TABLE OF CONTENTS


This article gives an in-depth explanation of anti-tampering, anti-fraud, and biometric checks conducted on an individual and their ID document as part of the electronic identity verification (EIV) process. These checks help to ensure the authenticity and legitimacy of individual identities and their associated ID documents.


Anti-tampering

The anti-tampering report employs data integrity, visual authenticity and database record checks to verify identity documents such as passports, national ID cards and driver's licences. The report can also compare the data extracted from the document with data provided by the end user in other capture tasks or the workflow input data, as an additional way of identifying potential discrepancies and fraudulent documents.


The majority of Document reports are automated and processed in seconds. If, however, our third party encounters document images that use sophisticated counterfeiting techniques, or the capture is of poor quality (blurred, low resolution, obscured, cropped, or held at an unreadable angle), our software is supported by our third party’s external expert manual review team to ensure an identity verification is subject to a thorough analysis to maximise fraud detection. Manual review can also be configured to be applied to all document verifications.


Anti-tampering Record Checks Results

The results of anti-tampering reports are generated in the form of breakdowns and sub-breakdowns. A Document report can have an overall result of CLEAR or CONSIDER.


The anti-tampering report uses the sub_result property to provide a more specific description of the overall report result. These sub-results and their meanings are described below:

  • CLEAR: If all underlying verifications pass.
  • REJECTED: If the report has returned information where the check cannot be processed further (for example, poor image quality or unsupported document).
  • SUSPECTED: The analysed document is suspected to be fraudulent.
  • CAUTION: If any other underlying verifications fail, but they don't necessarily point to a fraudulent document (for example, the name provided by the applicant doesn't match the one on the document).

Breakdowns are made up of sub-breakdowns. A breakdown will have a CONSIDER result when at least one of its sub-breakdowns contains a CONSIDER or unidentified result.


Please see the below example image that includes a REJECTED result with the sub-results listed above.



Anti-tampering Breakdown Reasons & Explanations


BREAKDOWN
SUB-BREAKDOWN(S)
DESCRIPTION
DECISION
Age validation
Minimum accepted age
Asserts whether the age calculated from the document's date of birth data point is greater than or equal to the minimum accepted age set at the account level. The default minimum age is 16 years old. 
Rejected
Data comparison
Date of birth
Indicates whether the information points extracted from the document match the information supplied when creating an applicant through the API.
Caution
Last name
Part of data validation
Suspected
First name
Part of data validation
Suspected
Data validation
Date of birth
The engine asserts whether algorithmically validatable elements are correct. For example, MRZ lines and document numbers.

It determines whether the data point is the expected length and format for this document type.
Caution
Document numbers
Part of data validation
Suspected
Machine Readable Zone (MRZ)
Part of data validation
Suspected
Gender
Part of data validation
Suspected
Expiry date
Part of data validation
Suspected
Document Expiration
Validates the expiry date extracted from a document, flagging if a document's expiry date has passed.
Caution
Image Integrity
Conclusive document quality
Measures the ability to make a fraud assessment based on the quality of the applicant's document. Applied by our third-party expert manual review team when documents are unclassifiable as fraudulent or genuine.

This includes the following sub-checks:
- Document missing back
- Digital document
- Punctured document
- Corner removed
- Watermarked digital text overlay
- Abnormal document features
- Obscured security features
- Obscured data points
Caution
Colour picture
Flags if the image is black and white. This is because black-and-white documents prevent a full fraud assessment as the majority of security features are colour.
Rejected
Image quality
Flags if there is a low-resolution image where the document information is not readable, the MRZ (Machine Readable Zone) is obscured or unreadable or vital data points are obscured or unreadable.
The most common reason for a document to be deemed “unprocessable”, is the fact that key data points might be obstructed, cropped, or not visible. Such documents are rejected for poor image quality.
Rejected
Supported document
Indicates whether the submitted document type is supported by First AML, or whether the document is issued by a country subject to comprehensive sanctions.
Rejected
Video Document Presence
Asserts whether there is at least one document with video and none of the documents has a video whose signature was checked and is invalid.
Rejected
Data consistency
Date of expiry
Indicates whether data that appears in multiple places on the document, for example in the MRZ and printed on the front, is consistent in both places.
Suspected
Document Type
Part of data consistency
Suspected
Nationality
Part of data consistency
Suspected
Issuing country
Part of data consistency
Suspected
Document numbers
Part of data consistency
Suspected
Gender
Part of data consistency
Suspected
First name
Part of data consistency
Suspected
Last name
Part of data consistency
Suspected
Date of birth
Part of data validation and Part of data consistency
Suspected
Multiple data sources present
Suspected
Visual authenticity
Face detection
Indicates whether a face was detected on the document.
Suspected
Original Document Present (ODP)
Indicates whether the provided image is an image of the original document or, for example, a photo of a photo of a document or a photo of a computer screen.
We deploy several texture analysis algorithms to detect whether or not an image contains any of the following:

- screenshots
- pictures of pictures or screens
- printouts or scans
Suspected
Fonts
Indicates whether fonts in the document match the expected ones.
The machine learning models are constantly refining their ability to recognise, categorise and distinguish between fraudulent fonts and genuine travel document font types such as OCRB.
Suspected
Picture face integrity
Flags if the pictures of the person identified on the document show signs of tampering or alteration.
We deploy a number of algorithms designed to analyse whether the picture in a document image may be a physical insertion or otherwise digitally tampered with.
Suspected
Digital tampering
Flags, when security features expected on the document, are missing or wrong and are suspected to be tampered with digitally.
We analyse a document to recognise if the document is suspected of being created digitally or digitally tampered with as opposed to being created physically or tampered in a physical manner.
Suspected
Security features
Flags if security features expected on the document are missing or wrong.
The engine is trained to pick out a number of distinct security features in each document and is supplemented by the work of our third party’s manual team of experts.
Suspected
Template
Indicates whether the document matched the expected template for the document type and country it is from.
The template breakdown is triggered by algorithms trained to recognise genuine templates and formats of documents and is supplemented by our third party's manual team’s expert knowledge.
Suspected
Other
Flags when other sub-breakdowns under visual authenticity are flagged. Returned for backwards compatibility.
Suspected
Compromised document
Document Database
Asserts whether the document is publicly available as compromised
Suspected
Repeat Attempts
Asserts whether the document has been reused in a suspicious way
Rejected
Police Record
Indicates whether a document has been reported as lost, stolen or compromised to the UK Metropolitan Police
Suspected 



Anti-Fraud

Device Intelligence & Police Record Checks

Our Device Intelligence check assesses non-document and non-biometric signals to capture sophisticated fraud, without adding user friction to an identity verification. The Device Intelligence report works alongside our anti-tampering reports capturing digital, passive fraud signals from things such as:

  • Device information (unique ID, hardware and software attributes, camera feed info, media fingerprinting & metadata etc)
  • Document data (document number and information)
  • Location of IP Address, and likelihood of any VPN or Proxy in use

We are enabling these features to help our customers reduce the risk of fraudulent activity going unnoticed.

  • Application authenticity: Helps identify potential malicious actors who may be using unlawfully obtained authentication credentials.
  • Device integrity & reputation: Helps identify behaviour that may signal fraudulent intent, such as the use of emulators or suspicious traffic from the device’s IP address.
  • Police record: Identifies if the document being submitted matches a document reported as lost, stolen or compromised by the UK Metropolitan Police
  • [Coming Soon] IP & Geolocation: Provides visibility of the City, Region and Country of the IP Address being used for the transaction, which can be compared to the individual and document country to help assess risk and potentially fraudulent activity.


Device Intelligence Check Results

  • CLEAR: The applicant used a valid device and is not associated with suspicious behaviour, indicating they are a genuine user.
  • CONSIDER: The applicant was detected to have used an invalid device or is associated with suspicious behaviour, indicating they may be a fraudulent user.


Device Intelligence Consider Reasons & Explanations 

CONSIDER Reason
Explanation
Application authenticity
Displayed if Fake network request is true.
Fake network request
When the device used stolen security tokens to send the network information.Child of Application authenticity.
Device integrity
Displayed if any of the below are true.
Randomised device
When the device provided false randomized device and network information.Child of Device integrity.
Emulator used
When evidence is found that an emulator was used.Child of Device integrity.
Multiple devices used
When the associated document and biometric media weren't uploaded from the same device.Child of Device integrity.
IP reputation
When there is highly suspicious traffic related to the IP address.Child of Device integrity.


Police Record Check Results

  • CLEAR: The applicant used an ID document that has not been reported to the UK Metropolitan Police
  • CONSIDER: The applicant was detected to have used an ID document that matches a document reported as lost, stolen or compromised by the UK Metropolitan Police


Biometrics

Our biometrics and facial similarity reports compare the most recent live photo, live video or motion capture provided by an applicant during an identity verification flow to the face on their most recently captured identity document (such as passports, driving licences or national ID cards).


Where the document has two sides, we will search both sides of the document for a face. Biometrics reports are designed to prove identity document ownership so that only the owner of the identity document can use it to verify their identity and access services.


In addition to extracting images and data from identity documents, Facial Similarity Motion provides added security for high-risk users or transactions, in a fully automated fashion. In addition to confirming a user's face matches their document upload, Motion also assesses liveness by asking users to complete a simple head turn pattern in both directions.


Biometric Motion Check Results

The result for Biometric reports can be CLEAR or CONSIDER, returned in the output object of a Studio workflow run. The report result is determined by the results of individual breakdowns and sub-breakdowns.


Please see the below example image that includes a CONSIDER result with the sub-results listed above.

 

Biometric Motion Consider Reasons & Explanations

BREAKDOWNSUB-BREAKDOWN(S)DESCRIPTION
Visual authenticityAsserts whether the person in the motion capture is real (not a spoof) and live.
Spoofing detectionContains a score value between 0 and 1 which expresses the likelihood that the motion capture is real, where 0 represents a spoofed capture and 1 represents a real motion capture.
Liveness detectedAsserts whether the head turn completion pattern was executed correctly.
Face comparisonAsserts whether the face in the document matches the face in the motion capture.
Face matchContains a score value between 0 and 1 which expresses how similar the face in the document image and motion capture are, where 1 represents a perfect match.
Image IntegrityAsserts whether the quality and integrity of the uploaded files and the content contained within them were sufficient to perform a face comparison.
Face detectedAsserts that a single face of sufficient quality was found in both the document image and the motion capture.

Source Integrity

Asserts whether the source of the live photo is trustworthy. For example, it has not been digitally tampered with or was not taken from a fake webcam. This sub-breakdown also asserts whether the applicant's document is issued by a country subject to comprehensive sanctions.