Bitcoin
Bitcoin (BTC)
$101,204.00 2.18131
Bitcoin price
Ethereum
Ethereum (ETH)
$3,960.63 5.91924
Ethereum price
BNB
BNB (BNB)
$714.93 3.66436
BNB price
Solana
Solana (SOL)
$231.46 2.35382
Solana price
XRP
XRP (XRP)
$2.41 1.29816
XRP price
Shiba Inu
Shiba Inu (SHIB)
$0.0000288 2.47564
Shiba Inu price
Pepe
Pepe (PEPE)
$0.0000246 3.48823
Pepe price
Bonk
Bonk (BONK)
$0.0000393 3.95782
Bonk price
dogwifhat
dogwifhat (WIF)
$3.08 3.82681
dogwifhat price
Popcat
Popcat (POPCAT)
$1.24 0.62048
Popcat price
Bitcoin
Bitcoin (BTC)
$101,204.00 2.18131
Bitcoin price
Ethereum
Ethereum (ETH)
$3,960.63 5.91924
Ethereum price
BNB
BNB (BNB)
$714.93 3.66436
BNB price
Solana
Solana (SOL)
$231.46 2.35382
Solana price
XRP
XRP (XRP)
$2.41 1.29816
XRP price
Shiba Inu
Shiba Inu (SHIB)
$0.0000288 2.47564
Shiba Inu price
Pepe
Pepe (PEPE)
$0.0000246 3.48823
Pepe price
Bonk
Bonk (BONK)
$0.0000393 3.95782
Bonk price
dogwifhat
dogwifhat (WIF)
$3.08 3.82681
dogwifhat price
Popcat
Popcat (POPCAT)
$1.24 0.62048
Popcat price
Bitcoin
Bitcoin (BTC)
$101,204.00 2.18131
Bitcoin price
Ethereum
Ethereum (ETH)
$3,960.63 5.91924
Ethereum price
BNB
BNB (BNB)
$714.93 3.66436
BNB price
Solana
Solana (SOL)
$231.46 2.35382
Solana price
XRP
XRP (XRP)
$2.41 1.29816
XRP price
Shiba Inu
Shiba Inu (SHIB)
$0.0000288 2.47564
Shiba Inu price
Pepe
Pepe (PEPE)
$0.0000246 3.48823
Pepe price
Bonk
Bonk (BONK)
$0.0000393 3.95782
Bonk price
dogwifhat
dogwifhat (WIF)
$3.08 3.82681
dogwifhat price
Popcat
Popcat (POPCAT)
$1.24 0.62048
Popcat price
Bitcoin
Bitcoin (BTC)
$101,204.00 2.18131
Bitcoin price
Ethereum
Ethereum (ETH)
$3,960.63 5.91924
Ethereum price
BNB
BNB (BNB)
$714.93 3.66436
BNB price
Solana
Solana (SOL)
$231.46 2.35382
Solana price
XRP
XRP (XRP)
$2.41 1.29816
XRP price
Shiba Inu
Shiba Inu (SHIB)
$0.0000288 2.47564
Shiba Inu price
Pepe
Pepe (PEPE)
$0.0000246 3.48823
Pepe price
Bonk
Bonk (BONK)
$0.0000393 3.95782
Bonk price
dogwifhat
dogwifhat (WIF)
$3.08 3.82681
dogwifhat price
Popcat
Popcat (POPCAT)
$1.24 0.62048
Popcat price

Fraud in Crypto Apps Has Never Been Higher

News
Fraud in Crypto Apps Has Never Been Higher

Cryptocurrency is rapidly becoming  mainstream, not only with record numbers of cryptocurrency users but also unfortunately with record fraud numbers.

A recent survey by Pew Research showed more than 86% of Americans are now aware of cryptocurrency and the number of cryptocurrency users is now estimated at more than 300 million. And this growth of awareness has also attracted fraudster’s attention, with fraud in crypto also reaching a  peak in the past year. With a bountiful set of fraud techniques and creative scams, fraudsters have been successful in not only accessing and withdrawing funds from victim’s crypto  accounts but also opening new accounts to be used for money laundering. 

Fraud in Crypto Apps Has Never Been Higher

Cryptocurrency-related crime grew 79% in 2021, with more than $14 Billion of the funds deposited in crypto wallets being tied to criminal activities.

In a recent interview via Telegram, fraudsters admitted to opening between 1,500 to 2,000 accounts per month in crypto exchanges using synthetic identities. These are fake identities constructed from a combination of stolen personal information. Such accounts are used for money laundering or other types of profitable crime. Today in professional hacker forums, it is possible to buy a synthetic verified crypto exchange account for $150, and also read tips and advice on how to open a new account using a fake, synthetic identity.

Know Your Customer and Your Fraudster

Know your customer (KYC) and Anti-Money Laundering (AML) regulations require financial services organizations to verify the identity of customers as part of new account opening, however today’s fraud detection is leaving the door open for fraudsters on crypto apps. Balancing the need for security and catching fraudsters at the front door is a challenge when faced with wanting to onboard new users as fast as possible. 

Currently, one of the KYC obligations for crypto exchanges is address verification, according to the Bank Secrecy Act (BSA). In addition, the Crypto Exchanges must have a Customer Identification Program (CIP), and one of the pieces of information required in the CIP is the address, as well as a proof of address.

At Incognia, we took a close look at 19 crypto mobile apps to see how they were balancing security and friction by reviewing  their onboarding process to see how the user address is verified as part of identity verification.

The fraudulent techniques used to pass address validation at new account opening include:

Fake and synthetic IDs – A synthetic ID is made up of a combination of stolen pieces of personally identifiable information along with fake information – for instance a stolen SSN, address, name, fake drivers license. Individual ID items may be real, either stolen or purchased on the Dark Web, they may even originate from different people and then are combined to create a synthetic identity. Using this synthetic ID it is possible not only to pass the document check with put-together documents, but also fool less sophisticated face recognition systems.

Real IDs and faces – Fraudsters pay as little as $7 for people willing to pass the verification on a crypto exchange using their own real identity real identification documents  and their face and deliver the account for sale.

Location Spoofing – Professional fraudsters, when recruiting apprentices to fake an ID verification, explain another go-to, and usually effective way to fake compliance: faking the mobile phone location. Part of the instructions in dark-web forums state that the perpetrators should use a virtual private network (VPN) to disguise an IP address, to allow them to fake their location when opening the account. So any fraudster on the other side of the globe could open an account with a fake ID and pretend they are, for example, in New York City.

The location spoofing part of the account opening factories is key, since successfully detecting location spoofing is a quick way to detect a fraudster. If a user is faking their address that is a large red flag during the identity verification process.

Address Verification is not just for KYC compliance but is also a powerful tool to prevent fraud

During the onboarding, the tested crypto apps employed a number of techniques to verify a new user address and also check compliance with country of residence. The most common techniques used include:

Address Verification Using Uploaded Documents – Requiring the user to upload an ID or document to verify, via optical character recognition (OCR), to match the uploaded data with the information provided during onboarding. The information in the ID could be cross referenced with static databases, such as the DMV or bureaus.

One problem with relying on pinging static databases is, in many international jurisdictions there may not be address databases available online. Even where address databases do exist, they may be incomplete and sometimes may provide dated information.

The bigger problem is that most of these static databases have leaked in the past and the data is available for purchase in online forums, making it easy for fraudsters to use this information to create accounts using fake or synthetic identities.

IP address – It is one of the most common ways still in place for mobile apps to determine if a person is opening a new account from where they are claiming, be it country of residence or zip code. The information filled in by the user is matched with the IP address location.

Today, location is routinely spoofed using a variety of techniques. There are five common techniques fraudsters use to spoof their location, including VPNs, Proxies, GPS spoofing apps, emulators, instrumentations and app tampering. VPNs and Proxies are the fraudsters go-to solution against IP address location verification.

What we found in the recent Incognia study is that the current address verification techniques used by nineteen leading crypto mobile apps is one of the most fragile forms of KYC during onboarding. Ten of fourteen exchanges required the new user to input declared address information and four apps required the input of country of residence or ZIP Code, but none of the nineteen apps required a proof of address using geolocation or via an uploaded document such as a  utility bill or credit card statement. In other countries, such as the UK, the upload of a document to prove address is required, but in the US it is not typically requested, presumably because it adds friction to the onboarding. Out of the ten apps requiring address info, only five required a driver’s license picture, which could alternatively be used to verify the address via OCR and matching the data with a static database such as the DMV database. It is usual that static information in databases is incomplete or dated.

The requirements of  KYC and AML regulations is the main source of friction for onboarding on crypto exchanges, and this is the main reason why the majority of apps are using a soft onboarding process, which is also called progressive onboarding, an approach in which the heaviest part of the identity verification is left for when the user makes their first attempt to deposit funds or trade crypto. It is notable that the two exchanges not supporting progressive onboarding and requiring an ID scan were also the ones with the highest friction during the onboarding.

To learn more about the techniques used by leading crypto apps for identity verification at onboarding and also, which were the mobile apps presenting more friction to users, download the Incognia Onboarding Mobile App Friction Report – Crypto Edition.

This blog contains excerpts from the Incognia Crypto Mobile App Friction Report – Onboarding.

Fraud in Crypto Apps Has Never Been Higher - 1

About the author: André Ferraz is co-founder and CEO at Incognia, a privacy-first location identity company that provides frictionless mobile authentication to banks, fintech and crypto exchanges and wallets, for increased mobile revenue and lower fraud losses.