Cybersecurity researchers are urging companies to enhance their customer interaction protocols and tighten verification checks following the discovery of a major operation aimed at harvesting biometric data from shadow Internet sources.
The Biometric Threat Intelligence Service IPROOV reported that an underground group, whose name was not disclosed, had amassed a vast collection of identity documents and corresponding photos of individuals for the purpose of bypassing Know Your Customer (KYC) checks. The group’s activities pose significant challenges for organizations that rely on selfies for customer identity verification, as they now must not only detect fake documents but also prevent the misuse of authentic data by fraudsters.
Of particular concern is the voluntary sale of personal data by individuals for short-term financial gain. Andrew Newel, the chief researcher at IPROOV, highlighted the risks associated with such actions, noting that they not only jeopardize individuals’ financial security but also enable criminals to compile comprehensive data sets for sophisticated fraud schemes.
The hacker group uncovered by IPROOV primarily operates in Latin America, with local law enforcement agencies already informed about its illicit activities. However, similar fraudulent operations have been observed in Eastern Europe and beyond.
Moreover, cybercriminals are not only exploiting genuine documents to evade verification processes. According to a recent report by Entrust, deepfake technology generated by artificial intelligence accounts for a significant portion (24%) of attempts to deceive biometric tests based on movement. This technology is commonly used by banks and other service providers for user authentication.
Despite the growing threat of deepfakes, simpler authentication methods like selfies are targeted less frequently (5%) due to their susceptibility to traditional fake techniques. The exposure of operations involving the sale of biometric data underscores the imperative for stronger cybersecurity measures. Safeguarding personal identity is not solely the responsibility of organizations but also a matter of individual awareness about the value of digital data.