Crypto Apps Go Mainstream with Users and Fraudsters
Cryptocurrency is rapidly becoming mainstream, not only with record numbers of cryptocurrency users but also unfortunately with record fraud in crypto apps.
A recent survey by Pew Research showed more than 86% of Americans are now aware of cryptocurrency and the number of cryptocurrency users is now estimated at more than 300 million. And this growth of awareness has also attracted fraudsters’ attention, with fraud in crypto also reaching a peak in the past year. With a bountiful set of fraud techniques and creative scams, fraudsters have been successful in not only accessing and withdrawing funds from victims’ crypto accounts but also opening new accounts to be used for money laundering.
Cryptocurrency-related crime grew 79% in 2021, with more than $14 billion of the funds deposited in crypto wallets being tied to criminal activities.
In a recent interview via Telegram, fraudsters admitted to opening between 1,500 and 2,000 accounts per month in crypto exchanges using synthetic identities. These are fake identities constructed from a combination of stolen personal information. Such accounts are used for money laundering or other types of profitable crime. Today in professional hacker forums, it is possible to buy a synthetic verified crypto exchange account for $150, and also read tips and advice on how to open a new account using a fake, synthetic identity.
Know Your Customer and Your Fraudster
Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations require financial services organizations to verify the identity of customers as part of new account opening; however, today’s fraud detection is leaving the door open for fraudsters on crypto apps. Balancing the need for security and catching fraudsters at the front door is a challenge when faced with wanting to onboard new users as fast as possible.
Currently, one of the KYC obligations for crypto exchanges is address verification, according to the Bank Secrecy Act (BSA). In addition, crypto exchanges must have a Customer Identification Program (CIP), and one of the pieces of information required in the CIP is the address, as well as a proof of address.
At Incognia, we took a close look at 19 crypto mobile apps to see how they were balancing security and friction by reviewing their onboarding process to see how the user address is verified as part of identity verification.
The fraudulent techniques used to pass address validation at new account opening include:
Fake and synthetic IDs – A synthetic ID is made up of a combination of stolen pieces of personally identifiable information along with fake information – for instance, a stolen SSN, address, name, fake driver’s license. Individual ID items may be real, either stolen or purchased on the Dark Web; they may even originate from different people, and they are combined to create a synthetic identity. Using this synthetic ID, it is possible not only to pass the document check with put-together documents but also to fool less sophisticated face recognition systems.
Real IDs and faces – Fraudsters pay as little as $7 for people willing to pass the verification on a crypto exchange using their own real identity, real identification documents and their face, and deliver the account for sale.
Location Spoofing – Professional fraudsters, when recruiting apprentices to fake an ID verification, explain another go-to, and usually effective, way to fake compliance: faking the mobile phone location. Part of the instructions in dark-web forums states that the perpetrators should use a virtual private network (VPN) to disguise an IP address, to allow them to fake their location when opening the account. So any fraudster on the other side of the globe could open an account with a fake ID and pretend they are, for example, in New York City.
The location spoofing part of the account opening factories is key, since successfully detecting location spoofing is a quick way to detect a fraudster. If a user is faking their address, that is a large red flag during the identity verification process.
During the onboarding, the tested crypto apps employed a number of techniques to verify a new user address and also check compliance with the country of residence. The most common techniques used include:
Address Verification Using Uploaded Documents – Requiring the user to upload an ID or document, which is read via optical character recognition (OCR) so that the uploaded data can be matched with the information provided during onboarding. The information in the ID could be cross-referenced with static databases, such as the DMV or bureaus.
One problem with relying on pinging static databases is that in many international jurisdictions there may not be address databases available online. Even where address databases do exist, they may be incomplete and sometimes may provide dated information.
The bigger problem is that most of these static databases have leaked in the past and the data is available for purchase in online forums, making it easy for fraudsters to use this information to create accounts using fake or synthetic identities.
IP address – This is still one of the most common ways for mobile apps to determine whether a person is opening a new account from the location they claim, be it country of residence or ZIP code. The information filled in by the user is matched with the IP address location.
Today, location is routinely spoofed using a variety of techniques. There are five common techniques fraudsters use to spoof their location, including VPNs, proxies, GPS spoofing apps, emulators, instrumentations, and app tampering. VPNs and proxies are the fraudster’s go-to solution against IP address location verification.
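The weakness of the IP-only check described above can be seen in a short added example (not code from Incognia or from any of the tested apps). The geolocation table, the anonymizer range list and the `device_country` signal are constructed assumptions that stand in for a real IP-intelligence feed and an on-device location signal.

```python
import ipaddress

# Constructed sample data using RFC 5737 documentation ranges. A real system
# would query an IP-geolocation feed and a VPN/proxy range list instead.
GEO_TABLE = {
    "192.0.2.0/24": "US",      # residential ISP (constructed)
    "198.51.100.0/24": "US",   # VPN exit pool hosted in the US (constructed)
    "203.0.113.0/24": "BR",    # residential ISP (constructed)
}
ANONYMIZER_RANGES = ["198.51.100.0/24"]


def ip_country(ip):
    """Country for an IP according to the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


def is_anonymizer(ip):
    """True if the IP falls inside a known VPN/proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in ANONYMIZER_RANGES)


def naive_check(declared_country, ip):
    """IP-only verification: pass when the IP country equals the declared one."""
    return ip_country(ip) == declared_country


def layered_check(declared_country, ip, device_country=None):
    """Return location risk flags; an empty list means no red flag.

    device_country is a hypothetical second signal (country derived from
    device location services); it is skipped when not available.
    """
    flags = []
    geo = ip_country(ip)
    if geo is None:
        flags.append("ip_not_geolocated")
    elif geo != declared_country:
        flags.append("ip_country_mismatch")
    if is_anonymizer(ip):
        flags.append("anonymizer_ip")
    if device_country is not None and device_country != declared_country:
        flags.append("device_country_mismatch")
    return flags
```

An applicant who declares a US address while connecting through the constructed US VPN pool passes `naive_check`, but `layered_check` returns flags for the anonymizer IP and for the device signal that disagrees with the declared country.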
What we found in the recent Incognia study is that the current address verification techniques used by nineteen leading crypto mobile apps are one of the most fragile forms of KYC during onboarding. Ten of fourteen exchanges required the new user to input declared address information and four apps required the input of country of residence or ZIP code, but none of the nineteen apps required a proof of address using geolocation or via an uploaded document such as a utility bill or credit card statement.
In other countries, such as the UK, the upload of a document to prove address is required, but in the US it is not typically requested, presumably because it adds friction to the onboarding. Out of the ten apps requiring address info, only five required a driver’s license picture, which could alternatively be used to verify the address via OCR and match the data with a static database such as the DMV database. It is usual that static information in databases is incomplete or dated.
The requirements of KYC and AML regulations are the main source of friction for onboarding on crypto exchanges. This is the main reason why the majority of apps use a soft onboarding process, also called progressive onboarding: an approach in which the heaviest part of the identity verification is left for when the user makes their first attempt to deposit funds or trade crypto. It is notable that the two exchanges not supporting progressive onboarding and requiring an ID scan were also the ones with the highest friction during the onboarding.
To learn more about the techniques used by leading crypto apps for identity verification at onboarding, and which mobile apps presented more friction to users, download the Incognia Crypto Mobile App Friction Report – Onboarding.
About the author: Andre Ferraz is co-founder and CEO at Incognia, a privacy-first location identity company that provides frictionless mobile authentication to banks, fintech, and crypto exchanges and wallets, for increased mobile revenue and lower fraud losses.