TransUnion Fraudcast Episode 2: Deepfaking Document Verification with Erich Lambert

Jason Lord:
Welcome to the TransUnion Fraudcast, your essential go-to for all the absolute linkages between the day’s emerging fraud and authentication topics, trends, tropes and travails delivered with all the straight talk and none of the false positives.

I’m your host, Jason Lord, VP of Global Fraud Solutions and a 15-year veteran of the fraud and marketing ecosystems.

If you’re tuning in for the first time, let me give you a quick overview.

Each episode we narrow in on a specific subtopic within the fraud and authentication universe, bringing on a special guest to help us dive in while keeping it high level enough that you don’t need a PhD in data, or linguistics for that matter.

We’ll be talking about deep fake AI and its implications for document verification.

So, new account fraud –– or sometimes called phantom fraud –– is a type of deepfake that has already resulted in fraud losses of roughly $3.4 billion, according to FinTech Futures. With phantom fraud, fraudsters create a completely new identity using a forged birth certificate or driver’s license and prepaid SIM cards.

They then use these fake identities to open new accounts with a legitimate telecom provider and use deepfakes to give it the face of a person who doesn’t really exist, with their real telecom account and their fake identity.

They can then receive codes to beat all kinds of protections, including one-time passcodes, KYC and two factor authentication –– and use of these deep fakes is exploding.

It’s a 330% increase year-over-year according to DeepTrace.

And yet further fewer than 30% of businesses have a plan to combat deepfakes.

In fact, many document verification solution providers in the market today are completely unable to detect and mitigate deep fake fraud because they rely either solely or mostly on determining the authentication of the document through biometrics through visual inspections, which can easily be mimicked by deepfake technology.

So does this spell the end of document verification as we know it? Here to discuss this and much more is Erich Lambert, who has spent over a decade focused on fraud mitigation and identity resolution, with much of that time managing public response for several of the world’s largest data breach events.

Erich, welcome to the Fraudcast.

Erich Lambert:
Looking forward to the discussion.

Jason Lord:
Alright, so let’s start here. Where are document verification solutions used most often and what are they trying to solve for?

Erich Lambert:
You know that this is one of the one solution that can pretty much be used throughout the entire customer journey.

But what we see is the bulk of our clients and the bulk of the industry I think is using this as sort of a final step up.

It keeps the client engaged or the consumer engaged, if you will, and it gives the bank or the institution who’s requesting it sort of that ability to send out an engagement in session and say hey, we’re almost done, just need you to verify this is Erich –– for example.

And so a link would be sent out at that point and allow the client to go through and upload the document.

Take the selfie and then that pulls it back in.

So it’s sort of the end of the authentication step point of the application process, but I wouldn’t leave it there.

Like I said, this is a tool that can be used pretty much throughout the customer journey.

It could even be the beginning of the customer journey.

So when you first start, why not use the document itself to sort of start that application process? If the consumer gives you permission.

If you have pretty robust tool, it gives you a lot of capabilities to utilize it.

Jason Lord:
And I imagine with a lot of interactions moving to online only or online majority, you’re probably seeing a lot more of this technology being used ever than ever before.

Erich Lambert:
Yeah, it’s interesting. I was part of the team that helped build this up for TransUnion goodness.

This was probably five years ago and at the time there were a handful of vendors that were out in the market providing the service.

Today there’s a number of them, and it really is expansive depending on the application, meaning that sometimes you don’t need all of the images to be taken.

You don’t need the front, the back and the selfie if you’re in an in-person environment.

You can still use this, but if I’m standing in front of a banker, would they really need to for me to take a picture? Probably not.

They can verify that just visually in front of me, so it gives a lot of functionality and a lot of flexibility to our clients to be able to pull and choose when and how to utilize the service.

Jason Lord:

When we talk about deepfakes in AI and you speak to the clients and prospects, how concerned are they about deepfakes and their abilities to fake out the biometric authentication measures?

Is this a well-known, or a well-understood problem?

Erich Lambert:
I don’t think it’s a well-understood problem yet.

There’s a lot of concern around it. There’s a lot of press around it as well.

In fact, there was a great article that was released yesterday on LinkedIn from Frank McKenna on fraud.

He recorded a session and then the application actually translated it and his mouth movement and everything to French and Spanish.

It was really interesting, and when you look at the actual images and look at his mouth and how it’s moving, it looks realistic.

So I don’t think there’s been enough research to say how incredibly important or concerning is this going to be in the future.

Everybody’s looking at it. We heard recently, actually yesterday, as well.

I think Elon Musk and others were in front of the Senate talking about AI. So there’s a lot going on right now.

It is one of those emerging fields, both on the good side and bad side of fraud, if you will.

Jason Lord:
And knowing fraudsters who will find any loophole and exploit as much as possible.

If it’s not well understood by the industry and it’s as easy as we’re describing here, no doubt we’re going to be seeing a lot more of this type of fraud in the near future.

Erich Lambert:
Yeah, I would agree with that.

Even if you go back a couple of years, we saw a huge increase in the online movement.

Everybody was staying home, had to sort of transact with their banks via mobile or via web –– and through that we also saw the proliferation of this capability out there.

Even back at that time, we were seeing good fakes come through.

The licenses look good. The images look good, but that was sort of just the beginning of it.

In the future, I can only imagine that you can get a selfie that looks almost so realistic to Erich Lambert being right in front of you that it would allow you to get, you know, say wow…is this really him or not?

And can the technology break that?

Can it actually look into it?

So it is going to be one of those things that we’ve got to watch how to play with, how to work with.

But I think it also falls back to there’s not any singular point solution that can solve all the fraud.

So that’s where we talk to our clients and really go in and say look, there’s capabilities that you’ve got to look at layering, really looking at all of the tools in your fraud stack and how do those play with each other.

If you don’t mind, I’ll give you a quick example of how that looks. Take document verification on its own, much like a lot of the other services in the industry.

We look at the front of the license, we look at the back of the license and then we compare the selfie to the image that’s on the license itself, most of the time that catches good fakes because there’s stuff in the materials or the holograms or you know what we’re looking at the format of license that we can usually throw a signal and say, hey, this looks a little bit odd.

You need to do a little bit deeper investigation on it, but it still will allow good fakes.

Really good fakes to come through.

And if you’re only looking at that singular point of that solution, you’re going to let fraudsters come through. What we did on our side is also creating what we call triangulation of the service.

So what that means is we took the response that we got back in the document back on the selfie and then paired that with our other solutions that are built into this core capability, which is looking at the device and also looking at the identity itself.

Jason Lord:
When you say looking at the device, what types of what types of signals are you looking at?

Erich Lambert:

So it’s interesting, I mean, if you’re holding your device and you go into the settings, you can look at all the configuration that’s on that device itself.

We pierce even deeper within that.

So think of every capability that you’ve got to know within that device.

The huge thing on our side that’s driving a lot of our capabilities though is the consortium that all of our clients report back into.

And so what that means is if I, Erich Lambert, am a fraudster and I transacted at a bank down the road and I charge off, they can go back in and play evidence.

They now flag that device as being fraudulent.

Well, now if I go to the bank down the street and try to transact again online in there, using our tool they can see that the other bank already flagged my device as potentially risky or risky.

And at that point, it allows that bank to do a little bit more investigation on it or slow down the transaction, if you will.

So that’s a core component that’s built into this document verification solution and brings together the whole triangulation.

The one aspect though that yeah, a lot of people don’t look at is the identity itself.

And so that’s really where the strength of TransUnion comes into play, because not only do we have the credit bureau credit header–related data on all of the consumers out there, you also have a lot of alternative data that’s available, and so on that license, when we take the front and take the back, we’re scraping the data out of the back of that license and then we say, hey, let’s run that through our identity verification.

Do we have a match on the bureau? Do we have a match on the alternative data?

And if we do that, then gives you additional insight, additional clarity and make a better decision on that.

So I’ll give you an example here of how triangulation works.

If the license comes through and it’s an incredible fake and actually bypasses the document scan and we know there’s some fraudsters out there using the right materials, everything they’re going to get through the service, that’s going to come through as a pass.

If he’s done a good job, maybe his device comes through as a pass as well.

Unless he’s been flagged by some of these other clients.

But then when the identity comes across that allows us to go through and say hey, wait a second, these elements don’t really match up.

There’s not any individual you know on the bureau records or alternative records that has all of these different attributes meaning first name, last name, address, date of birth.

Those things that you found on the license that are truly combined and now it looks like these things are being mix between multiple consumers.

So even though the device might come through clean, even though the license might be able to come through clean, that identity check now throws a flag that allows the investor and you to say wait a second, something’s just a little bit wonky here. Let me do a little bit more due diligence.

And it’s funny because one of our clients, this was a couple of years ago, we went through and they asked us to investigate some of the transactions that were coming through on their side.

And again, the license looked perfect, the device was okay at first.

And then the identity was just marking way off the score, meaning that it didn’t match anything on that point.

So we then went back and were able to take the device tag and do a little bit more research deeper on just that device.

And we found five more transactions associated with that device.

They were all document verification uploads, and what was interesting is we were able to tie it back and we pierced through the IP that was coming through and actually saw that instead of it coming from Dallas or Chicago, which was the state of that IP, our device signal actually was allowing us to see this is coming from Lagos, Nigeria.

Once we did that, it gave us a great opportunity to say, hey, this is a risky device that’s coming from overseas and now help that bank slow down the transactions coming through and stop them.

Jason Lord:
You know, it’s interesting what you say because as I talk to more and more fraud experts on a variety of issues, not just this issue, it feels like triangulation is the motif we keep coming back to when we have these single-threaded approaches to fraud or authentication.

Inevitably, a fraudster will find its way around the barrier.

So it sounds like what you’re saying is an effective approach involves not just a visual inspection or the biometrics aspect, but also device reputation.

So it has this device associated with fraud in the past, and also PII or identity information.

Does this match the information that’s provided, and does it match a real person existing in the world? Did I get that right?

Erich Lambert:
Yeah, spot on. So it’s really relying not on any singular decision, but the aggregated group of that.

So even though our core document verification solution does combine all of that for a client or a bank or an institution that doesn’t have that capability, leverage the stack that you’ve got and don’t rely on any singular solution to make that final decision.

Understand what’s going on within the stack and how each one of the solutions –– you’re utilizing this sort of ranking, that long transaction coming through.

So it does provide a lot of power by really looking across what does everything telling you versus just this one thing.

Jason Lord:
So let’s come back to the market problem and be a little catastrophic for a second.

So if we assume that a lot of organizations don’t fully understand this problem and we are seeing the rise of deepfake technology, what do you think that portends for the next year or so?

Will document verification for a lot of organizations become unreliable and, if so, what does that mean for them?

Erich Lambert:

So if you are relying on a solution that’s only looking at is the document good, then quite possibly you are going to see deepfakes get through.

You’re going to see good fraudsters get through, just like we did on ours –– on the actual document check itself.

But if you’re relying on a solution that does what we’ve been talking about, that triangulation looking across three or multiple services to make that final decision, it really limits how deep a fraudster can go.

It limits because it at some point they’re going to make a mistake.

It’s not fail-proof and will still allow certain people, certain great fraudsters, get deepfakes possibly…but it makes it incredibly difficult for them.

And so I don’t think there’s any fraud fighter out there that would say hey, I can stop fraud 100%. It’s almost impossible. So at that point, how do you limit what the fraudsters can actually get into and stop?

And that’s by looking at the entire circle out there.

So if you’re looking at singular points solutions, yeah, it is going to be a little bit rough in the future if you start combining them.

Jason Lord:
Well, that point about 100% of fraud is interesting too, because presumably you could tighten the aperture tightly enough that no fraud would get through, but then the customer experience would be terrible, right?

Erich Lambert:
Horrible.

Jason Lord:
Your conversion rate would decrease, your false positive rate would go up, and so as you think about putting these checks in place, presumably you need to think not just about preventing fraud, but also how do you find more of the good transactions and let them through with less friction?

Erich Lambert:
That’s exactly right.

And so that triangulation comes back into play for the customer experience as well.

Let’s say you’re dealing with a slightly damaged driver’s license.

We all have them. We don’t really take care of them too well, that’s going to come through and potentially be scored as risky because it might have a little nick taken out of it.

And again, if you’re only relying on that one solution, you now have the potential of classifying a good consumer as bad that could be detrimental to your organization, definitely to that consumer, because they’re reaching out trying to get this credit or this product, and now you’re telling them no, just because their license is slightly damaged.

But in person you would say, yeah, this is Erich Lambert. I see his license. It feels right.

Everything’s right now that we layer in the triangulation, we could say his device is really good.

There’s no risk associated with it. We have an exact match on his identity, and there’s no identity concerns associated with this.

Now it allows that fraud investigator say this is actually a good consumer. I don’t want to stop them.

Jason Lord:
Makes sense.

Erich Lambert:
I want to actually help them and move through the process so that triangulation helps with stopping fraud, but it also helps with improving the customer experience.

Jason Lord:
Well, I feel like we understand the problem and I feel like we have an idea of what the solution is, which is using multiple signals that are not just about visual inspection.

Also, including device reputation and identity checks. So that’s already very helpful.

As you think about the document verification issue and then the larger fraud issue, and you talk to customers and prospects, if you had to give one piece of advice to the organizations you talk with, what would that piece of advice be?

Erich Lambert:
Well, I don’t know if I’ve got a singular point…except for, rely on your entire stack.

Look at everything that you’re utilizing.
Reevaluate everything that you’re utilizing.

Does it pair together? Does it give you consistent signals throughout the customer journey? And if not, improve upon that.

But if you’re limiting yourself to, basically, technology that was great two years ago, five years ago –– fraudsters aren’t. They’re using the latest, greatest stuff out there, so just like we saw, we have fraud fighters out there using AI.

You’ve got to absolutely understand that your fraudsters are using AI, and you’re going to see a lot of those deepfakes going along.

So don’t rely on any one decision on its own –– look at it across the factor of what you’re utilizing.

Jason Lord:
Multiple solutions. Test and evaluate. Always be fighting.

Erich Lambert:
That’s exactly it.

Jason Lord:
Well, thank you so much, Erich. I feel like I learned a lot from this. Hopefully our listeners did as well. Thank all of you for tuning in. We hope you join us for upcoming episodes.

In the meantime, on behalf of the Fraudcast, stay smart and stay safe.