Spotting a bad actor
The good news is that the majority of the people who submit their documents are legitimate people just going about their day. Because of this the majority of submissions are valid and straight forward, this makes them easy to approve and trains your team at the same time.
There are a variety of ways bad actors try to bypass security controls, fortunately, Validation helps our merchant partners catch a lot of them, a few real examples are below along with some high level insights.
Bad actors who do try to fool you usually stand out and are easy to spot, we’ve found that most will fall into one of 5 categories:
Hold The Phone
Of Course I Have ID
We’ll take a look at each of these one by one below, but keep in mind that this is not a definitive list of the type of bad actor you may encounter.
Bottom line, when in doubt play it safe. Ask for documents a second time, or decline the transaction.
“Hold The Phone
This is a more classical skilled form of fraud whereby the bad actor is manufacturing physical and digital ID with a photo editing program, a printer and photograph paper. The digital equivalent would be to take a picture of ID on a computer screen.
This helps illustrate the importance of a selfie when requesting documents.
Each piece of documentation you request is another piece of the puzzle.
“Of Course I Have ID”
For any merchant partners who sell age restricted products or services, a strategically placed thumb or finger to hide a birth date is likely something you’ve seen before.
Of course, covering the entire information section of the ID raises other questions, especially if you are verifying a second document and comparing first and last names, for example, if you are preventing an account take over, this submission would not be passable.
This is similar to the “Old School” fraud, but in this case, we’re looking at a picture of a bank card and a picture of a woman on a phone, held by a man.
Pictures of credit cards are often phished by bad actors, or images are compromised when various companies who have requested documents using less secure methods have been hacked. Pictures of the victim or a random person with the same name is found and presented as the person in the selfie.
Make sure to look for any evidence that the documentation is not physically possessed by the client.
When a bad actor has a single piece of ID and is looking to do some bad acting, they may try to trick the you and force a static image through their webcam.
When the bad actor tries this, the series of pictures at the bottom appear nearly static. When looking at the large images you will notice that pictures may jump around a bit, not move at all, or movement may look ‘off’ These are all reasons to fail a submission.
When in doubt, ask again. If the submission is the same after a period of time, chances are you should fail the submission.