Digital payment technology has made it faster, cheaper and easier to move money. But it’s also proved a goldmine for scammers. In this article we review three recent digital payment frauds that hit the headlines. Alarmingly, they all exploited weaknesses in biometric systems–the face and fingerprint scans we now use every day to identify ourselves.
Case 1: the Indian digital fingerprint scam
What happened?
The purpose of the Aadhaar enabled payment system (AePS), launched by the Indian government in 2014, was to provide financial services to people living in remote regions of India who do not have access to bank branches or digital technologies.
To enrol in Aadhaar, you have to allow a digital scan of your iris or fingerprints. In return, the Aadhaar system provides you with a 12-digit personal ID number. You can then make direct, real-time payments using your bank name, your 12-digit ID and by verifying your fingerprint or iris scan at the point of sale.
Aadhaar has been credited with unleashing an economic boom in India. It helped the country’s payment system leap from the colonial era to the 21st century almost overnight. Money transfers that used to take weeks now happen in an instant, giving a big boost to commerce.
But the digital revolution has left a wave of victims too, often the poor, uneducated and elderly. A decade after Aadhaar was introduced, many thousands of villagers across India have been tricked into handing away their life savings.
In a recent case reported on Boomlive.com, “Urmila Kumari, a resident of Nawada district in Bihar, lost 57,900 rupees to a scam where her fingerprints were cloned.”
Having caught the criminals, Boomlive went on, “the Nawada police […] recovered 512 cloned thumb impressions made of plastic-like substances. A scam has been brewing in the state of Bihar, and it targets the poor who are semi-literate and use the AePS for banking.”
It seems that the scammers would go around villages and collect fingerprints from residents using this special plastic. At the same time, they would casually ask for the prospective victim’s twelve-digit AePS ID.
The scammers would lure victims by promising instant loans and ration cards. In other cases, scammers were able to steal individuals’ digital thumbprints and Aadhaar numbers by bribing low-level employees at the Indian land registry.
To complete the fraud, the attackers would use a “customer service point”–an AePS-enabled retail store–to withdraw the cash. Of course, they could have used Aadhaar to transfer the money to their own bank accounts, but that would have left a trace.
The Indian scam likely relied on widespread collaboration between Aadhaar ePS operators, who are typically sellers in stores, and the scammers. Having an insider makes it easier for organised crime to take place.
The worst aspect of the scam? Many villagers didn’t know they’d been cheated until some time later, when they visited a bank and found their accounts had been drained.
What can we learn from the scam?
From the perspective of system security
One way of preventing the scam would have been to insist that Aadhaar payments require an iris scan (which is more secure), rather than falling back on digital fingerprints (which, as we have seen, can be cloned).
The Indian government could have invested in regular security attestations around its digital ID infrastructure, which would have helped highlight its weak points.
The widespread use of cash payments at Aadhaar ePS service points should have alerted the system operators to possible scams: if one service point handles an unusual volume of in-person cash transactions, the merchant might be conspiring with criminals.
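One way a system operator could act on that signal, as an added example (not code from the article, Aadhaar or NPCI): profile each service-point operator over a constructed transaction log and flag the ones whose activity is almost entirely cash withdrawals and whose withdrawal count dwarfs their peers. The log format, operator and customer ids, and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed AePS-style transaction records (not real data). Columns: timestamp,
# operator id, customer id (stand-in for the Aadhaar number), type, amount (INR).
SAMPLE_LOG = """\
2024-03-01T09:02 OP-17 C01 cash_withdrawal 9000
2024-03-01T09:06 OP-17 C02 cash_withdrawal 10000
2024-03-01T09:11 OP-17 C03 cash_withdrawal 8500
2024-03-01T09:15 OP-17 C04 cash_withdrawal 10000
2024-03-01T09:20 OP-17 C05 cash_withdrawal 9500
2024-03-01T09:24 OP-17 C06 cash_withdrawal 10000
2024-03-01T10:00 OP-03 C07 deposit 2000
2024-03-01T10:30 OP-03 C08 cash_withdrawal 1500
2024-03-01T12:10 OP-03 C07 balance_enquiry 0
2024-03-01T14:05 OP-03 C09 deposit 3000
2024-03-01T11:00 OP-09 C10 cash_withdrawal 2000
2024-03-01T13:40 OP-09 C11 deposit 500
"""

def parse_log(text):
    """Split each whitespace-separated line into a record; amount becomes an int."""
    rows = []
    for line in text.strip().splitlines():
        ts, op, cust, kind, amount = line.split()
        rows.append({"ts": ts, "operator": op, "customer": cust,
                     "type": kind, "amount": int(amount)})
    return rows

def operator_profiles(rows):
    """Per operator: transaction count, cash-withdrawal count and rupees paid out."""
    prof = defaultdict(lambda: {"txns": 0, "withdrawals": 0, "paid_out": 0})
    for r in rows:
        p = prof[r["operator"]]
        p["txns"] += 1
        if r["type"] == "cash_withdrawal":
            p["withdrawals"] += 1
            p["paid_out"] += r["amount"]
    return prof

def flag_operators(rows, min_share=0.8, peer_factor=3.0):
    """Flag operators whose activity is almost all cash withdrawals AND whose
    withdrawal count is far above the median of their peers. Returns a list of
    (operator, withdrawal share, rupees paid out) for follow-up by a human."""
    prof = operator_profiles(rows)
    flagged = []
    for op, p in prof.items():
        peers = [q["withdrawals"] for o, q in prof.items() if o != op] or [0]
        share = p["withdrawals"] / p["txns"]
        if share >= min_share and p["withdrawals"] >= peer_factor * median(peers):
            flagged.append((op, round(share, 2), p["paid_out"]))
    return flagged
```

In the constructed data only OP-17, which paid out 57,000 rupees to six different customers in twenty minutes, is flagged; the two peers with a normal mix of deposits and withdrawals are not.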
Could the victims have protected themselves?
Finally, a lesson for the victims: keep identity numbers (like your Aadhaar ID, US Social Security Number or UK National Insurance number) safe and do not share them with anyone unless you have to. If you give the numbers out, your chances of becoming a victim of fraud increase.
Case 2: The selfie bypass
What happened?
Last month, Which? magazine reported that two Revolut customers lost over £200k to scammers who managed to impersonate the victims while passing the e-money firm’s “selfie” security checks.
Revolut said it wouldn’t reimburse its defrauded customers. It said that in each case the customers had gone through multi-factor authentication checks. According to Revolut, the victims had:
- answered an email to their registered address asking them to confirm a login on a new device;
- entered an SMS security code sent to their registered phone number;
- and passed a selfie photo check, allowing access to the account.
Revolut told Which? that it was aware of a recent increase in “advanced account takeover scam” attempts by criminals across the industry.
I wrote about these techniques myself last year: in an experiment, I used deepfake photos of myself to bypass the verification process in a bank. I concluded that with open-source tools and commercial mass products, criminals with enough patience and even a shallow understanding of technology can bypass banks’ restrictions.
So what can we say about the recent Revolut case? It’s still not 100% clear what happened. Although bypassing selfie verification has become increasingly easy, it’s not so simple to utilise such methods with Revolut. This is because the Revolut app is unlikely to launch on a compromised device (it won’t launch if the phone is “rooted” or jailbroken). And Revolut uses machine learning to conduct “liveness checks”, aiming to protect its systems from the selfie bypass methods offered across dark web forums.
David Maimon, head of fraud insights at Sentilink, recently provided evidence of such dark web offerings: he showed how a Russian vendor advertised comprehensive packages containing Finnish passports and driver’s licences, accompanied by selfies and videos, designed to circumvent identity verification processes. Here’s another, similar offering. A “novel selfie bypass technique” was recently being promoted on dark web forums for $10,000. Payable in cryptocurrency, of course.
Revolut has been undertaking a hiring drive for machine learning experts, suggesting it’s investing heavily in this area. However, the recent scams suggest it still has work to do.
What can we learn from the scam?
From the perspective of system security
In a recent New Money Review article, I showed that each bank or payment firm has its own interpretation of multi-factor authentication when it comes to restoring access to an account. Some banks use SMS or e-mail confirmations to restore access, whereas others use video verification or require you to submit physical documents.
The effectiveness of each method depends on the capabilities of the attackers. If a hacker finds your phone, a selfie can be your best defence (though not, apparently, in this case). However, if the attacker is someone you know, such as a friend or business partner, then modern customer verification might not be enough. In any case, if you willingly give away your secrets, no anti-fraud measures can protect you.
This disparity of methods makes it very hard to improve overall digital payment system security. Worse, it offers multiple points of weakness to the determined scammer.
Perhaps the best thing we can say is that banks should use multiple verification methods, rather than fewer, to confirm customers’ ID.
Could the victims have protected themselves?
In the fraud cases described in Which?, the victims thought they were doing the right thing by entering one-time codes and communicating with the scammers via fake live chats, even though they were inadvertently handing priceless information away. Revolut offered the following advice to the Which? journalists:
- Never share your password, passcode, PIN, selfie or one-time passcode (OTP) with anyone else;
- If you receive an email asking you to confirm your device, when you haven’t added one or don’t recognise it, please ignore it and flag it as spam;
- Don’t click on any links or buttons in an email like this, or forward it to anyone else;
- Never download remote access software to your device;
- Scammers will send fake emails asking for these things, or use your email address to fail a login attempt, so they can contact you pretending to help secure your account;
- If you think you have fallen victim to a scam, freeze your cards immediately.
Case 3: Hijacked Face ID
What happened?
Last but not least, an amazing recent New Money Review story by Peter Krijgsman caught my attention because of the arrogance of the scammers.
Criminals targeted a sole trader and, by pretending to help him upgrade his broadband service, managed to get him to install TeamViewer on his phone. Then they remotely activated the facial verification procedure in the victim’s app to capture his face and add a new payee (the fraudster). This verification passed in a split second, as the victim was indeed staring at the phone at the moment of the theft. Using the victim’s own Face ID against him, they drained his bank accounts using the now-compromised banking app.
What can we learn from the scam?
From the perspective of system security
Many banks prevent Android users from logging in if TeamViewer is launched, or they replace the video stream with a black box if they see that a third party is trying to see what’s happening in your banking app. iOS is apparently doing better than Android in this area, restricting users from remote operations on iPhone devices.
Could the victims have protected themselves?
In the case described by Peter Krijgsman, once the victim had installed a screen-sharing app, allowing the scammers remote control of his mobile, there was effectively nothing he could do. So there is little we can offer apart from the general advice to be vigilant. And if you are not sure who you are communicating with, DO NOTHING AND CLICK NOTHING.
That’s easier said than done in an era of totally convincing deep fakes.
Summing up–general advice for the banks and service providers
Use continuous threat intelligence. I can’t stress enough how lazy criminals are. But they still succeed in fooling banks and their customers. Why? There will always be some easy trick that can be scaled and bring lucrative profits to reckless scammers. So learn not only from your mistakes but also from those of others. Even the most sophisticated security systems can be tricked if you look at them from a different angle.
From the payment firm’s or bank’s point of view, a key take-away is not to rely on one specific technology. Customer due diligence is an ongoing process, involving various standards and procedures. It’s a huge mistake to ignore these due diligence steps to support a frictionless “onboarding” experience. Never rely 100% on automated systems: involve staff instead!
Keep and analyse your backlog. In my last attempt to bypass biometric verification, I succeeded because many factors lined up at once. One of these was the lack of backlog analysis. Why would a bank, for example, not notice 30 verification attempts within a short period of time? This and many other less visible signs of abuse should be cross-referenced and analysed holistically every time.
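What that backlog analysis can look like, as an added example (not code from the article or from any bank): a per-account sliding window over a constructed log of verification attempts that raises two alerts, one when attempts pile up faster than a customer plausibly would, and one when a pass arrives only after a run of failures, which is the pattern a repeated bypass attempt leaves behind. The log format, account ids, window and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed verification-attempt events (not real data): one line per selfie
# or document check. Columns: timestamp, account id, outcome.
SAMPLE_EVENTS = """\
2024-05-02T09:30:00 acct-B pass
2024-05-02T10:00:00 acct-A fail
2024-05-02T10:00:40 acct-A fail
2024-05-02T10:01:15 acct-A fail
2024-05-02T10:02:05 acct-A fail
2024-05-02T10:02:50 acct-A fail
2024-05-02T10:03:20 acct-A fail
2024-05-02T10:04:10 acct-A pass
2024-05-02T10:15:00 acct-B fail
2024-05-02T10:45:00 acct-B pass
"""

def parse_events(text):
    """Parse the log into dicts with a real datetime for the timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, account, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "outcome": outcome})
    return events

def verification_alerts(events, window=timedelta(minutes=15),
                        max_attempts=5, max_failures=3):
    """Two signals on a sliding window per account:
    - velocity: more than max_attempts attempts (pass or fail) inside the window;
    - late pass: a pass arriving after >= max_failures failures in the window.
    Returns (account, timestamp, reason) tuples; the velocity alert fires once per
    account, the late-pass alert on every such pass."""
    recent = defaultdict(deque)          # account -> deque of (ts, outcome)
    alerts, velocity_seen = [], set()
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["account"]]
        q.append((e["ts"], e["outcome"]))
        while e["ts"] - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        failures = sum(1 for _, outcome in q if outcome == "fail")
        if len(q) > max_attempts and e["account"] not in velocity_seen:
            velocity_seen.add(e["account"])
            mins = int(window.total_seconds() // 60)
            alerts.append((e["account"], e["ts"], f"{len(q)} attempts in {mins} min"))
        if e["outcome"] == "pass" and failures >= max_failures:
            alerts.append((e["account"], e["ts"], f"pass after {failures} failures"))
    return alerts
```

On the constructed data acct-A trips both alerts within five minutes, while acct-B, whose three attempts are spread over more than an hour, raises none.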
General advice for the audience
Do you see the similarities in all these cases?
In each one, the victim was unwittingly helping to facilitate fraud by giving crucial pieces of information to the fraudsters. Whether it’s “just a bank ID” or a one-time code, such digital information should these days come with a “DO NOT GIVE IT AWAY TO ANYONE” disclaimer. The same applies to installing some new software whilst you are on a call with someone claiming to be a support team member.
In many of these scam cases, it’s difficult to decide whether the fraud was the victim’s fault or it was down to the bank’s incompetence and poorly designed systems. Here’s a recent New Money Review article of mine on the subject–you read it and decide!
Cover photo by Laili Sadr.