News Old

Online opportunists have wasted no time in sussing how to use QR codes to commit cybercrime. As quick as counting to three, this way they can access your personal details and use them in a number of ways that can wreak havoc.

Fake QR codes are increasingly creating chaos with regular reports of unsuspecting users finding a zero balance on their bank accounts overnight.

QR stands for Quick Read or Quick Response and the method is designed to do just that – provide you or a service with information. Similar to POS (Point of Sale) products which have bar codes, the QR codes have been tailored for smartphones. It is made up of digital square dots and black modules on a square white background and can be read by your phone’s built-in camera or a QR code reader application.

Real QR in Print

Legitimate companies use them to track and identify products and direct consumers to their websites. They are often found in magazines, flyers and business cards. Newspapers often use a Quick Read code to save on print costs. By scanning the code you are able to read more articles and even access videos on the subject you are interested in.

Real QR in Track and Trace

A QR code is proving invaluable to the NHS too, for its COVID-19 track and tracing. It can be found clearly displayed in restaurants, pubs and leisure venues. It is compulsory to display this QR code to record your contact details, which will only be used to inform you if COVID-19 outbreaks occur at that particular venue.

Real QR in Marketing

The Quick Read method is also beneficial for brand marketing. The code will give the consumer the option for finding out more about the product by clicking on the code that will direct them to the relevant website.

QR Click Jackers

Sophisticated cyber crooks have developed variations of fraud via the QR code route. They substitute legitimate Quick Response codes with bogus codes. As soon as you point your smartphone at the image you will have been click jacked. You might be directed to malicious sites which are almost identical to the real deal. These may include malware giving the criminals access to all your personal data that is stored on your phone. In this age where most of us have our bank’s app on our smartphones, it is even easier for them to infiltrate and retrieve sensitive data for fraudulent means.

QR Phishing

Fake QR codes could lead you to a bogus website, which might convincingly mimic a trusted brand or service. Here, you will be asked to provide certain personal details that will enable the fraudsters to commit their crimes. Even an email address is enough for them to drill down to your personal information. Once they have this data it will be used in the form of identity theft.

Here are ways to avoid a QR Code Scam:

• Never scan a standalone QR code. Don’t let your curiosity get the better of you by clicking on a box which isn’t linked to a service or product.
• Don’t scan in public places. If you chance upon flyers or posters with QR codes on bus stops and buildings, for example, avoid them at all costs.
• Check if the QR code is on a removable sticker. If it is, walk away because it is almost certainly a fake.
• Download a scanner app that can check the website the QR code is directing you to.

The value of digital ID verification is well known and proven by and for governments, border agencies and large financial institutions. In terms of national and financial security, robust ID checks keep whole populations and economies safe, in a very real way. What is perhaps not so well appreciated is the actual economic value that digital identification brings with it.

The ongoing global health crisis is highlighting to a perhaps unexpected extent exactly how valuable digital ID and ways of its verification can be. Latest research by international economists, however, is shedding some light on exactly that. Governments of both developed and developing countries should take heed of their findings.

Unlocking Potential Economic Activity

Governments place a great deal of importance on their individual countries’ gross domestic product (GDP). This is perfectly understandable, as GDP represents, according to Wikipedia: “… a monetary measure of the market value of all the final goods and services produced in a specific time period”. Other national economic indicators may be obtained from this base, but GDP is regarded as the very best indicator of the health of any nation’s economy.

A recent report by esteemed global economic think tank McKinsey Digital was based on a study of what it considered to be seven of the world’s most indicative economies; they were Brazil, China, Ethiopia, India, Nigeria, the UK, and the USA. The report found that, across these nations, between 3% and 13% of hidden, potential economic activity could be realized by better digital identification.

These figures are extremely important, for many reasons. Any responsible government wants economic prosperity for its citizens; if this can come without having to rely on outside help, so much the better. In effect, the McKinsey report shows that each of these countries has its own, untapped, natural resources.

Inclusive Benefits of Digital ID

If this in itself was not good enough news for citizens in these countries, even better news is that those economic benefits can actually be realized by individuals who have a “good” digital ID. Perhaps more than any other recent technological development, McKinsey Digital reports that up to half of the economic benefit of national digital ID improvement will find its way to individual citizens and their families.

This proportion is far higher than any other major infrastructure investments, which tend to benefit people in certain geographical locations within a country. If, for instance, a new road project is announced, only those living proximity to the services to which it gives access will feel any benefit; this is especially true in large countries like Brazil, India and the USA.

Investment in digital infrastructure, however, can literally benefit any citizen who has the ability to access and use it properly. This can make any individual a customer, supplier, worker, entrepreneur, taxpayer, tax beneficiary, participant in civil society, or asset owner.

Privacy and Other Concerns

Of course, with the adoption of digital ID in wider society always comes the need to protect individual privacy. Issues of civil and human rights need to be rigorously addressed by governments keen to improve their citizens’ access to digital services. It is to be hoped that confidence in secure online checking systems will help administrations make the right choices.

Gone are the days when forging someone else’s signature was the most common form of identity theft, but these days this art of impersonation has found far easier routes and these don’t always involve illegal online operations.

Closer than you think

Hacking or exploiting a computer system is probably the hardest for the crooks to crack. These crimes are often committed when your personal details are accessed through a public Wi Fi connection. Going out for a few drinks after work or treating the family to a Sunday roast could prove far costlier than you think. If you need to go onto the internet and its not your own broadband connection, you should be aware of the risks. Sophisticated cyber criminals can access everything from your bank statements, card details, date of birth and passwords while you are out and about.

Minimise the risk

Despite the internet being a fairly recent invention, most of us use it in some form or another. Some might think that the convenience of it all outweighs the risk, but there have been far too many horror stories of the unsuspecting losing their entire life savings. So, it is wise to find ways of minimising the chance of someone taking advantage of the ease of personal information access.

Cover all bases

When looking at ways perpetrators can plunder your personal details, think outside the box and whilst forging a signature is passé these days, you’d be surprised at how even the most basic ways personal identity fraud can be carried out.

Don’t bin it

After you have finished with your bank statements, utility bills, council tax correspondence and wage slips, don’t chuck them in the bin. Canny criminals can spot a pile of paper through refuse sacks and after a quick rifle through your rubbish, they can have everything from your date of birth to your sort code and account number.

Secure sites

Where possible, ask for paperless correspondence from your bank and from reputable organisations. They provide secure sites and go to great lengths to protect your personal details. If there is any untoward activity on your accounts, then they will take responsibility for any losses you might incur.

To prevent this, choose to have your accounts online with strong passwords to support them. Most banks and reputable organisations have secure sites and if there is any fraudulent activity on your account they will take responsibility for it.

Invest in a shredder

For all those hard copy accounts that you have on file, invest in a basic shredder. These telltale document details can safely be rendered undecipherable in no time at all. Investing in a shredder is a small price to pay for keeping your finances safely out of the way of scammers.

Memorise your PIN

Once you have received a new PIN number in the post be sure to memorise it and destroy it as soon as possible. You would be surprised how many of us keep evidence of our personal identity numbers in our purses and wallets.

In the age of the selfie, it makes sense for many members of the online ID verification community that they be part of the onboarding process. With timestamps and high quality digital images, there is a strong argument that a selfie can be a legitimate element of the verification process. This is especially true if applicants have limited access to other forms of ID due to technical or access reasons.

However, the issue of selfie adoption is quite complicated across different nations and global regions. Governments can have different priorities, based on perceived levels of threat from terrorism and organized crime, to name but two. Whether taking a selfie will make inroads into official recognition systems is still very much a moot point.

Selfies and the Financial Sector

One area of particular difficulty for selfie recognition is the financial sector. In particular, many countries’ regulatory authorities are very keen to enforce strict anti money laundering (AML) laws. This in turn is a result of the growing recognition that previously unchecked sources of revenue have come from illegal activity; specifically, terrorist organizations, drug runners and modern slavers.

The issue of AML security is particularly important to authorities in the USA. In that country, there have been many high profile cases of money laundering over the last few years, leading successive administrations to demand much tighter regulations against this type of financial criminality. As the US has itself suffered from terrorism and drug related problems, this is an understandable stance.

Against this background, the federal government is insisting on a three tier security system for identity verification, the highest of which is face to face checking. It is hoped that reliable proof of identity will stop criminals setting up bank accounts and laundering illegal funds. Selfies, in this context, are only permitted as part of the lowest level of checks, provided they are backed up by other security measures.

National and Regional Standards

The situation regarding selfie recognition is more complicated depending on different countries and regions around the world. For example, there are seven national regulators in Europe which have slightly different standards of facial recognition for financial business purposes.

There is a push by the European Union to standardize such online recognition across the bloc, but at present these are being resisted by certain countries, whose governments are particularly concerned about money laundering and its sources.

Technical considerations play a part in the online recognition systems of some nations. Germany, for example, is moving towards a video based verification system, supported by documentary evidence. In this case, the likelihood that selfies will be adopted in Germany is almost non existent.

Worldwide Picture

Elsewhere in the world, Mexico is the only Latin American state to have its own banking and security regulator, while Asia has four, based in those Asian countries which rely heavily on the financial services industry. Outside of these five regulatory authorities, it is much more likely that selfies will be legitimate sources of online verification; it appears that, at the present time, financial institutions and countries which rely on them are very much looking the other way.

You might have heard of this new phrase on the cyber block but have never really understood what it meant.

Phishing is as flaky as it sounds – it is a fraudulent attempt to obtain sensitive data such as usernames, passwords and credit card details under the guise of a trusted entity via electronic communication.

Electronic communication is by and large done via the internet these days, so it is this platform that makes phishing particularly prevalent and pretty easy to do if you aren’t in the know.

Phishing in the Pandemic

As if COVID-19 were not enough to cause devastation, phishers are riding this tragic wave to malicious ends. Reports of phishing have risen dramatically since the onset of the pandemic and this art of deception seems to be becoming more sophisticated too.

Here are a few ways to keep yourself safe from phishing:

Spell check

Spelling mistakes or typos scream scam. If you receive an email supposedly from your bank and it is full of spelling mistakes and bad grammar, then it is more than likely a scam. Multi-billion-pound corporations such as banks have teams dedicated to presenting clean and clear correspondence. Even though cyber criminals are stepping up their game, they are still going to slip up somewhere.

Getting personal

Major organisations value your personal details almost as much as you do, and they won’t ever ask you for your credit card details or national insurance number by email.
If you receive a seemingly genuine email asking for this type of personal information, see it as a red flag. The email might lure you in with promises of a refund or rebate, but don’t jump at replying with the data they require.

No room for panic

Professional phishers will often try and get you to do what they ask by putting you under pressure. One way of doing this is claiming your bank account will be frozen due to fraudulent activity. Your knee jerk reaction might be to agree to move your money into a “new” account, which, you will soon find out, has nothing to do with you.

When you receive requests like this, report them immediately to the relevant organisation the emails are pretending to be from. If you don’t, these sorts of shenanigans will be able to escalate and the next person might not be as savvy as you are.

Too good to be true

If you receive an email with a link for you to claim an astounding cash prize, you should pause before you click. An unsolicited email should be shady enough, but one promising you that there is gold at the end of your rainbow is even more so.

Just have a good look at the actual email address and the link itself. There should be some clues in both of these to make you realise that you were right to be cautious. Simply hover the mouse over the link without clicking on it and the full URL will appear. If this doesn’t match a company or organisation’s website, then it’s fake.

Also, check even more carefully for slight alterations to URLs you visited often. It might be as simple as instead of http://www.bigdaddycompany.com it might appear as http://www.bigdadycompany.com.

In the digital age, verification of identity is an ongoing battle. Unlike previous eras, the issue of trust – be that of people or documents – is something that has to be checked with every single new contribution or application. Sophisticated hackers and algorithms are a constant threat, meaning that veracity of source material must be proved every time.

The rise of social media also means that memories are short, both for people and devices. For these reasons, verification of online identity is a task which needs updating on a minute by minute basis.

Too Much Information

There is only so much information that a human brain can hold. This is the complete opposite of potential digital storage, which in theory is almost limitless. On a day to day basis, therefore, users of online resources need a series of filters in order to have any hope of dealing sensibly with all the facts and opinions out there.

This situation, of course, has led to the vexed issue of “fake” or “false” news. Lack of the right kind of filters, or verifiers, can lead the unsuspecting internet user down some dangerously dark alleys. Because all internet and media output in many ways looks and feels the same, it’s human nature to trust each one equally.

Real vs. Fake

Because online identity is so important, the fact that so much fakeness exists on the internet leads to a reaction against it. If anything, users and businesses viewing a person’s application for the first time online are likely to be more suspicious than trusting of its authenticity. As bots can create and use thousands of fake IDs every day, security conscious users are perhaps understandably skeptical of every individual applicant for services.

This distrust of online identity is something which younger generations almost take for granted. As Facebook approaches its second decade of existence, many under 25 year olds have grown up with it, plus other social media platforms. This perhaps comes with an inbuilt distrust of things and people presented for the first time; the pendulum has swung the other way.

Middle Ground

Rather than veering between paranoia and blind faith, businesses and individuals who rely on identity verification to function properly need a way of restoring some sort of normality. Provable software and processes which themselves have shown time and again that they work against online fraud can give people the reassurance they need in this uncertain world.

The fact is that businesses which offer protection from online ID fraud can prove their record, for all to see. This is, of course, an ongoing process, and one which needs to improve every minute to keep its reputation. One of the good things about big data, after all, is that it never goes away.

When suppliers and consumers of products and services looking for trustable users want somewhere to go, they will rightly search for providers with the best track record. In a world of understandable paranoia, success in online verification is still a record which should be provable beyond doubt.

Artificial intelligence is widely accepted as being the development which will take online IT systems to the next level, with its massive potential to predict trends and reproduce user activity. Usually mentioned in the same breath or sentence is the term machine learning, or deep learning. These terms refer to the depth of information available in big data, and automated, AI attempts to learn from it.

Sadly, if not unpredictably, there are security concerns associated with deep learning; specifically, the emergence of the Deepfake. Thanks to big data, people’s identity can sometimes be replicated to such an extent that even victims themselves can’t believe it’s not them. Needless to say, deepfake needs to be taken seriously by the online verification industry.

Deepfake and Onboarding

Fraudulent identity creation of the sort represented by deepfake is potentially most likely to be attempted during onboarding. This is when meticulously recreated human behaviour can be generated using CGI, enough (it may be hoped by the fraudsters) to fool electronic know your customer (eKYC) software systems.

As documents themselves become ever harder to fake, hackers may now be hoping to use deep learning to take it to the next stage, having skipped as many of the documentary checks as possible. With the continuing arms race being fought to create unforgeable e-docs, it is at least conceivable that a fake human being may help get through the onboarding process.

For the more paranoid (or, careful) members of the online security community, a fake video of Barack Obama talking about flying saucers will no doubt send shivers down the spine. With CGI and deep learning so highly advanced, surely this could represent a potential threat to onboarding?

Likelihood of Deepfake Succeeding

Fortunately, at least for the moment, security experts do not see deepfake techniques being a threat to online identity verification. As things stand, there are two factors which mitigate against the likelihood of an artificially generated online human presence managing to fool eKYC processes.

Firstly, biometric identification technology is extremely effective. Finely tuned mathematical modelling enables security checking software to detect whether a video stream is the result of real time, real person activity, rather than a pre-recorded file generated by computer. Ironically, the computer doing the detecting knows when it’s watching something created by another computer.

Secondly, the amount of information needed to create deepfake is huge. Hoaxes posted online of politicians and celebrities saying things they didn’t are only possible because those individuals have thousands of hours of high definition video files available for the deepfakers to work with. For the average individual, this amount of video is impossible to find.

The Battle Continues

As with so much else in the world of online identity verification, there is no room for complacency. Fraudsters and hackers continuously strive to find ways to fool checking systems, which in turn become ever more efficient.

At present, hologram technology is just one of the many hidden features which careful security software can employ to verify documents, and streaming of real people in real time for onboarding separates the genuine from the fake. For the moment at least, deepfake is not fooling the online verification industry.

Businesses, no matter how small, need an online presence these days, often making them fair game for cyber confident tricksters.

There is no doubt that e-commerce paves the way for businesses to reach their target market, but on the downside it’s these business that fraudsters find easy to target.

It Comes at a Price

By introducing an efficient e-commerce option on your website, you must be confident that your product or service is viable. Your aim is to increase sales through your online presence. This is all well and good and is likely to reap benefits but be aware that you could be the victim of e-commerce fraud. Experian, the credit reporting company, reported that there was a 30 per cent increase in this type of fraud in a 12-month period between 2016 and 2017. It claims that a reported 11 per cent of the UK’s population were victims of identity fraud over the same period.

It goes without saying that e-commerce is a blessing for any budding business, so don’t let online fraud stand in the way of your business making a healthy profit.

The main e-commerce threats are identity theft and friendly fraud.

Identity Theft

Fraudsters in possession of a credit card’s relevant details are sure to go down the online route. This is because it eliminates any personal contact with the retailer Making authorisation mandatory with each payment can go a long way to protect you from scams.

A standard authenticity test isn’t foolproof though and it won’t necessarily stop any shady transactions unless the card is reported lost or stolen. As long as there’s sufficient funds in the account and the card number and three-digit security code is correct, it will result in a done dodgy deal.

Adding the authenticity layer, however, does mean you won’t be liable for reimbursing the full amount to the genuine cardholder. If you do have to refund the actual cardholder the money this is known as a “chargeback” and you should keep records of these transactions so that you won’t be stung by the same fraudster again.

Friendly Fraud

Watch out for this because it can have an impact on your profits. A friendly fraud means that your customer pays for a product and then claims it was never delivered or that it was damaged in transit. This results in refunds or even replacing and delivering the product again.

This type of fraud is so prevalent it has been categorised into:

• Accidental fraud – when the buyer can’t recall initiating the transaction and demands a chargeback.
• Family fraud – when a member of the family purchases items without the consent of the cardholder. This fraud is often carried out by young children.
• Opportunistic fraud – when a customer makes an online purchase such as a plane ticket, knowing that they can negotiate an upgrade rather than a refund.

It is inevitable these challenges will come your way and it is make or break depending on how you approach them. Don’t forget the backbone of your business is customer loyalty. It will pay in the long run if you see this type of fraud for what it is – friendly.

Government authorities and other major institutions are increasingly looking for means of identity verification online due to the social distance rules applied since the global Covid 19 outbreak. For some, this means playing catchup; and for many others, the processes available are either too slow or too weak to suit their purposes.

Of the many shortcomings exposed by the pandemic, the issue of identity verification is certainly one causing a lot of headaches for professionals and organisations concerned with avoiding fraud and criminal access. It is to be hoped that relevant agencies learn lessons about the importance of robust, trustable and convenient online ID verification.

Widespread Demand for Online Checks

In times of limited face to face contact, the issue of identity is probably more important than ever. That’s certainly true in the opinion of law enforcement and border control agencies, and also for financial institutions in both the public and private sectors. As anyone involved in online security checking knows, it is often far too easy for criminals of various backgrounds to assume the identities of innocent citizens, and use this theft for their own purposes.

Of course, just because there is a global pandemic of a deadly disease, many aspects of society must still function as near to normal as possible; this includes legal action, employee recruitment and, in some cases, processing of travel documents such as visas. Without these essential processes, societies would suffer more than could be reasonably expected, illness notwithstanding.

It is at just these interactions with applicants and services users, however, that the issue of identity verification comes to the fore. Many societies still rely on face to face document checking, which has now suddenly become impossible. Slightly too late in the day for some, relevant agencies and businesses are suddenly looking for remote, online checking procedures.

Mismatch of Supply and Demand

For those new to the world of online ID verification, its differences from the face to face version can be something of a wake up call. The fact is that physical documents such as passports can come with many tens of inbuilt, sometimes hidden, security features. This ranges from the look, feel and weight of the material the document is made from, to more modern artefacts like contactless chips.

From this level of security used in physical documentation, suddenly checks used for online checking drop dramatically in number; often less than 10 for a virtual document or image. More recent improvements such as biometric checks are also far from common in online verification systems.

Heightened Need for Catchup

Of course, security agencies and financial institutions cannot lower their standards because the level of checks available online differs from that in the “real” world. For this reason, demand from those organizations is increasing, both in terms of the checks available, and training for their staff in how to apply them. Suddenly, the importance of being able to trust the provenance of an image presented as ID verification, for example, acquires great significance.

With the effects of the current pandemic likely to change society forever, those institutions which will always need robust ID checks are themselves experiencing something of a revelatory moment.

The 2020 Covid 19 pandemic and subsequent measures to deal with it in the UK have led to a reprisal of previously touted and abandoned national ID schemes. As the online element of any such scheme would be cited as one of its main strong points, potentially this could have major implications for the online identity verification industry.

However, as with previous incarnations of any British identity checks, talk of resurrecting or designing a new online verification system are problematic. For reasons highlighted already during the pandemic, the pros and cons of online ID checking are provoking much debate.

British Identity and the State

The UK has a rather unique relationship with its own residents. Often referred to as “citizens”, in fact anyone born in the country is a Crown Subject. Citizenship became a widely used term when the UK was part of the EU, but now that relationship has ended. With it has also gone the idea of citizens and their “rights” in the widely held usage of the terms.

British subjects have civil liberties, not rights. This is one of the many technical and legal niceties with which the UK’s constitution (which remains unwritten) is riddled. Some of the liberties involved date back to the middle ages, while others are rarely brought to the surface. To do so in the light of the internet is bound to provoke a whole lot of questions about identity and intrusion.

Previous Attempts at ID Verification

The last attempt at a UK identity card scheme began in 2006 with the Identity Cards Act. This was hailed as a way of moving the country’s population forward in the digital age, with every “citizen” able to easily prove their identity, in person or online. The motivation behind the scheme was to prevent fraud of many kinds, but specifically fraudulent access to NHS services by foreign nationals.

The Identity Cards Act 2006 was repealed in 2010. The incoming administration scrapped it immediately in a move popular within its own party and in the wider community. This action seemed to strike a cord with a perceived British distrust of the “surveillance state”. It also had the advantage of saving the new government billions of pounds of investment in a newly austere financial environment.

Coronavirus and Identity

The Covid pandemic, lockdown and ensuing developments have led to calls for a revival of digital ID checks from some quarters; including the previous Prime Minister who introduced the 2006 Act. With public spaces being asked to impose restrictions on customers, verification of identity and residence has taken on added importance and urgency.

In the opinion of its proponents, a digital ID card and scheme would enable business owners and other premises managers to quickly check their customers’ appropriateness, as well as avoiding potential fines and other penalties.

To opponents, however, renewed calls for a national ID scheme are using a time of national crisis as an excuse to erode civil liberties. With a poor track record of testing and tracing technology in the UK, and evidence of abuses elsewhere, any attempt at a UK digital ID scheme faces serious hurdles.