly for creating accounts for financial institutions, where getting it wrong can be very bad. And having a handful of fraudulent accounts opening is business as usual for many financial institutions where there’s always been a tolerable level of fraud which is higher than zero. But now with this scale, fraudsters could multiply their impact dramatically.
What Do We Do Now?
First, we need to acknowledge that document verification, which was always hard, is about to get a whole lot harder. This is just the beginning of this trend of broadening access to fraud tooling.
Second, we need to revisit our assumptions on what acceptable looks like for checking IDs online.
To date, a huge proportion of ID checks that happen online are still at least partially powered by humans. If you have ever waited more than 15 seconds to get a result after uploading your ID, there was a human on the other side manually checking that ID.
That is completely obsolete starting today. Humans will not be able to easily distinguish between deepfakes and real IDs. If bouncers can’t do it when they’re looking at or touching the fake IDs, what chance does some manual reviewer have looking at an image on a screen?
The most obvious fraud vectors are no longer the ones you need to be worried about. Why would you manually alter an ID or take a photocopy of it if you can just use a service to create a deepfake that is visually indistinguishable from a real one? Why take that risk as a fraudster?
We need to rethink our toolchain to catch the really scary fraud — the scalable, technology-powered kind.
The Path Forward
It’s time to fight fire with fire. Organizations need technology and big data to solve this next generation of digital identity problems, because humans are not the answer.
Here’s how that works:
Look at the full digital identity picture rather than examining each piece individually
Leverage a defense-in-depth approach
In security, you never rely on a single protection to keep bad actors at bay. Instead, you think about how you can create many layers of defense such that no single failure can cause full system failure.
The Answer: Predictive Document Verification
With Predictive DocV, we’ve packaged this all up into a single product. Before you’ve uploaded your first image, we have a huge amount of knowledge about the user who is going through the process:
Have we seen them before?
What devices have they used?
Is their information in the source of truth datasets?
Does the phone number they’re using correlate to their digital identity?
Are they likely to be a synthetic identity?
Are they likely to be a third-party fraudster?
Once we’ve answered those questions, we collect your identity documents and compare that to a selfie. In addition to our liveness and image recapture models, we are looking for inconsistencies in the data presented. This includes spotting minor visual flaws in the photos, as well as consistency with the submitted data versus the extracted data.
While this recent news is surprising for many, it’s not at all surprising to us at Socure. We’ve been anticipating this day, planning for it, and executing to prepare for this new reality. Welcome to the new age.
Eric Levine is the SVP, Head of Document Verification at Socure. Prior to that role, he was the Co-Founder and CEO at Berbix where they built privacy-first document verification products and were acquired by Socure in 2023. Prior to founding Berbix, he led the Engineering Trust & Safety team at Airbnb where he built many of the early components of the Airbnb identity systems.
Socure is the leading platform for digital identity verification and trust.
Its predictive analytics platform applies artificial intelligence and machine learning technology with trusted online/offline data intelligence from email, phone address, IP, device, velocity, and the broader internet to verify identities in real time.
885 Tahoe Blvd., Suite 1, Incline Village, Nevada 89451, US
