Cybercriminals on the Dark Web buy IDs to bypass KYC methods
- Researchers from iProov found a group that bought consumer identity data
- The data is used to circumvent KYC processes
- Companies will have to opt for a multi-layered approach, says iProov
Hackers have found an easy way to obtain people’s sensitive information and then use it to bypass Know Your Customer (KYC) processes by purchasing the information directly from victims.
New research from identity verification and fraud prevention company iProov revealed an “advanced approach to compromise identity verification systems” through a “systematic collection of real identity documents and images.”
iProov said it has discovered a dark web group engaged in the mass collection of identity documents and associated facial images, effectively compensating victims for the information. It didn’t say how much money they gave for one set of data.
Multi-layered approach
The group operates in the Latin American region, but the researchers said they also observed similar operational patterns in Eastern Europe and shared their findings with local authorities.
Commenting on the findings, Andrew Newell, Chief Scientific Officer at iProov, warned against selling personally identifiable information to anyone.
“When people sell their identity documents and biometric data, they are not only putting their own financial security at risk – they are providing criminals with complete, authentic identity packages that can be used for sophisticated impersonation fraud,” he noted. “These identities are particularly dangerous because they contain both real documents and matching biometric data, making them extremely difficult to detect through traditional authentication methods.”
iProof hinted that organizations will need to implement a multi-layered authentication approach in the near future as current identity verification systems can be easily spoofed. This approach would require people to first confirm that they are human, and then that they are the right person, all of which would have to happen in real time.
“This multi-layered approach makes it exponentially more difficult for attackers to successfully spoof identity authentication systems, regardless of their level of sophistication,” iProov concludes.
“Even sophisticated attacks struggle to defeat all of these security measures simultaneously, while still preserving the natural hallmarks of real human interaction.”