Fraudsters are always evolving, and with AI tools, they can move faster than ever. Deepfakes and other AI tools allow manipulation in real time. Fake IDs that used to take weeks to make now take minutes. When identity is the core of your safety online, that puts you at risk. Identity fraud protection, detection, and prevention have to evolve along with fraudsters’ tactics. Things like biometrics and digital identity checks are changing the game.
See Real Time Fraud Detection with Bala Kumar for a complete transcript of the Easy Prey podcast episode.
Bala Kumar is the Chief Product and Technology Officer at Jumio, and he’s spent the last fifteen years working with fraud prevention and identity. In the past, he worked at TransUnion, where he led global fraud and identity product groups. Now at Jumio, he focuses on reusable digital identities, biometrics, and fraud prevention at scale. Being able to verify who’s on the other end of a transaction – whether that’s someone opening a bank account or talking to you on a dating app – is at the center of online trust. And without trust, everything falls apart, online and in real life.
Identity sits at the center of trust online. And if you can’t trust who’s on the other end … then everything else falls apart.
In the fifteen years Bala has worked in this space, it’s been like the Tom and Jerry cartoons. Cybersecurity pros and cybercriminals are constantly running around and beating each other up. You build a wall, and they’ll come back with a taller ladder. But in the last year or so, the explosion of generative AI tools has escalated the fraud system. They’re really useful in fraud prevention, whether that’s building products or scaling systems. But those tools are also easily available to fraudsters.
We’ve seen multiple generations of AI images now. If you look at one from even six months ago, it’s easier to tell it’s been manipulated. Now, the quality is much better. It’s hard to tell real from AI.
Imagine where we’ll be in another six months. It’s concerning. The good news is that security professionals saw it coming. They’ve already been working to deter these attacks, and in general they’re catching most of them. But identity fraud detection is an always-changing game. Bala won’t be surprised if the bad guys come up with something even more powerful someday. But security professionals will be working on their own defenses in the meantime.
Just because AI can create high-quality images doesn’t necessarily mean that’s what fraudsters are using. Back when they used to create physical fake IDs, they wouldn’t just print them. They’d also scrape them up and make them look like they had some wear and tear. Now they do something similar with AI. Too perfect is suspicious, so they put some noise and quality issues into it. The image itself isn’t the giveaway. But the manipulation leaves digital footprints that identify it.
Bala’s general guidance to his team is that the ones that they spot are generally the amateurs. The real test is how many of the sophisticated, smart ones they missed. At Jumio, they have a Quality Service Team that audits everything after the fact to see if anything got through. Every now and then, they find something. No identity or fraud protection service is perfect. The key is that not very many get through, they do get spotted, and then you can start closing those gaps.
No fraud system out there is 100% perfect. There will be some amount of fraud that gets through the door.
A common pattern in any type of fraud is spikes. Fraudsters poke at every possible system, and once they find a way in, there’s a spike – a huge uptick in attacks. They attack until the organization figures out how to stop them. Then they realize it’s no longer working and move on to another target. Bala and his team have learned a lot from stopping these spikes. There have been many instances where spikes in attacks have led to new innovations or enhancing existing protections.
The increase in generative AI tools has increased spikes, as well. Even going back a few quarters, the number of attack vectors and the volume of each spike have increased. Injected camera attacks – taking over a camera and injecting alterations or a different image or feed altogether – have especially increased.
Bala has seen many times that they move on to try the same types of attacks against other Jumio customers, not realizing they all use Jumio. Because Jumio has created defenses now, all their customers have them. It doesn’t matter which customer gets hit first, they all end up blocked.
Fraudsters aren’t necessarily acting together – different fraud rings try the same tactics at different times. But they are adapting faster. They used to send hundreds of attacks before they gave up. Now they’ll move on after only a few dozen. Most fraudsters don’t want to batter down your defenses, they want the biggest payout with the least effort.
Fraudsters are constantly looking for the path of least resistance. The moment they realize that somebody’s … defense is up, they don’t waste their time.
In the past, financial institutions led the way with identity fraud protection. They were at the forefront because identity fraud was such a big deal for them. Then other companies adopted their solutions after the fact. This has changed dramatically lately. Especially with gaming apps, dating apps, rideshare apps, and similar things, end user interactions are much more frequent than with financial institutions. Now we’re seeing identity and fraud protection innovations across different types of industries.
And with the fintech boom, things are moving faster, too. There’s nothing wrong with large organizations, but big banks have regulations, compliance teams, fraud operations, risk teams, and probably more monitoring all the solutions they try. They’re like an ocean liner – big and powerful, but they take significant time to get anywhere.
Fintechs, dating apps, and other apps are more like startups. Their existence at the end of the year depends on their funding, so they have to move faster. They’re not waiting for others to set the example anymore.
Financial services techniques also may not apply as much in other places. Because those transactions have such big impact, they’re often okay with putting more friction on end users, and end users put up with it for the security. A rideshare app can’t have the same restrictions as your bank. Imagine trying to call an Uber and having to fill out a dozen forms first. You’d skip the app and just call a cab! Consumers want less friction, but less friction leads to more risk. Organizations like Jumio have to find the right balance between friction and convenience.
A lot of the traditional fraud techniques haven’t really changed. They still prey on vulnerable people, inspire strong emotion, and use urgency to drive reactions. When the email says “Your payment is overdue, click here,” that’s trying to force you to act. Some of the techniques they’re using these days aren’t about upgrading those techniques as much as making them look more legitimate. We don’t see the blinking text and banners from scam emails twenty years ago.
Fraudsters are making them look better and more realistic.
Generative AI tools let them create much better images, too. Whether that’s an identity document, biometrics, pictures for verification selfies, manipulating a background, or anything else, their identity fraud arsenal is more sophisticated. They’re even using open source tools for their attacks. They no longer have to wait days or weeks for their fake ID to be printed. Now they can generate a sophisticated ID and realistic deepfake in half an hour. There has been a huge increase in these kinds of attacks in the past six months.
One verification method used to be having the person send a photo of themselves somewhere specific or holding something specific, or to jump on a Zoom call to spot glitchy deepfakes. But unfortunately, those things are no longer good enough for identity fraud protection.
Identity fraud protection strategies vary based on a lot of factors. A big one is what kind of financial or risk impact a deepfake could have. If you’re on a Zoom call trying to figure out an important financial transaction, you need to be very sure you have the right people. If you’re on a Zoom call for a casual chat about the fraud industry, you don’t necessarily need the same degree of control. It depends on the context and the risks involved.
There’s a combination of different factors that need to go into how you design your fraud detection system and controls.
The impact defines what kind of controls you need and how many risk layers need to go into it. In Bala’s opinion, the easiest option is biometrics. A few years ago, he wouldn’t have been so certain about that, but now so many people are used to unlocking their phones with their faces or fingerprints that it’s become second nature. It’s strong protection and it’s easy to use.
Jumio actually implemented this recently with an offsite in India. Instead of making people show their IDs at the hotel, they had everybody preregister and took facial biometrics. When they showed up at the hotel, all they had to do was take a selfie with an app and they were approved to go in. Biometrics don’t provide a ton of friction and they can make sure you’re working with the right person. In the earlier Zoom example, Zoom could integrate a biometrics layer when logging in – do a quick check to make sure it’s the right person, and if not, kick them out.
Biometrics … is something that can work very effectively and gives you the confidence that you need that you’re interacting with the right person.
Jumio right now is working on a biometrics-based multi-factor authentication system. If implemented, it could require people to verify they’re real people before logging into things like dating apps and social media.
Everybody is pretty much used to biometrics right now. It’s not even generational now, as even older adults often use it for their phone. A lot of Jumio customers are already using it for account recovery processes and payments. It’s the least friction possible to still be secure. All you have to do is hold your phone up to your face like you’re taking a selfie and you’re done. Behind the scenes, software is running models to verify you, and then you’re done.
For some things, people are okay with a lot of friction. If you’re recovering your account, or trying to claim a million-dollar jackpot, friction gives you confidence that it’s secure and it’s worth the hassle. But a lot of things aren’t.
Biometrics are the least friction possible. It’s even easier than two-factor authentication because you don’t have to put in a code.
If you care about identity fraud protection, there are a lot of questions you could ask. But who’s answering them? Bala downloads a lot of apps. Often there’s no information available unless you go through a process to ask. And even if you go through that process, there’s often no way to know how good the checks are or how they’re configured.
As a consumer, there’s no marketplace that rates apps on their level of identity fraud protection. There’s no inventory of apps with grades or even basic information. You’re essentially limited to whatever the developer decided to provide and any reviews in the app store that may be useful.
Ideally, we would all take time to verify the security of our apps before we download them and make accounts. But in the real world, that’s often not practical, and it’s something most people aren’t thinking about.
Bala recently helped his dad with his phone, and discovered that his dad had downloaded dozens of apps without even knowing what they did, because they’d been recommended to him. Bala would love to see some sort of marketplace or other option where someone provides a rating for every app’s security and privacy practices. There’s a lot of opportunity and value there.
The most important thing to protect yourself as a consumer is to consider whether you really need to give out any information. If in doubt, ask! Many organizations have forms that ask for a lot of data, but they don’t need all of it. The less you can give out, the better.
Learn more about Jumio at jumio.com, where they have a ton of resources for anyone interested in identity fraud protection. Connect with Bala Kumar on LinkedIn. He is always happy to answer questions.