A recent survey by Pew Research found that more than 86% of Americans are now aware of cryptocurrency, and the number of cryptocurrency users is now estimated to be over 300 million. The awareness has also attracted the attention of fraudsters, with crypto fraud reaching a peak in the past year. With a wide array of fraud techniques and creative scams, fraudsters have managed not only to access and withdraw funds from victims’ crypto accounts, but also to open new accounts to use for money laundering.

Crypto app fraud has never been higher. Crime related to cryptocurrencies grew by 79% in 2021, with more than $14 billion deposited in crypto wallets being linked to criminal activity. In a recent Telegram interview, fraudsters admitted opening between 1,500 and 2,000 accounts per month on crypto exchanges using synthetic identities. These are false identities constructed from stolen personal information, and such accounts are used for money laundering or other forms of profitable crime. Today, on professional hacker forums, it is possible to buy a synthetically verified crypto exchange account for $150 and read tips and advice on how to open a new account using a fake, synthetic identity.

Know your customer and your fraudster

Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations require financial services companies to verify customer identities as part of opening a new account; however, current fraud detection leaves the door open for fraudsters on crypto apps. Balancing the need for security and stopping fraudsters at the doorstep is a challenge when trying to onboard new users as quickly as possible. Currently, one of the KYC obligations for crypto exchanges is address verification, according to the Bank Secrecy Act (BSA). In addition, crypto exchanges must have a Customer Identification Program (CIP), and one of the required pieces of information in the CIP is the address and proof of address.
Andre Ferraz, co-founder and CEO at Incognia, which provides frictionless mobile authentication to banks, crypto exchanges, fintechs and wallets for more mobile revenue and fewer fraud losses, says, “At Incognia, we took a closer look at 19 crypto mobile apps to see how they balanced security and friction by reviewing their onboarding process to see how user address is verified as part of identity verification.”

The fraudulent techniques used to pass address validation when opening a new account include:

– False and synthetic IDs – A synthetic ID consists of a combination of stolen pieces of personally identifiable information along with false information, for example a stolen SSN, address, name, and a false driver’s license. Individual ID items can be real, stolen or bought on the Dark Web; they can even come from different people, and together they combine to create a synthetic identity. Using this synthetic ID, it is possible to pass document checking with composite documents and to fool less sophisticated facial recognition systems.

– Real IDs and faces – Fraudsters pay only $7 to people who are willing to pass verification on a crypto exchange using their own real identities and genuine identification documents, and then list and deliver the account for sale.

– Location spoofing – When recruiting students to fake IDs, professional fraudsters explain another go-to and usually effective way to fake compliance: faking the cell phone’s location. Some of the instructions on dark web forums state that the perpetrators must use a virtual private network (VPN) to hide an IP address so that they can spoof their location when opening the account. So any fraudster on the other side of the world could open an account with a fake ID and pretend they are in New York City, for example. Location spoofing is an essential part of the account-opening factories, so successfully detecting location spoofing is a quick way to detect fraud. If a user fakes their address, that’s a big red flag during identity verification.
Address verification is not only for KYC compliance but is also a powerful tool to prevent fraud. During onboarding, the tested crypto apps used different techniques to verify a new user’s address and check compliance with the country of residence. The most commonly used techniques are:

– Address verification using uploaded documents – The user is required to upload an ID or document, which is read via Optical Character Recognition (OCR) so that the uploaded data can be matched with the information provided during onboarding. The information in the ID can be compared to static databases, such as those of the DMV or other agencies. One problem with relying on pinging static databases is that address databases may not be available online in many international jurisdictions. Even if directories exist, they may be incomplete and sometimes contain outdated information. The bigger problem is that most of these static databases have been leaked in the past and the data is available for purchase on online forums, making it easy for fraudsters to use this information to create accounts using fake or synthetic identities.

– IP address – This is still one of the most common ways for mobile apps to determine whether a person is opening a new account from where they claim to be, whether country of residence or zip code. The information entered by the user is matched with the location of the IP address. Today, the location is routinely faked using various techniques. There are five common techniques that fraudsters use to fake their location: VPNs, proxies, GPS spoofing apps, emulators, and instrumentation and app tampering. VPNs and proxies are the best solution for fraudsters against IP address location verification.

In the recent Incognia study, we found that the current address verification techniques used by 19 leading crypto mobile apps are one of the most vulnerable forms of KYC during onboarding.
Ten of the fourteen exchanges required the new user to enter the specified address information, and four apps required the country of residence or zip code to be entered. Yet none of the 19 apps required proof of address via geolocation or via uploaded documents such as a utility bill or credit card statement. In other countries, such as the UK, uploading a document to prove the address is required, but in the US this is usually not requested, presumably because it adds friction to onboarding. Of the ten apps that required address information, only five required a driver’s license photo, which could also be used to verify the address via OCR and link the data to a static database such as the DMV database. Usually, static information in databases is incomplete or outdated.

The requirements of KYC and AML regulations are the main source of friction for onboarding on crypto exchanges, and this is the main reason why most apps use a gentle onboarding process. This is also called progressive onboarding, an approach where the toughest part of identity verification is left until the user makes their first attempt to deposit funds or trade crypto. Notably, the two exchanges that did not support progressive onboarding and required an ID scan were also the ones with the greatest friction during onboarding.

To learn more about the techniques used by leading crypto apps for identity verification in onboarding, and which mobile apps gave users more friction, download the Incognia Crypto Mobile App Friction Report – Onboarding. This blog contains excerpts from the Incognia Crypto Mobile App Friction Report – Onboarding.