Identity fraud is a game of cat-and-mouse. For every new technique you develop to keep bad actors out, they’ll come up with a new way of getting around it.
A lot of those techniques are fairly rudimentary. But overall, fraud is getting harder to catch. Data from our Identity Fraud Report 2023 shows that the bar is getting higher. There’s now a greater volume of unsophisticated fraud, and the small volume of sophisticated fraud is more convincing than ever.
One area where we’ve seen an increased volume of fraud over the last year is replay attacks, which are a type of Man-in-the-Middle (MitM) attack. Simpler access to the tools needed to perpetrate the fraud has enabled fraudsters to send the same fraudulent documents and biometrics repeatedly. Businesses need to be aware of these ‘brute force’ attacks, and have systems in place to defend against them.
What are replay attacks?
There are lots of different ways to perform a replay attack. Replay attacks can happen physically or digitally, and involve the same false information being captured and resubmitted repeatedly.
Physical attacks involve repeatedly submitting the same identity document, but with one detail changed each time. Fraudsters will often try to use falsified identification documents at an airport’s security checkpoint or fraudulent documents during an employee onboarding process. These can often be caught thanks to inconsistencies in formatting and data validation.
But digital replay attacks are often more sophisticated and can be harder to catch. With these kinds of replay attacks, the fraudster “listens” in on a network, intercepts data, then changes the data and resends the initial request.
How digital replay attacks work
There are three main ways we’ve seen fraudsters perpetrate digital replay attacks this year. Replay attacks aim to evade device and network detection, repeatedly, by one of the following:
- changing the device’s identifying information;
- changing the fraudster’s network information or conditions; or
- sending fraudulent information to the identity verification system.
They can be performed on mobile or desktop devices, each of which gives fraudsters different attack vectors to exploit. They can also be easily automated and repeated many times.
Common examples of digital replay attacks include the routing of money from a payment application to a fraudster’s own bank account, or the theft of encrypted login credentials. Here’s how it works for the latter:
- A consumer tries to log in to their email account online using an encrypted username and password. Their browser sends a data packet with this information to the website’s corresponding server.
- A fraudster monitoring the network communication with special software and tools — like a packet sniffer or network analyzer — captures the data as it’s sent to the server.
- Because the fraudster is operating without the consumer’s knowledge, the user successfully logs in, checks email, and closes the browser window.
- The fraudster resends the data packet with the consumer’s credentials to the website’s server at a later time and successfully logs in to the account.
Unmitigated access to banking information, sensitive credentials, and other personal information can cause irreparable damage to an individual or business’s finances and reputation.
How to protect against replay attacks
Replay attacks are easier to conduct on desktop than mobile because desktop devices are naturally more vulnerable to malware. You’ll notice that while you can run into malware or bloatware on a mobile phone, desktop environments are especially susceptible to digital replay attacks.
One way to mitigate replay attacks is to avoid public, unsecured Wi-Fi networks. On top of that, you should always use a secure and private browser for any online activity. And when browsing, avoid page URLs that use HTTP instead of HTTPS, as the latter is much more secure and uses SSL/TLS encryption. Other preventative measures include:
- Require a session key so only the sender and the recipient have access to the specific communication
- Implement 256-bit AES encryption for all data transmission to hide and scramble your data
- Attach timestamps to the data you send to track the date and time of each transmission
- Require one-time passwords (OTPs) to protect sensitive information when recovering passwords or other critical bits of data
- Ask for a digital signature when communicating with the recipient to verify origin, status, and validity
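The credential replay walked through above, together with the session-key, timestamp and digital-signature measures in this list, as an added example that is not part of the original post: a constructed login exchange in Python in which a naive verifier accepts the sniffed packet a second time, while a replay-aware verifier signs each message with an HMAC under the session key, rejects timestamps outside a short window, and remembers nonces it has already seen. The session key, user record, window size and field names are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo values: a real deployment negotiates a per-session key
# and never ships a fixed secret in source.
SESSION_KEY = b"constructed-demo-session-key"
REPLAY_WINDOW_SECONDS = 30
USERS = {"alice": hashlib.sha256(b"constructed-demo-password").hexdigest()}


def sign_request(payload: dict, key: bytes, now: float, nonce: str = "") -> dict:
    """Client side: add a timestamp and a fresh random nonce, then sign the
    whole message with an HMAC so the receiver can check origin and integrity."""
    message = dict(payload)
    message["timestamp"] = int(now)
    message["nonce"] = nonce or secrets.token_hex(16)
    body = json.dumps(message, sort_keys=True).encode()
    message["signature"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return message


class NaiveVerifier:
    """Checks credentials only. A captured packet resent later looks exactly
    like the genuine login, so the replay succeeds."""

    def __init__(self, users: dict):
        self.users = users

    def verify(self, message: dict) -> bool:
        return self.users.get(message.get("username")) == message.get("password_hash")


class ReplaySafeVerifier:
    """Verifies the signature, rejects timestamps outside the window and
    remembers every nonce seen inside it, so one packet is accepted once."""

    def __init__(self, users: dict, key: bytes, window: int = REPLAY_WINDOW_SECONDS):
        self.users = users
        self.key = key
        self.window = window
        self.seen_nonces: dict = {}  # nonce -> timestamp it arrived with

    def verify(self, message: dict, now: float) -> tuple:
        msg = dict(message)
        signature = msg.pop("signature", None)
        if signature is None:
            return False, "missing signature"
        body = json.dumps(msg, sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(signature, expected):
            return False, "bad signature"       # tampered or forged
        ts = int(msg.get("timestamp", 0))
        if abs(int(now) - ts) > self.window:
            return False, "stale timestamp"     # too old to be a live request
        # Drop nonces that have aged out; anything older is already stale above.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if int(now) - t <= self.window}
        nonce = msg.get("nonce")
        if nonce in self.seen_nonces:
            return False, "replayed nonce"      # same packet seen already
        if self.users.get(msg.get("username")) != msg.get("password_hash"):
            return False, "bad credentials"
        self.seen_nonces[nonce] = ts
        return True, "ok"


def demo() -> dict:
    """Run the exchange from the post: genuine login, then the sniffed copy replayed."""
    t0 = 1_700_000_000.0
    login = sign_request({"username": "alice", "password_hash": USERS["alice"]},
                         SESSION_KEY, t0)
    captured = dict(login)          # what a sniffer on the path would record
    tampered = dict(captured)
    tampered["username"] = "bob"    # an edited copy no longer matches its signature

    naive = NaiveVerifier(USERS)
    safe = ReplaySafeVerifier(USERS, SESSION_KEY)
    safe_first = safe.verify(login, t0)
    safe_replay = safe.verify(captured, t0 + 5)
    safe_late = safe.verify(captured, t0 + 3600)
    safe_tampered = safe.verify(tampered, t0 + 5)
    return {
        "naive_first": naive.verify(login),
        "naive_replay": naive.verify(captured),
        "safe_first": safe_first[1],
        "safe_replay": safe_replay[1],
        "safe_late": safe_late[1],
        "safe_tampered": safe_tampered[1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Encrypting the packet hides the credentials from the sniffer but does not by itself stop a captured copy from being resent, which is why the freshness check (timestamp plus nonce) and the signature binding them to the payload do the real work here; the nonce cache only needs to cover the timestamp window, so it stays small.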
While you should follow these same practices on your mobile devices, they are rarely targeted by, or fall prey to, viruses. On mobile, iOS offers more protection than Android. That’s because Android devices have a Developer mode which allows certain systems to be overridden and modified. This might be handy for some, but leaves them more open to attack. Likewise, Android devices need to be able to accept different types of camera software, which provides multiple potential routes for fraudsters.
By contrast, the more rigid iOS doesn’t allow devices to be bypassed, or for information to be sent to other applications without the user’s knowledge.
How to spot a replay attack before it happens
Replay attacks are nearly impossible to identify as they’re happening, but the preventative measures listed above can keep your identity and sensitive information safe. In addition to those techniques, users should always try to mask internet traffic from third parties with a VPN. And when opening emails, they should be aware of phishing attacks that expose personal information with the click of a button or submission of a form.
The future of replay attacks
Certain devices may be vulnerable to replay attacks, but most also contain a lot of information that, if used well, could help us head off replay attacks.
Biometric signals are limited – once you’ve worked through selfie and video liveness, there are only so many other unique biometrics you can capture to cross-reference an identity. While layering on things like fingerprints and iris scanning can add more certainty, they also add more friction for the user.
Instead, device information could be used to match against and sense-check biometric information. There’s a lot of information a mobile device can give you via an SDK – like time, GPS, accelerometer, barometer, metadata, browser information and so on. Comparing something like time of day with the amount of light in a selfie could help determine whether an image is likely to be fraudulent or not. But while these types of fraud prevention techniques are still a developing field, they’re one IDV professionals are watching with interest.
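The device-signal sense-check described above, as an added example that is not part of the original post: a small Python routine that compares the capture timestamp and GPS longitude reported by a mobile SDK with the brightness of the selfie, and checks that the image metadata time agrees with the device clock. The luminance thresholds, the crude solar-hour approximation, the daylight window and the sample images are all assumptions constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed thresholds and constructed 4x4 greyscale "selfies"; a real
# pipeline would read the SDK's capture metadata and tune these on labelled data.
BRIGHT_THRESHOLD = 140   # mean 8-bit luminance above this counts as bright
DARK_THRESHOLD = 60      # below this counts as dark
CLOCK_TOLERANCE = timedelta(minutes=5)
BRIGHT_IMAGE = [[180] * 4 for _ in range(4)]
DARK_IMAGE = [[30] * 4 for _ in range(4)]


def mean_luminance(pixels) -> float:
    """Average grey level of a small greyscale image given as rows of ints."""
    values = [v for row in pixels for v in row]
    return sum(values) / len(values)


def local_solar_hour(capture_utc: datetime, longitude_deg: float) -> float:
    """Rough local solar hour: UTC shifted one hour per 15 degrees of longitude.
    Assumption for the demo; it ignores the equation of time and DST."""
    local = capture_utc + timedelta(hours=longitude_deg / 15.0)
    return local.hour + local.minute / 60.0


def daylight_expected(solar_hour: float) -> bool:
    """Assume daylight between roughly 06:00 and 18:00 solar time."""
    return 6.0 <= solar_hour <= 18.0


def sense_check_selfie(pixels, capture_utc, longitude_deg, device_clock_utc) -> dict:
    """Cross-check capture metadata against the image. Findings are signals
    for review, not a verdict: indoor lighting at night is perfectly legitimate."""
    findings = []
    if abs(capture_utc - device_clock_utc) > CLOCK_TOLERANCE:
        findings.append("capture time disagrees with device clock")
    luminance = mean_luminance(pixels)
    hour = local_solar_hour(capture_utc, longitude_deg)
    if daylight_expected(hour) and luminance < DARK_THRESHOLD:
        findings.append("dark image at expected daylight hour")
    if not daylight_expected(hour) and luminance > BRIGHT_THRESHOLD:
        findings.append("bright image at expected night hour")
    return {"luminance": luminance, "solar_hour": round(hour, 2),
            "findings": findings, "consistent": not findings}


def demo() -> dict:
    """Four constructed captures: one consistent, three with a mismatch."""
    utc = timezone.utc
    return {
        # 03:00 UTC at longitude 139.7 E is about 12:18 solar time: bright is fine
        "daytime_bright": sense_check_selfie(
            BRIGHT_IMAGE, datetime(2023, 6, 1, 3, 0, tzinfo=utc), 139.7,
            datetime(2023, 6, 1, 3, 0, 30, tzinfo=utc)),
        # 02:00 UTC at longitude 0 is night: a bright selfie is worth a look
        "night_bright": sense_check_selfie(
            BRIGHT_IMAGE, datetime(2023, 6, 1, 2, 0, tzinfo=utc), 0.0,
            datetime(2023, 6, 1, 2, 0, tzinfo=utc)),
        # midday at longitude 0 but a dark frame
        "daytime_dark": sense_check_selfie(
            DARK_IMAGE, datetime(2023, 6, 1, 12, 0, tzinfo=utc), 0.0,
            datetime(2023, 6, 1, 12, 0, tzinfo=utc)),
        # image metadata says noon, the device clock says an hour later
        "clock_skew": sense_check_selfie(
            BRIGHT_IMAGE, datetime(2023, 6, 1, 12, 0, tzinfo=utc), 0.0,
            datetime(2023, 6, 1, 13, 0, tzinfo=utc)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A mismatch here is a reason to route the capture for closer review or to request a fresh liveness check, not proof of fraud on its own; the same comparison extends to the other SDK signals the post lists, such as accelerometer readings against the orientation the camera reports.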