A new and alarming threat to identity verification systems has emerged, as researchers at iProov 1 have uncovered an operation known as ‘identity farming’.
This scheme involves individuals voluntarily providing their identity documents and biometric data, such as facial images, in exchange for cash. Unlike traditional identity theft, where credentials are stolen without the victim’s knowledge, identity farming exploits individuals who are often in financial distress.
The practice has been observed primarily in regions where economic instability and high unemployment have created a pool of vulnerable individuals willing to trade their personal information for financial gain. Fraudsters present these exchanges as low-risk, downplaying the longterm implications.
Once these identity packages – consisting of authentic documents and matching biometric data – are collected, they are used to bypass verification systems, which are critical for financial institutions, government platforms, and other services requiring identity validation.
What makes identity farming particularly dangerous is the authenticity of the data involved. Genuine identity documents, paired with corresponding biometric data, are significantly harder to detect than forged or altered credentials, making them an attractive tool for fraudsters seeking to circumvent security protocols.
The operations behind identity farming span a spectrum of sophistication.
At the basic level, fraudsters rely on simple techniques such as static images, pre-recorded videos, or replaying legitimate interactions to trick identity verification systems. These approaches may be effective against less advanced systems lacking robust fraud detection mechanisms.
More skilled operators use tools like face-swapping software and lighting manipulation to bypass mid-level security features, such as liveness detection. For example, attackers may simulate real-time interactions by manipulating videos or using multiple devices to appear as though they are physically present.
The most advanced attackers employ cutting-edge technologies such as custom artificial intelligence models and 3D animations. These methods mimic human behaviour in real time, allowing fraudsters to bypass even sophisticated systems designed to detect anomalies in interactions, such as unnatural blinking or inconsistent movements.
Conventional verification systems are often unequipped to handle these advanced tactics. While they excel at detecting forgeries or altered documents, identity farming uses real credentials, which traditional forgery-detection algorithms cannot flag. Biometric matching systems, designed to compare facial images with identification photos, can also fall short when the data being compared is legitimate. Even advanced liveness detection systems face challenges from AI-powered attacks capable of responding convincingly to real-time prompts.
One defence against this new type of threat involves embedding enhanced liveness detection protocols into verification systems. These protocols assess whether the person interacting with the system is physically present and behaving naturally. Techniques like real-time challenge- response mechanisms, where users are prompted to perform random actions, such as turning their head or repeating specific phrases, can help confirm the presence of a real person.
Metadata analysis and embedded imagery provide additional layers of security. By examining the digital footprint of submitted credentials, organisations can detect anomalies that may indicate tampering or misuse, even when the documents themselves are genuine.
The unearthing of identity farming serves as a stark reminder that identity fraud tactics continue to evolve, often in ways that exploit both technological and social vulnerabilities. This unwelcome linking of physical documents and digital credentials should make us question whether, as an industry, we have become over-concerned about making physical documents support the convenience of digital identity. The realisation that document holders seem willing to sell their physical credentials should, perhaps, make us think again.
1 - https://www.iproov.com/press/discovers-major-dark-web-identity-farming-operation
