TABLE OF CONTENTS
This article gives an in-depth explanation of anti-tampering, anti-fraud, and biometric checks conducted on an individual and their ID document as part of the electronic identity verification (EIV) process. These checks help to ensure the authenticity and legitimacy of individual identities and their associated ID documents.
Anti-tampering
The anti-tampering report employs data integrity, visual authenticity and database record checks to verify identity documents such as passports, national ID cards and driver's licences. The report can also compare the data extracted from the document with data provided by the end user in other capture tasks or the workflow input data, as an additional way of identifying potential discrepancies and fraudulent documents.
The majority of Document reports are automated and processed in seconds. If, however, our third party encounters document images that use sophisticated counterfeiting techniques, or the capture is of poor quality (blurred, low resolution, obscured, cropped, or held at an unreadable angle), our software is supported by our third party’s external expert manual review team to ensure an identity verification is subject to a thorough analysis to maximise fraud detection. Manual review can also be configured to be applied to all document verifications.
Anti-tampering record checks results
The results of anti-tampering reports are generated in the form of breakdowns and sub-breakdowns. A Document report can have an overall result of CLEAR or CONSIDER.
The anti-tampering report uses the sub_result property to provide a more specific description of the overall report result. These sub-results and their meanings are described below:
- CLEAR: If all underlying verifications pass.
- REJECTED: If the report has returned information where the check cannot be processed further (for example, poor image quality or unsupported document).
- SUSPECTED: The analysed document is suspected to be fraudulent.
- CAUTION: If any other underlying verifications fail, but they don't necessarily point to a fraudulent document (for example, the name provided by the applicant doesn't match the one on the document).
Breakdowns are made up of sub-breakdowns. A breakdown will have a CONSIDER result when at least one of its sub-breakdowns contains a CONSIDER or unidentified result.
Please see the below example image that includes a REJECTED result with the sub-results listed above.
Anti-tampering breakdown reasons & explanations
BREAKDOWN | SUB-BREAKDOWN(S) | DESCRIPTION | DECISION |
|---|---|---|---|
Age validation | Minimum accepted age | Asserts whether the age calculated from the document's date of birth data point is greater than or equal to the minimum accepted age set at the account level. The default minimum age is 16 years old. | Rejected |
Data comparison | Date of birth | Indicates whether the information points extracted from the document match the information supplied when creating an applicant through the API. | Caution |
Last name | Part of data validation | Suspected | |
First name | Part of data validation | Suspected | |
Data validation | Date of birth | The engine asserts whether algorithmically validatable elements are correct. For example, MRZ lines and document numbers. It determines whether the data point is the expected length and format for this document type. | Caution |
Document numbers | Part of data validation | Suspected | |
Machine Readable Zone (MRZ) | Part of data validation | Suspected | |
Gender | Part of data validation | Suspected | |
Expiry date | Part of data validation | Suspected | |
Document Expiration | Validates the expiry date extracted from a document, flagging if a document's expiry date has passed. | Caution | |
Image Integrity | Conclusive document quality | Measures the ability to make a fraud assessment based on the quality of the applicant's document. Applied by our third-party expert manual review team when documents are unclassifiable as fraudulent or genuine. This includes the following sub-checks: - Document missing back - Digital document - Punctured document - Corner removed - Watermarked digital text overlay - Abnormal document features - Obscured security features - Obscured data points | Caution |
Colour picture | Flags if the image is black and white. This is because black-and-white documents prevent a full fraud assessment as the majority of security features are colour. | Rejected | |
Image quality | Flags if there is a low-resolution image where the document information is not readable, the MRZ (Machine Readable Zone) is obscured or unreadable or vital data points are obscured or unreadable. | The most common reason for a document to be deemed “unprocessable”, is the fact that key data points might be obstructed, cropped, or not visible. Such documents are rejected for poor image quality. | Rejected |
Supported document | Indicates whether the submitted document type is supported by First AML, or whether the document is issued by a country subject to comprehensive sanctions. | Rejected | |
Video Document Presence | Asserts whether there is at least one document with video and none of the documents has a video whose signature was checked and is invalid. | Rejected | |
Data consistency | Date of expiry | Indicates whether data that appears in multiple places on the document, for example in the MRZ and printed on the front, is consistent in both places. | Suspected |
Document Type | Part of data consistency | Suspected | |
Nationality | Part of data consistency | Suspected | |
Issuing country | Part of data consistency | Suspected | |
Document numbers | Part of data consistency | Suspected | |
Gender | Part of data consistency | Suspected | |
First name | Part of data consistency | Suspected | |
Last name | Part of data consistency | Suspected | |
Date of birth | Part of data validation and Part of data consistency | Suspected | |
Multiple data sources present | Suspected | ||
Visual authenticity | Face detection | Indicates whether a face was detected on the document. | Suspected |
Original Document Present (ODP) | Indicates whether the provided image is an image of the original document or, for example, a photo of a photo of a document or a photo of a computer screen. | We deploy several texture analysis algorithms to detect whether or not an image contains any of the following: - screenshots - pictures of pictures or screens - printouts or scans | Suspected |
Fonts | Indicates whether fonts in the document match the expected ones. | The machine learning models are constantly refining their ability to recognise, categorise and distinguish between fraudulent fonts and genuine travel document font types such as OCRB. | Suspected |
Picture face integrity | Flags if the pictures of the person identified on the document show signs of tampering or alteration. | We deploy a number of algorithms designed to analyse whether the picture in a document image may be a physical insertion or otherwise digitally tampered with. | Suspected |
Digital tampering | Flags, when security features expected on the document, are missing or wrong and are suspected to be tampered with digitally. | We analyse a document to recognise if the document is suspected of being created digitally or digitally tampered with as opposed to being created physically or tampered in a physical manner. | Suspected |
Security features | Flags if security features expected on the document are missing or wrong. | The engine is trained to pick out a number of distinct security features in each document and is supplemented by the work of our third party’s manual team of experts. | Suspected |
Template | Indicates whether the document matched the expected template for the document type and country it is from. | The template breakdown is triggered by algorithms trained to recognise genuine templates and formats of documents and is supplemented by our third party's manual team’s expert knowledge. | Suspected |
Other | Flags when other sub-breakdowns under visual authenticity are flagged. Returned for backwards compatibility. | Suspected | |
Compromised document | Document Database | Asserts whether the document is publicly available as compromised | Suspected |
Repeat Attempts | Asserts whether the document has been reused in a suspicious way | Rejected | |
Police Record | Indicates whether a document has been reported as lost, stolen or compromised to the UK Metropolitan Police | Suspected |
Anti-Fraud
Device Intelligence & Police Record Checks
Our Device Intelligence check assesses non-document and non-biometric signals to capture sophisticated fraud, without adding user friction to an identity verification. The Device Intelligence report works alongside our anti-tampering reports capturing digital, passive fraud signals from things such as:
- Device information (unique ID, hardware and software attributes, camera feed info, media fingerprinting & metadata etc)
- Document data (document number and information)
- Location of IP Address, and likelihood of any VPN or Proxy in use
We are enabling these features to help our customers reduce the risk of fraudulent activity going unnoticed.
- Application authenticity: Helps identify potential malicious actors who may be using unlawfully obtained authentication credentials.
- Device integrity & reputation: Helps identify behaviour that may signal fraudulent intent, such as the use of emulators or suspicious traffic from the device’s IP address.
- Police record: Identifies if the document being submitted matches a document reported as lost, stolen or compromised by the UK Metropolitan Police
- IP & Geolocation: Provides visibility of the City, Region and Country of the IP Address being used for the transaction, which can be compared to the individual and document country to help assess risk and potentially fraudulent activity. If the geolocation is different to the country of their ID Document, we'll present a warning indicating this as an indication of risk.
Device Intelligence Check Results
- CLEAR: The applicant used a valid device and is not associated with suspicious behaviour, indicating they are a genuine user.
- CONSIDER: The applicant was detected to have used an invalid device or is associated with suspicious behaviour, indicating they may be a fraudulent user.
Device Intelligence Consider Reasons & Explanations
CONSIDER Reason | Explanation |
|---|---|
Application authenticity | Displayed if Fake network request is true. |
Fake network request | When the device used stolen security tokens to send the network information.Child of Application authenticity. |
Device integrity | Displayed if any of the below are true. |
Randomised device | When the device provided false randomized device and network information.Child of Device integrity. |
Emulator used | When evidence is found that an emulator was used.Child of Device integrity. |
Multiple devices used | When the associated document and biometric media weren't uploaded from the same device.Child of Device integrity. |
IP reputation | When there is highly suspicious traffic related to the IP address.Child of Device integrity. |
Police Record Check Results
- CLEAR: The applicant used an ID document that has not been reported to the UK Metropolitan Police
- CONSIDER: The applicant was detected to have used an ID document that matches a document reported as lost, stolen or compromised by the UK Metropolitan Police
Biometrics
Our biometrics and facial similarity reports compare the most recent live photo, live video or motion capture provided by an applicant during an identity verification flow to the face on their most recently captured identity document (such as passports, driving licences or national ID cards).
Where the document has two sides, we will search both sides of the document for a face. Biometrics reports are designed to prove identity document ownership so that only the owner of the identity document can use it to verify their identity and access services.
In addition to extracting images and data from identity documents, Facial Similarity Motion provides added security for high-risk users or transactions, in a fully automated fashion. In addition to confirming a user's face matches their document upload, Motion also assesses liveness by asking users to complete a simple head turn pattern in both directions.
Biometric Motion Check Results
The result for Biometric reports can be CLEAR or CONSIDER, returned in the output object of a Studio workflow run. The report result is determined by the results of individual breakdowns and sub-breakdowns.
Please see the below example image that includes a CONSIDER result with the sub-results listed above.
Biometric Motion Consider Reasons & Explanations
| BREAKDOWN | SUB-BREAKDOWN(S) | DESCRIPTION |
|---|---|---|
| Visual authenticity | Asserts whether the person in the motion capture is real (not a spoof) and live. | |
| Spoofing detection | Contains a score value between 0 and 1 which expresses the likelihood that the motion capture is real, where 0 represents a spoofed capture and 1 represents a real motion capture. | |
| Liveness detected | Asserts whether the head turn completion pattern was executed correctly. | |
| Face comparison | Asserts whether the face in the document matches the face in the motion capture. | |
| Face match | Contains a score value between 0 and 1 which expresses how similar the face in the document image and motion capture are, where 1 represents a perfect match. | |
| Image Integrity | Asserts whether the quality and integrity of the uploaded files and the content contained within them were sufficient to perform a face comparison. | |
| Face detected | Asserts that a single face of sufficient quality was found in both the document image and the motion capture. | |
Source Integrity | Asserts whether the source of the live photo is trustworthy. For example, it has not been digitally tampered with or was not taken from a fake webcam. This sub-breakdown also asserts whether the applicant's document is issued by a country subject to comprehensive sanctions. |