The Saturday Fraud Strategist

Dark web services bypass KYC checks for $150

5 min

A year and a half ago, I wrote that for around 150 bucks, anyone could buy a service on the dark web that bypassed a KYC vendor.

People were shocked.

Today? Honestly, not so much.

Now the threat is cheaper, faster, and harder to spot. Document checks can be bypassed. Selfies can be bypassed. Even 3D liveness checks, the ones that looked unbeatable not that long ago, can be bypassed.

Not a good look.

So in this episode, I want to talk about what fraud teams actually do next. Because if your KYC fraud prevention strategy still assumes that a clean KYC pass means a clean user, you are already behind.

The answer is layering. But not the lazy version where you just buy more KYC vendors and hope one of them saves you. I mean real multi-layer fraud defense: device intelligence, behavioral biometrics, behavioral signals, identity intelligence, device telemetry, post-signup fraud monitoring, and KYC vendor orchestration used in the right sequence.

Because a KYC check is a signal. It is not a verdict.

What you’ll hear in this episode:

  • A breakdown of why KYC bypass prevention has become harder as fraud kits get cheaper and more specialized
  • Why KYC fraud checks, document checks, selfies, and 3D liveness can no longer carry the whole fraud prevention strategy
  • How device intelligence asks different questions than a KYC vendor
  • Why behavioral signals and behavioral biometrics can expose what a document check misses
  • How identity intelligence helps connect emails, phone numbers, addresses, and documentation into a more cohesive picture
  • Why post-signup fraud monitoring and high-risk user monitoring matter after account opening
  • How step-up verification can add friction only when the risk actually justifies it
  • Why KYC vendor orchestration can be useful for a small, high-risk segment
  • How fraudster ROI changes when fraud teams stop relying on a single point of failure

A practical conversation about layered fraud defense, operational blind spots, and why modern KYC fraud detection depends on connecting signals instead of trusting one onboarding result.

Who should listen:

  • Fraud leaders and fraud operators
  • Risk and compliance teams
  • FinTech teams managing onboarding and account opening fraud
  • Trust and safety professionals
  • Identity verification and KYC teams
  • Teams evaluating behavioral biometrics, device intelligence, and synthetic identity detection

Basically, if your fraud stack still depends heavily on one KYC vendor, or if device telemetry is collected but barely used, or if onboarding and transaction monitoring teams are still operating in silos, this episode is probably going to feel uncomfortably familiar.

Honestly, that stack fails every time eventually.

Episode notes:

KYC fraud detection is changing

Fraud teams need to stop treating KYC checks like a final answer.

The issue is not that KYC is useless. The issue is that fraudsters now have operational kits specifically designed to beat certain onboarding flows.

If your entire defense depends on one KYC vendor strategy, you have created a single point of failure.

Layering

Device intelligence asks different questions than document verification. Behavioral signals ask different questions than identity intelligence.

Once you combine those signals with post-signup fraud monitoring, high-risk user monitoring, and step-up verification, you start forcing attackers into a much more difficult position operationally.

KYC vendor orchestration

Using a second vendor for a very small high-risk segment can actually make economic sense.
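
A sketch of the layering and orchestration rules from this episode, added here as an illustration and not taken from the host or any vendor. The signal names, weights, decision labels and sample signups are assumptions; the 5% cap and the "KYC pass plus at least two other layers" rule come from the episode.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Onboarding:
    """One signup that already PASSED the primary KYC vendor (constructed model)."""
    user_id: str
    device_clean: bool       # device intelligence: not tampered, no prior abuse seen
    behavior_human: bool     # behavioral signals: typing/pasting looks human
    identity_cohesive: bool  # identity intelligence: email/phone/address fit the document

# Hypothetical weights: how much each failed layer adds to risk.
WEIGHTS = {"device_clean": 2.0, "behavior_human": 1.5, "identity_cohesive": 1.5}

def risk_score(e):
    return sum(w for layer, w in WEIGHTS.items() if not getattr(e, layer))

def agreeing_layers(e):
    return sum(getattr(e, layer) for layer in WEIGHTS)

def route(events, max_percent=5):
    """Decide per signup; at most max_percent of events go to a second KYC vendor."""
    budget = len(events) * max_percent // 100
    risky = sorted((e for e in events if risk_score(e) > 0), key=risk_score, reverse=True)
    second_vendor = {e.user_id for e in risky[:budget]}
    decisions = {}
    for e in events:
        if e.user_id in second_vendor:
            decisions[e.user_id] = "second_kyc_vendor"
        elif agreeing_layers(e) >= 2:   # KYC pass plus two other layers agree
            decisions[e.user_id] = "trusted"
        else:                           # watch after signup, step up before payout
            decisions[e.user_id] = "monitor_and_step_up"
    return decisions

# Constructed sample: 36 clean signups plus four that fail one or more layers.
SAMPLE = [Onboarding(f"clean_{i}", True, True, True) for i in range(36)] + [
    Onboarding("u_a", False, False, False),  # fails every layer, score 5.0
    Onboarding("u_b", False, True, False),   # device + identity, score 3.5
    Onboarding("u_c", True, False, True),    # behavior only, score 1.5
    Onboarding("u_d", True, False, False),   # behavior + identity, score 3.0
]

if __name__ == "__main__":
    for uid, decision in route(SAMPLE).items():
        if not uid.startswith("clean_"):
            print(uid, decision)
```

With 40 signups the second-vendor budget is two, so the third-riskiest signup falls back to post-signup monitoring and step-up verification instead of a second KYC check.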

Key takeaway:

Fraud is economics.

A $150 bypass kit only works if the math works for the fraudster. Every layer you add is a tax on fraudster ROI.

Stack enough of them, and maybe they take their business somewhere else. At least that is the idea.

Am I being too optimistic here? Probably.

But that is still the game.

Episode transcript
Chen Zamir
00:09
A year and a half ago, I wrote that for 150 bucks, anyone could buy a service on the dark web that bypassed your KYC vendor. People were shocked. Today, nobody's shocked. It's just another Tuesday. Actually, actually, today, it's even worse. The threat got cheaper, faster, and harder to spot. The question then is, what should fraud teams do about it? Today, I want to talk about the word layering and how it can mean several things. All of them are worth considering.

So let's get the easy part out of the way. Document checks can be bypassed. Selfies can be bypassed. 3D liveness checks, the ones vendors who were unbeatable just two years ago, can be bypassed. The going rate is $150 to $600 per verified account, depending on the vendor and how many checks need to be bypassed. The fidelity is good, really good. I've seen examples of fraudsters generating high-quality 3D video from faded 2D photos. So if you're still building your fraud strategy on the assumption that a clean KYC pass means a clean user, you're already behind. But that's the part nobody really disputes anymore.

The harder question is, now what? And the answer to "how do I stop these kits?" is one word: layering. Layering doesn't mean buy more KYC vendors. Layering means introducing different approaches, defenses that ask different questions about the user. Think about it like this. Your KYC vendor asks one set of questions: does this face match this document? Does this document pass as a genuine one? And so on. Now, let's take device intelligence as an example. It asks something completely different. Have we seen this device before? What was it doing? Was the device tampered with? Where was it located? The fraudster who beat the document check doesn't necessarily control the device the way they think they do. Different example: behavioral signals. Does this user act like a human? Typing rhythm, pasting versus typing, hesitation. I'll give you another example. Identity intelligence. Do the email, phone, and address present a cohesive identity that matches what appears in the documentation? Does it match the device intelligence? With layering different detection signals, we challenge the fraudster to a level of sophistication their tools might struggle to overcome.

Now there's also another kind of layering we can resort to, one that has to do with the sequence of our defenses and specifically monitoring new accounts and how they behave after sign-up. What is the user actually doing? Funding an account at 3am? Requesting a payout from a high-risk foreign country? If something suspicious surfaces, you should escalate it before you allow them to exit funds from your platform. Additional friction, additional verification, or a manual reviewer who looks at it with human eyes.

Now, if you've done all of that, you cover the basics, and you're starting to look at optimization. In that case, you may want to think of another layering approach that involves orchestration. Here's the thing: once you've layered your defenses, your system can do something most in skip: it can identify a small segment of users who are genuinely high risk, let's say 5% or less of your total onboarding events. That's a population worth spending extra money on. For that segment, what you can do is send those events to a second KYC vendor. Now, I realize it may sound like the opposite of optimization, but hear me out. These KYC bypass kits are designed to attack specific vendors. It's very likely that they would be much less successful against others. So not only that you run two checks, but you also run a check that the fraudster doesn't expect and isn't prepared for. And if you're able to do so quite accurately, again, targeting that small, high-risk segment, then you can really mess with fraudsters' ROI while keeping your costs relatively low.

Now let me tell you what I usually see under the hood when I look at FinTech: one KYC vendor doing all the work; device intelligence that is collected but only used, best case, for multi-accounting prevention; silo teams that manage onboarding and transaction separately. That stack fails every time, because, let's face it, the economics of fraud are getting better for the attacker every day. A stack that is designed around a single point of failure, and KYC checks are just an example, will eventually meet a kit designed to defeat that specific defense.

So if you only remember three things from this video, remember this. One: a KYC check is a signal, not a verdict. A clean pass should raise your confidence in the user, but it shouldn't close the case. Pair it with at least two other approaches before you treat someone as trusted. Two: don't treat the different signals as checkboxes you need to tick. Compare identity intelligence to your KYC results, device telemetry to known addresses. It's about cross-referencing signals and building a 360-degree cohesive view of your user. And three: if you cover the above already, consider vendor orchestration. Get the layered defenses in place first. Then, for that small, high-risk segment those signals identified, send it through a second KYC vendor. That's where the extra cost can earn its keep.

Remember, a 150 bucks kit only works if the math works for the fraudster. That means that every layer you add is a tax on their ROI. Stack enough of them, and they take their business somewhere else. And that's the whole game. I'll see you in the next one.
Host
Chen Zamir
Head of Fraud Strategy