How can finance and crypto apps detect identity fraud and increase conversion rates?

"Organizations are under pressure to move more high-risk interactions online. However, the need to establish trust in the user’s real-world identity must be balanced with expectations for minimal friction in the user experience (UX)."

Gartner recently released an excellent Market Guide for Identity Proofing and Affirmation that acknowledges not only the importance of verifying a user’s identity, but also highlights the role of identity affirmation capabilities including location, device, email, and phone number to complement document-centric and selfie-based identity verification methods. 

I want to share some key takeaways and recommendations for companies to operationalize a strong identity proofing and affirmation process.

Two key quotes for me from the report are:

"Organizations are under pressure to move more high-risk interactions online. However, the need to establish trust in the user’s real-world identity must be balanced with expectations for minimal friction in the user experience (UX)."

and

"The need to obtain confidence in the real-world identity of a user during remote interactions remains paramount. Account opening, registration, application or enrollment are all typical cases in which identity proofing and affirmation is applicable. There is no single, one-size-fits-all approach. Identity proofing and affirmation capabilities can be combined in different ways depending on the use case, the level of confidence in an identity that is required, UX expectations and, of course, total cost of ownership."

Identity Affirmation as a Complement to Identity Proofing

Gartner separates identity verification methods into two main components: identity proofing and identity affirmation, as shown in the figure below:

Gartner

While identity proofing techniques of document verification and selfies are considered by Gartner to be table stakes, of more interest is the opportunity to use identity affirmation capabilities to reduce friction.

According to Gartner, identity proofing is the process of assuring that the real-world identity actually exists, usually in the form of document verification, and that the individual claiming the information is the true owner of the identity and is genuinely present during the process, which is usually done by asking the user to take a selfie but also can be based on matching the address associated with the identity to the device's location behavior.

Identity affirmation is the process of providing supporting risk or trust signals to an identity claim and if the identity exists but does not validate the presence of the valid identity owner.

In general, identity affirmation signals create less friction for users and are more economical. Therefore, the ideal identity verification process flow starts with identity affirmation and then follows with identity proofing. 

Based on our experience deploying identity affirmation processes using location and device intelligence, I want to share a few recommendations on implementing a solid identity proofing and affirmation process for mobile apps that are secure but user-friendly.

How to run a frictionless and secure identity affirmation process?

[banner_1]

Recommendation 1: check device integrity first

As the initial step in implementing an ID proofing and affirmation process, it is always good practice to verify the device's integrity by detecting anomalies such as the use of emulators, VPNs/proxies, location spoofing.

Recommendation 2: Do not rely on static PII data

Avoid relying only on static data approaches, like knowledge-based authentication (KBA) for identity verification. There have been too many data breaches, and we should assume that most users’ personal data is already in the possession of fraudsters, so companies should not rely on data-centric checks alone. Therefore, static databases and reliance on matching user-submitted PII to data-centric reviews is too risky.

Recommendation 3: Use identity affirmation signals wisely

The first step of opening a new mobile account is usually to verify the user's email or phone number.

For email verification, ensure that the email verification link was clicked on the same device in which the account was being created and verify if that email is not flagged in any email verification database.

If verifying the user's phone number, make sure you have a reliable way to detect SIM swapping in real-time.

Location can be used for identity affirmation, including verifying that the user is not located at a place with a history of fraudulent activity. Gartner recommends in the Market Guide the use of  Spoof-resistant location intelligence — using a combination of GPS, cellular, Wi-Fi and IP address data.”

Device intelligence solutions can verify if the device has previously been associated with fraudulent activities and whether it is associated with multiple other accounts, another red flag for fraud.

How to do solid but seamless identity proofing?

It's common for most high-risk ID proofing processes to match document scanning with selfies, but it may not be enough in many cases and some things require special attention.

If you are scanning document data, make sure that there is a trustworthy database of identities in the given jurisdiction, which is rare. Fraudsters can easily create fake identities in multiple countries.

When matching selfies with the picture in the document, make sure you use a strong form of liveness detection and don't deactivate it in case of a rejection. Our pictures are all over the internet, and on social media. This data can bypass facial recognition systems, even using deep fake technologies to create live videos.

Location behavior data can bind the device to the address associated with the real-world identity. In addition, this form of digital proof of address can run continuously, preventing fraud over the long term. 

"Spoof-resistant location intelligence — using a combination of GPS, cellular, Wi-Fi, and IP address data — can be correlated with the presented identity, specifically the address, to check for consistency and to affirm the identity claim. Risk signals based on user behavior offer clear benefits as a fraud detection capability within the identity proofing process."

Finally, device intelligence can also verify if the same real-world identity was associated with that device on a different mobile application because the user may already have finance or mobile commerce apps on the same device.

If you want to read more about identity proofing and affirmation, I recommend downloading Gartner's report on this link.

Most recent

How mobile gaming apps can block players out of licensed jurisdictions

Online gambling is regulated limiting individuals to place bets in specific locations. Some users try to spoof their location creating challenges for...

Fraud farms take advantage of location spoofing to swindle mobile gaming apps

With fraud farms, fraudsters are able to mechanize and scale up their fraud scams. Learn why location spoofing helps stay under the radar.

Apple announces use of location for fraud prevention

Apple Pay is now using location for fraud prevention. This is strong validation for Incognia's innovative location-based approach to mobile security.