Crypto app frauds on the rise; what you should know before investing

Financial services organizations are mandated by know-your-customer (KYC) and anti-money laundering (AML) laws to verify the identity of users who open new accounts. However, crypto apps are not entirely secure yet, and there are hidden backdoors to sneak information out.

 

While cryptocurrency prices were touching new all-time highs (ATH) in 2021, so were crypto-related crimes. A Chainalysis report revealed a whopping $14 billion was siphoned off from wallets linked to illicit activities in 2021. That is a 79.5 percent jump from the $7.8 billion swindled in 2020.

 

As crypto adoption continues to rise faster than ever, it is no surprise that crypto theft is picking up pace too. In 2021, the global crypto transaction volume was pegged at $15.8 trillion, a number that has ballooned by 567 percent since 2020.

In a Telegram interview with Crypto.news, scammers admitted they opened between 1,500 and 2,000 fraudulent accounts on crypto exchanges every month using fake identities. The identities were created using stolen personal information and used for money laundering and other criminal activities. Let’s find out how this was done.

As part of the robust Customer Identification Program, crypto exchanges must verify the KYC details, including the address, of new account creators. To complete this step, users must submit proof of address.

Incognia, an identity authentication service provider, took a closer look at the 19 most prominent crypto apps to evaluate their user identification process. Their study revealed three possible ways to illegitimately get through this verification process:

 

Synthetic IDs:

As the name suggests, a synthetic ID is created by picking out parts from multiple user details and using them to fabricate a new user. This information may have come from stolen social security numbers (SSN), drivers’ licenses, names, and addresses made available on the dark web, which is full of content that is not indexed by search engines and is difficult to access without specific software or authorization. All the information may even belong to a single user. Such synthetic IDs not only allow scammers to pass the verification phase but can also be used to fool unsophisticated facial recognition software.

Real faces for real IDs:

Incognia also unveiled to Crypto.news that real user information is available to fraudsters on hidden channels for as little as $7 per user. Once the account has successfully mimicked a real person, it can even be put up for sale.

Spoofed locations:

Faking one’s location has long been possible using Virtual Private Networks (VPNs). VPNs have been used on the dark web to mask the IP addresses of cybercriminals who can otherwise be precisely tracked down if they do not hide their locations. Therefore, fraudsters can fake their locations and open accounts from anywhere in the world. However, such activities can now be detected during the address verification process and are glaring red flags for exchanges.

While testing the crypto apps, Incognia also delved deeper into the onboarding process for new users. It was found that the apps also deployed various techniques to verify user addresses and match them with the country of residence. Some of these methods included:

 

Verification via document uploads:

In this step, users upload their documents to the app, which then uses Optical Character Recognition (OCR) to verify the details with the database available in the region. The databases used for referencing could even be sourced from the regional motor vehicle department.

However, we already know that these static databases can be hacked into, and the stolen data is put up for sale on the dark web.

IP addresses:

Crypto apps still use IP address tracking to check if users are indeed filling out the forms from the location they claim to be from. Some apps even monitor the ZIP code of the new user at the time of account creation.

However, all this may be in vain, as we just saw how easily locations can be spoofed to bypass this step.

The Incognia study mentions that the 19 apps they tested have been using ineffective and fragile security measures that pose no challenge to fraudsters. 10 out of 14 exchanges directed new users to input address information, whereas only 4 asked for the country of residence and ZIP code. Of the 10 apps that did require addresses to be entered, only 5 went so far as to ask for a picture of the users’ driving licenses for address verification.

However, none of the 19 apps demanded proof of location using geolocation techniques. They did not even ask users to upload recognized address proof documents such as utility bills – telephone bills, electricity bills, etc.

App developers consider KYC and AML regulations the primary cause of user drop-offs during the onboarding process. Therefore, they resort to a more user-friendly process that is not too demanding. This approach is known as ‘progressive onboarding’ – a framework wherein further verification is done when the user wishes to deposit or withdraw funds from their accounts. Progressive onboarding is also very common in India.

Growth in awareness is crucial for warding off scammers, and users must, therefore, strive to remain abreast of the developments and concerns associated with crypto exchanges.
