Identity fraud is a game of cat-and-mouse. For every new technique you develop to keep bad actors out, they’ll come up with a new way of getting around it.
A lot of those techniques are fairly rudimentary. But overall, fraud is getting harder to catch. Data from our Identity Fraud Report 2022 showed that the bar is getting higher. So while there might be more volume at the bottom end, what’s at the top is now more difficult to identify than ever before.
One area where we’ve seen an increased volume of fraud over the last year is replay attacks. Simpler access to the tools used to perpetrate this fraud has enabled fraudsters to send the same fraudulent documents and biometrics over and over. Businesses need to be aware of these ‘brute force’ attacks, and have systems in place to defend against them.
What are replay attacks?
There are lots of different ways to perform a replay attack. They can happen physically or digitally, and all involve the same false information being submitted again and again.
Physical attacks involve repeatedly submitting the same identity document, but with one detail changed each time. These can often be caught thanks to inconsistencies in formatting and data validation.
But digital replay attacks are often more sophisticated and can be harder to catch.
How digital replay attacks work
There are three main ways we’ve seen fraudsters perpetrate digital replay attacks this year. Each aims to evade device and network detection on every repeated submission by:
changing the device information;
changing the network information/conditions; or
sending fraudulent information to the identity verification system.
They can be performed on mobile or desktop devices, each of which offers fraudsters different attack vectors to exploit. And they can easily be automated and run many times over.
How to protect against replay attacks
Replay attacks are easier to do on desktop than mobile because desktop devices are naturally more vulnerable to malware. You’ll notice that while you can often fall foul of viruses on your computer, you’ll almost never get one on your phone.
On mobile, iOS offers more protection than Android. That’s because Android devices have a Developer mode which allows certain system behaviours to be overridden and modified. This might be handy for some users, but it leaves them more open to attack. Likewise, Android devices need to accept different types of camera software, which provides multiple potential routes in for fraudsters.
By contrast, the more rigid iOS doesn’t allow device controls to be bypassed, or information to be sent to other applications without the user’s knowledge.
The future of replay attacks
But devices also contain a lot of information that, if used well, could help us head off replay attacks.
Biometric signals are limited – once you’ve worked through selfie and video liveness, there are only so many other unique biometrics you can capture to cross-reference an identity. While layering on things like fingerprints and iris scanning can add more certainty, they also add more friction.
Instead, device information could be used to match against and sense-check biometric information. There’s a lot of information a mobile device can give you via an SDK – like time, GPS, accelerometer, barometer, metadata, browser information and so on. Comparing something like time of day with the amount of light in a selfie could help determine whether an image is likely to be fraudulent or not. But while these types of fraud prevention techniques are still a developing field, they’re one IDV professionals are watching with interest.
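The pattern described under ‘How digital replay attacks work’ (the same artefact resubmitted while device or network details change) together with the device-signal sense-check in the paragraph above, as an added example written for this article rather than code from the original post or any vendor SDK. The `Submission` schema, the `ReplayDetector` class and the brightness/time thresholds are assumptions, and the sample submissions are constructed.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Submission:
    """One identity-verification attempt as seen by the back end (constructed schema)."""
    submission_id: str
    device_id: str          # device fingerprint reported by the SDK
    ip: str                 # network address the upload arrived from
    captured_at: datetime   # capture time reported by the device (local time)
    mean_brightness: float  # 0.0 (black) to 1.0 (white), measured on the selfie frame
    document_bytes: bytes   # uploaded document image


def content_fingerprint(data: bytes) -> str:
    # Exact-match fingerprint of the uploaded artefact. A perceptual hash would also
    # catch re-encoded or lightly edited copies; SHA-256 keeps the example short.
    return hashlib.sha256(data).hexdigest()


class ReplayDetector:
    """Flags the same document being resubmitted under changing device/network context."""

    def __init__(self) -> None:
        self.seen: dict[str, list[tuple[str, str]]] = {}  # fingerprint -> [(device, ip)]

    def check(self, s: Submission) -> list[str]:
        flags: list[str] = []
        fp = content_fingerprint(s.document_bytes)
        prior = self.seen.setdefault(fp, [])
        if prior:
            # Same artefact seen before: record which context the submitter varied.
            if any(dev != s.device_id for dev, _ in prior):
                flags.append("replay:device_changed")
            if any(ip != s.ip for _, ip in prior):
                flags.append("replay:network_changed")
            if not flags:
                flags.append("replay:same_context")
        prior.append((s.device_id, s.ip))
        # Sense-check from the article: a bright, daylight-looking selfie reported as
        # captured at night. The daytime window (06:00-20:00) and 0.6 cut-off are assumed.
        if not (6 <= s.captured_at.hour < 20) and s.mean_brightness > 0.6:
            flags.append("suspicious:brightness_vs_time")
        return flags
```

Each flag is a signal for a risk engine to weigh, not a verdict on its own; a legitimate user retrying from a second phone will also trip the device-changed flag.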