In the restaurant biz, CCPs or "Critical Control Points" are key individual steps in the food handling process to ensure that quality, safe food reaches our plates (good), or when not followed, can lead to potential spoilage and sickness (bad).
We all agree that we want our Sushi Chef to wash his hands before serving up a jeweled slice of expensive Tuna. But the step of washing his hands (a CCP) would be a moot point if the fish was spoiled before it got to him because it wasn't maintained at cold temperatures (another CCP) since being caught. As such, the successful operation of the sushi restaurant is reliant upon all CCP steps being followed, in the linear flow of food through the entire handling process chain.
A bank's customer identity authentication process has its own Critical Control Points as well.
While it is essential to perform a database check (CCP) to verify the information printed on a customer's ID document (e.g., government issued Driver License or Passport) before they are allowed to open a deposit account, apply for a loan, or to make an external money transfer, that data-only verification process is missing its essential precursor CCP -- the authentication of the PERSON behind that data and of the identity credential document itself.
At UVeritech, many of our customers become our customers because they experienced fraud and loss due to insufficient customer identity authentication processes. A common scenario would be where a front-line teller or loan representative scans or inputs the information from a person's ID into their "software" which consists of a credit check or other KYC database.
There are two immediate red flags in this process:
1) The ID document could be a fake, sourced from any number of online vendors, or via DarkNet Markets. Often, fakes like this can cost less than $100.
Try it: Google "how can I get a fake ID?".
2) Easy-to-obtain, cheap ID’s these days are almost all of very high quality. Such good quality, in fact, that a physical, visual inspection by a human is typically insufficient to determine an ID's authenticity.
States and countries continually revise / upgrade their issued ID documents to incorporate new covert security features (invisible ultraviolet and infrared fluorescing symbols, microprinting, encoded PII in 2D and 3D barcodes, etc) that are all now only detected by machines. In addition, this constantly changing of document designs makes it nearly impossible for any individual to truly know how to authenticate any identity that is presented to them.
As such, the fraudster could easily present a fake ID that passes human inspection muster, and the transaction continues to the next step. If the data on the fake ID matches an existing account, then the criminal could do all sorts of "account takeover" damage, such as wiring out funds, taking out loans, etc.
Fraudsters could also open new accounts with this fake ID and be confident that the data on the ID will match data in a credit check, etc system. How is this possible? The bottom line is that a failure has already occurred to allow fake data to be input into a credit check or other database system in the first place to create a Synthetic Identity.
Synthetic Identity is created by the Fraudster using these three general steps:
1) A fraudster, by means of a data hack or successful phishing, obtains components of a real person's identity -- their name or social security number or address or phone number, etc. This real data is combined with fake data to create an entirely new identity, which is then embedded on a physical fake ID with the fraudster's photo.
2) This "fake data" identity can be implanted into databases via fraudulent loan applications. The initial application will fail because there is no credit history to the account, but that initial application nonetheless establishes an identity and profile into the system.
3) Follow up attempts (small loans) eventually succeed, and the fraudster cultivates this synthetic identity over time, leading to a longer (and better) credit history and score, ultimately leading to one final fraudulent transaction (large personal loan, auto loan, etc) that they then "bust out" and have no plans to pay back.
(More information and insights can be found in our blog post "Synthetic Identity Fraud Challenges faced by Auto Dealers and Lenders". The article directly speaks to the pain and loss experienced by auto dealers, but the fundamental lessons are applicable to all banks / lenders.)
To recap, this incident of fraud was only made possible by skipping over the fundamental first "CCP step" -- to authenticate the identity of the actual person behind the data, before cross-checking that data with KYC platforms.
Partner with a Leader and prevent fraud through all the proper CCP Steps
Here at UVeritech, we want to help your company achieve every essential CCP step in your customer identity authentication process. We've been battling fraud and helping our customers prevent against loss and fines for over 2 decades. We have millions of authentication scanners deployed throughout the United States, at retailers, airports, banks, casinos, auto dealers, and numerous other industries. We employ the world's best document authentication hardware and software technologies to ensure you truly know your customer before they become your customer.