Deepfakes are causing massive disruption across industries and are threatening companies’ security, reputation and bottom line. Every day there are new reports of criminals breaking through online security protocols and defrauding businesses and their customers around the world.
InfoSec and IT departments are scrambling to put better policies and systems in place to prevent deepfakes. But fraudsters use a variety of sophisticated techniques such as deepfake faces, face morphing and face swapping along with video injection to bypass the camera and inject these digital attacks into the selfie process. This enables them to impersonate employees and customers, making it very difficult to spot that the person isn’t who you think they are.
To make matters worse, there are dozens of deepfake tools available that are inexpensive (some are even free) and easy to use, creating a low barrier to entry for fraudsters. Unless you’re using AI to fight AI and taking a multi-pronged approach to identity verification, you’re fighting a losing battle.
Following are the steps you must take to help stop deepfakes from taking down your business.
1. Check user’s ID + selfie + liveness during onboarding.
If your company is a likely target for deepfakes, it’s essential that you stop fraudsters at the front door. When a new user is setting up an account with your business, it’s no longer enough to check their ID and let them upload a selfie. You need to be able to detect deepfakes of both the ID and the selfie.
Your identity verification solution must use sophisticated ID document verification algorithms that catch manipulated IDs (such as when the fraudster uses photo editing software to change the data on a legitimate ID) or synthetic IDs (those that have been completely fabricated), including those that have real photos or AI-generated images. For example, Jumio examines image metadata and uses a pipeline of machine learning models to look for different types of fraud attacks.
It’s also essential that you use advanced selfie verification and liveness detection that can catch spoofing attacks. Solutions that let the user take a selfie image and upload it as a file simply can’t cut it anymore. To prevent deepfakes, the solution must control the selfie process and take a series of images to determine whether the person is physically present and awake: not sleeping, not a mask, photo or video, and not a deepfake. The liveness detection step must use advanced AI and machine learning models that have been trained on a variety of real-world data. This step is absolutely crucial for stopping fraudsters, who can now create very lifelike deepfakes that easily fool older identity verification technology. The selfie verification step should also offer other biometric checks such as age estimation to flag selfies that don’t appear to match the data on the ID.
2. Layer in risk signals for additional assurance.
We are in a technological arms race with fraudsters, and spoofing attacks are getting more sophisticated all the time. That’s why we recommend adding another layer of assurance with risk signals. Passive risk signals can run in the background and assess the level of risk with no friction to the user journey. For example, you can verify personally identifiable information (PII), check the age and reputation of the user’s email and phone number, verify the user’s location through their IP address, and even check the trustworthiness of the device they’re using before they’ve entered any information at all. If the signals indicate elevated risk, you can then perform more stringent checks on the user. This means you can have a streamlined onboarding journey for your low-risk customers and only introduce friction as needed, which is essential for onboarding your legitimate customers quickly and efficiently.
3. Perform biometric authentication for high-risk activities.
After the customer has onboarded, how can you make sure their account stays safe? If their account is only secured with a user name and a password, chances are a fraudster is buying that information on the dark web and will be logging in to their account soon.
You can help prevent account takeover by implementing multi-factor authentication. But even more important than keeping fraudsters from logging in is keeping them from performing high-risk activities. If a criminal logs in and looks around but can’t change the user’s password, withdraw or transfer money, or do anything else harmful, they will quickly move on.
That’s why we recommend implementing biometric authentication before any of these potentially high-risk activities. For example, Jumio’s authentication solution simply prompts the user to take another selfie, which is then compared to the biometric template that was created when they onboarded. Because this solution also uses advanced liveness detection, it is very effective at preventing criminals from using deepfakes for account takeover and provides much more security than other forms of authentication such as knowledge-based authentication (KBA), SMS, or two-factor authentication (2FA). And because it’s so fast and easy, it doesn’t create unnecessary friction for legitimate users.
Choosing the Right Technology to Stop Deepfakes
While no solution can stop 100% of fraud, it’s important to choose an identity verification vendor who stays on the cutting edge to lead the fight against ever-evolving fraud technology. That’s why Jumio invests so heavily in constantly improving our solutions and our machine learning models, including tracking the development of the families of generative models that are used as the engines for deepfake sites.
Jumio’s industry-leading technology maximizes protection from deepfakes through a variety of approaches.
- Document Analytics: Jumio performs AI-driven fraud checks on government-issued ID documents to ensure that each submitted ID conforms to government templates and does not exhibit signs of fraudulent tampering, such as text and photo manipulation. Using informed AI, our advanced machine learning models can detect sophisticated attacks that are undetectable by the human eye.
- Biometric Analytics: Jumio’s face-based biometric technology compares specific facial features from the selfie — such as the distance between the eyes, nose, and ears — against those of the ID photo, ensuring they’re the same person. Our advanced liveness detection technologies can spot sophisticated attacks including face swaps, face morphs and other advanced spoofing attacks. We leverage state-of-the-art technologies — including active illumination, camera injection detection, and eye and face motion analysis — to defeat these attacks and confirm that the person and their ID are physically present.
- Data Analytics: Jumio uses advanced optical character recognition (OCR) to extract data from the user’s ID. We cross-check repeated instances of that data in the human-readable zone (HRZ) as well as the machine-readable zone (MRZ), barcode and NFC chip, if available. We also calculate the user’s age for age verification. We then check the data against a wide array of industry-leading, third-party data sources to provide an unmatched level of assurance and fraud protection to businesses worldwide.
- Predictive Analytics: Jumio 360° Fraud Analytics uses AI-driven predictive analytics to identify fraud patterns across our cross-enterprise network and accurately predict the likelihood of fraud whenever a user goes through our ID verification process. This approach goes beyond assessing the user’s ID and selfie and adds sophisticated behavioral analytics to determine how each identity transaction fits within our vast network. This makes it simple to spot much more complex connections and is especially effective at detecting fraud rings.
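The cross-check described under Data Analytics can be illustrated on a passport's machine-readable zone. The following is an added example, not Jumio's code: it goes one step beyond the text by first validating the ICAO 9303 check digits of MRZ line 2 and then comparing the fields with values read from the HRZ. It assumes a TD3 (passport) MRZ and HRZ dates already normalized to YYMMDD; the function names and the HRZ dictionary are hypothetical.

```python
# Added example: ICAO 9303 TD3 (passport) MRZ line 2 cross-checked against
# OCR output from the human-readable zone (HRZ). Sample HRZ data is constructed.
WEIGHTS = (7, 3, 1)

# (field name, start, end, index of its check digit) within line 2
FIELDS = (
    ("document_number", 0, 9, 9),
    ("birth_date", 13, 19, 19),
    ("expiry_date", 21, 27, 27),
    ("personal_number", 28, 42, 42),
)

def char_value(c):
    """MRZ character value: digits as-is, A-Z -> 10..35, filler '<' -> 0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"character not allowed in an MRZ: {c!r}")

def check_digit(data):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10

def cross_check(line2, hrz):
    """Return a list of findings; an empty list means MRZ and HRZ agree."""
    if len(line2) != 44:
        return ["mrz: line 2 must be 44 characters"]
    findings, mrz = [], {"sex": line2[20]}
    for name, start, end, cd in FIELDS:
        mrz[name] = line2[start:end].rstrip("<")
        if check_digit(line2[start:end]) != char_value(line2[cd]):
            findings.append(f"mrz: bad check digit for {name}")
    composite = line2[0:10] + line2[13:20] + line2[21:43]  # positions 1-10, 14-20, 22-43
    if check_digit(composite) != char_value(line2[43]):
        findings.append("mrz: bad composite check digit")
    for name, value in hrz.items():
        if mrz.get(name) != value.upper().replace(" ", ""):
            findings.append(f"mismatch: {name} differs between HRZ and MRZ")
    return findings

# Line 2 of the ICAO Doc 9303 specimen passport, plus constructed HRZ OCR values
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
HRZ_OK = {"document_number": "L898902C3", "birth_date": "740812",
          "expiry_date": "120415", "sex": "F"}

if __name__ == "__main__":
    print(cross_check(SPECIMEN, {**HRZ_OK, "birth_date": "840812"}))
```

A birth date edited only in the printed zone surfaces as a single HRZ/MRZ mismatch, while a birth date edited in the MRZ without recomputing the check digits fails both the field check digit and the composite check digit.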
Once you choose a vendor, it’s also important to select the right integration channel. For example, Jumio enables businesses to implement identity verification into their existing workflows through a Web Client, Web and Mobile SDKs, and REST APIs. Each channel has its advantages, but to provide maximum security against deepfakes, we recommend using the Mobile SDKs.