A comprehensive work on how the biggest names in Identity Verification industry were tricked, trolled and fooled by a simple method.
I never imagined that one day I would conduct fake identity verification demos in the name of investigative journalism online. But that’s what we did and as it came out it’s not too easy to secure online marketplaces. I thought that ID verification is foolproof, but clearly, it’s not.
Identity verification has been the talk of the town ever since terrorist funding and terrorism increased in the world, so we decided to see how reliable these services are.
In this digital age, identity theft, cyber crimes, and ID fraud are a commonly occurring phenomenon in the digital landscape and it requires a permanent deterrence against such issues.
Since more business transactions are occurring online. Customers don’t have to be physically present to conduct business, creating many opportunities as well as challenges for businesses. One of the major challenges online businesses face is the verification of customer identity. Several verification services provide expert solutions when it comes to identity-, document-, and or other types of verification.
Businesses verify user identities to create trust online and offline, prevent identity fraud, and comply with privacy and anti-fraud regulations. Identity verification can be accomplished through different means such as photo-based identity document verification, face authentication, and checking against the public databases. We tried our luck with the most advanced technologies available today.
A tabular representation of the services provided by the top Identity verification service providers:
We compiled a list of top identity verification solution providers and conducted extensive testing on their platform to check if businesses can trust these services providers to perform a crucial task of ID verification on their customers. After contacting these services and performing ID verification on their platforms we divided these providers into three subsections and ranked them on the scale of 0–5 depending on parameters like: Pricing, duration of verification, authenticity of verification and customer service.
Disclaimer: The demo video is available for proof. The identity of the person is hidden due to security and privacy concerns. These rankings are based on parameters devised by us and do not represent or imply anything.
To our surprise, some service providers simply verified the fake documents and declared them original. Here are those providers:
Jumio uses the power of AI, biometrics, machine learning, and liveness detection to stop fraudsters from infiltrating your online ecosystem and get in compliance with KYC/AML. Even though Jumio has its fair share of legal trouble and bankruptcy along with the mass clearing of employees in India. It still is regarded as one of the top services
Financial Services, Retail, Travel, sharing economy, Gaming, Telcos, Mobility & Healthcare.
It was quite hefty to get a demo from Jumio. They interrogate prospects deeply by asking different sorts of verification documents which is quite good because if you are looking to establish business relations with someone you need to ensure everything but the process was very much like a criminal interrogation. Anyhow their verification process is required to be done on different devices. After downloading the software on the phone the results have to be updated on the link provided by them. The process of sending selfies was slow and results were displayed after 5 minutes. When the data was finally uploaded, they verified the fake ID card which was quite interesting because Jumio is regarded as the top verification firm in the sector.
Cynopsis solution automates your client on-boarding and screening processes and conducts ongoing due diligence and record-keeping. Theirs is a product based on screening against AML lists.
Financial Services Sector (including FinTech start-ups) and the Professional Services Sector
They claim to be the oldest Asian firm. However, their system is easy to surpass. We used a $2 dollar proxy and free online verification number to get through their system.
There was no other language found apart from English and the system had no other option. For a country that doesn’t have the option of expiry in their document, they didn’t have the option to deselect it. We had to put a fake expiry date there and the verification process took 15 minutes. Ironically the camera was not getting the liveness detection of a real person so we had to get a studio light to clear the liveness process and get it done twice. With all these hurdles and strict process we never thought they will authenticate fake ID documents but that’s clearly what they did.
Cynopsis demo — Showing the result of a ‘verified fake’ ID card
ID Scan is enhancing environments and experiences through identity verification and information gathering to improve compliance, safety, and customer satisfaction.
Healthcare, Automotive, Dispensaries, Education, Finance, Gaming, Property Management, Hospitality, Law Enforcement, Night clubs & bars, Non-profit, Retail.
US and Canada only
While talking to their representative we got a sense that they don’t have any idea about the verification or there was some communication gap because the representative was speaking in a Russian accent and at once, we thought that they might be based in Russia. However, this is purely an assumption based on our experience, after all, America and Canada are a land of diverse people. But they were unable to verify ID from non-American countries.
They are one of the leading providers for identity verification in Europe. The IDnow platform offers complete flexibility across a wide range of KYC services, from fully automated to agent-assisted solutions as well as design solutions.
Finance, Insurance, Automotive, Mobility, Telecommunications, eCommerce, Gaming, Digital Contract Management.
The story of getting a demonstration from IDnow is quite long and interesting and may need a full report to explain the difficulties. Nonetheless, keeping things simple and short we had to do some real work to get their demo. The main issue, however, is that they also verified the fake ID. We tested their services from our “imaginary” identity documents and as explained earlier they verified our document.
ID Now — Showing the result of a ‘verified fake’ ID card
Some rejected the fake IDs, still do they satisfy client requirements?
Shufti Pro is the youngest of the names mentioned here. According to them they are gaining the market share rapidly owing to the “fast and secure” document verification.
Financial Services, Peer to peer economy, Gaming, Crowdfunding, Telecommunication, Travel
Getting their demo was not instant, but we got an email with details after 15 minutes. We used European origin cards. Their back-office was complicated but we got our first rejection in 60 seconds. Then we tried with a proxy location and different cards. After the result, we got a message “Too many declines, seek expert advice”. Then to get rid of them we had to verify with one real ID. The average of 3 verification times was 50 seconds. But we were a bit surprised that they didn’t verify any of the fake documents.
Sum & Substance is a KYC/AML platform that helps businesses verify IDs through facial biometrics, document screening, and background checks of new customers in compliance with rules & regulations.
Fintech, Trading, Gaming, Transportation, Market-places
Our call was received by a guy with a Russian accent, whereas we thought there would be a British guy. He was quite helpful however we can’t say the same about their system. This is visible from the result shown in the image below. They declined the card based on the time taken for them which was 13 minutes. However, they failed to mention the issue with the image: was it quality or something else. We found no guidelines regarding the quality of the image and neither did sum and substance provided us with such. Fake documents were passed easily in terms of identity check.
Au10Tix is a global provider of security services to environments such as aviation, border control, and sensitive facilities with more than 20 years of experience.
Financial, Marketplaces, Sharing economy, Telecommunication, Crypto-currency
In the call, we were told by their team that: “this is the best service”. They are completely based on Artificial Intelligence unlike their competitors and equipped with many other “technical jargon” which are hard to recall by a journalist but after 5 server failures.
They finally provided us with the system which was working, well at-least, it took the image, and again the issue was low light. We took the image in sunlight with a benchmark phone and it still was rejected. The result as displayed in the picture shows the data of a completely different person. After seeing the OCR we decided not to waste time on them.
Onfido uses AI-based technology to assess whether a user’s government-issued ID is genuine or fraudulent and then compares it against their facial biometrics. That’s how they onboard customers remotely and securely by providing KYC/AML services, identity verification, and fraud detection.
Financial services, Market places and communities, Gaming, Transport, Retail & eCommerce, Healthcare, and Telecommunications
They responded very quickly in the first attempt. A greek guy asked for more than $20k minimum purchase before the start. When we said that we have low volume he simply muted our queries. We went again this time with a big volume and a different company. We found them racist because the company was Non-American and European. They refused to contact us and we had to get in touch with their senior management for a reply.
After that, they fired a barrage of documents and still no demo. They asked us to send them complete details (images, codes of website, etc) which are very risky for a small business owner and a technopreneur. Code can be sabotaged and the lady leading the conversation was discriminating toward the person because the chosen location check was an Arab country.
No demo available.
Trulioo helps businesses meet compliance requirements, mitigate fraud risks, and increase trust and safety online through AML watchlist check, ID document verification, Electronic identity verification, Business verification, and Data partners.
They were very good on call and customer support was excellent. They cordially deal with EU companies. Whereas their dealings with Asian clients were far from satisfactory. When we pursued as an Asian, the response was quite disappointing, still, after too many questions asked by them, fellow journalists decided not to pursue after too much documentation requirements. Also, we were asked to deposit a fee before getting a demo.
No demo available.
Zeal ID is an electronic signature, it is an in-app registration. Accepted by all public authorities in the EU. And admissible as compliant identification for any licensed bank or financial provider in the EU.
Banks, Financial institutions
25 markets in the EU
Zeal ID appears as a Google Ad when searching for Trulioo. After getting their demo we encountered a major issue, their link was not working, we got stuck at the first step of facial recognition. So we had to abandon our attempts to get our documents verified. We are sure this might be good in the future but at the moment it seems nothing more than an unfinished launched product.
GBG establishes trust between businesses and their customers to help organisations quickly validate and verify the identity and location of customers.
E-commerce, Fintech, Gambling, Public sector, Retail banking
They are just another giant who added KYC service in their portfolio, not a product for everyone because there is no product for small and medium buyers just imagine the cost of a custom system.
They provide customised solutions as per the requirement of the clients. So, No demo available.
Jumio perhaps is the biggest name when it comes to the verification service providers. One would think that they would have covered all the issues. However, it might not be that true as only recently Jumio was called upon a platform saying:
This is one of the biggest scandals there can be, it also shows callousness when it comes to handling data especially sensitive data. It is up to you when it comes to data. The company was sued by its own investor in 2016. So a company that has a tricky past can cause big problems for your brand in the future. In the other news:
Jumio had to reach a settlement under a class-action lawsuit as reported by the biometric update. This is shameful as it shows the grey areas of the giant even though they claim to be extremely cautious when it comes to data privacy. Employee security is another thing that matters when you are handing your business to someone with such a sketchy past.
Onfido is a well-known name in the industry and has a reputation to consider, but at this moment that reputation is on the line:
So what is the Informed Consent Act that Onfido has allegedly breached? The Biometric Information Privacy Act was passed by the Illinois General Assembly back in 2008, it makes a collection of data without informed consent as an unlawful act, it specifically refers to biometric information. Now if you look at the title it shows an alleged breach of collection of data without consent. Biometric information is personal information so it is a privacy breach also. Onfido looks like they are in deep water and they will have to dig their way out of it.
This work is based upon our research and how we reached these big guns, your experiences might differ but we have looked into these every possible way. You might not agree with it but you must understand that as an individual work, it is all based on experiences, the intention of this report is not to demean anyone but a mere comparison amongst the big boys in the industry.
This article may contain affiliate links or referral tracking links. We make no warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability concerning the directory or the information, products, services, or related graphics contained in the report for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Furthermore, the opinions here belong to the author alone and don’t reflect the views of the Hacker Noon organization.