André Ferraz, CEO at Incognia, a “privacy-first” innovator in location technology, enabling “frictionless” zero-factor authentication for mobile, recently commented on why location spoofing is critical for crypto companies amid sanctions on Russia.
He talked about why it is important to keep track of users’ activities on financial services apps and how it is becoming increasingly difficult to monitor online activity due to VPNs and other online tools.
Our discussion with André Ferraz is shared below.
Crowdfund Insider: Why is location spoofing a critical element for bad actors in the attempt to evade sanctions on Russia?
André Ferraz: The US Treasury recently sent out a Financial Crimes Enforcement Network (FinCEN) Alert to financial services companies to be on the lookout for financial transactions involving IP addresses in Russia, Belarus and other jurisdictions with AML/CFT/CP deficiencies or using IP addresses previously flagged as suspicious.
This alert is targeted at identifying fraudsters trying to circumvent and evade sanctions on Russia using financial services apps from Fintechs, banks and cryptocurrency companies.
Given this heightened attention on identifying and restricting financial transactions based on user location, bad actors are looking to use techniques to hide their true location. In today’s digital world, accurately identifying the location of a user is increasingly challenging given the easy access to location spoofing tools.
Crowdfund Insider: Can you discuss the top ways in which fraudsters spoof their location?
André Ferraz: Many users know about and have used Virtual Private Networks (VPNs) to obscure their true location online in order to gain access to services that are restricted for the user’s true location.
VPNs and proxies hide the IP address of the user and fool systems that check for IP addresses in order to assess a user’s location. The difference is that a proxy runs at the application level and a VPN runs at the operating system level. However, faking IP addresses through the use of VPNs or proxies is table stakes for location spoofing.
With the rise of ride-sharing apps and location-based massively multiplayer online role-playing games (MMORPGs), GPS spoofing apps have become widely popular and available. These apps not only enable gamers to fake their position but can be used for fraud. Fraudsters using GPS spoofing apps don’t need to have sophisticated skills – they just need to put the device in developer mode to activate GPS spoofing apps.
More sophisticated techniques for location spoofing include the use of mobile emulators, instrumentation tools and app tampering. These techniques enable manipulation of the device data such as geolocation information.
Mobile emulators are typically used to emulate a mobile device for testing and development purposes; however, the same emulator can be used to adjust device characteristics to obscure and fake true geolocation information.
Similarly, tools such as Frida, a dynamic code instrumentation toolkit, primarily used by testers and developers, are now being used by fraudsters to fake geolocation. Finally, app tampering involves modifying the compiled code of an app and inserting custom code to report fake locations.
Crowdfund Insider: What red flags should crypto, Fintechs and banks be wary of to detect location spoofing attempts?
André Ferraz: Of most importance in detecting location spoofing is understanding that relying on IP address or GPS location to determine a user’s location is leaving the door wide open for fraud.
The most basic red flag for detecting location spoofing is whether a user will enable location permissions for the purposes of fraud prevention. Requesting use of location permissions to enable fraud prevention is an excellent filter of legitimate users and fraudsters.
Fraudsters will never want to share their true location and will be in the minority of users who opt out from enabling location permissions, whereas the majority of legitimate users (85% or higher) willingly share their location when the purpose of fraud prevention is clearly communicated. Other red flags are detection of use of mobile emulators, and whether a device is rooted or jailbroken.
Watchlists are also an important tool in detecting devices and locations associated with fraud and cybercrime. Given that the average user has over 80 apps on their device, when apps tap into network watchlists they are able to share insights on users, devices and locations associated with fraud.
Crowdfund Insider: Why is user location behavior a critical element of KYC?
André Ferraz: Every user has a unique location behavior pattern, like a location fingerprint. Unlike static credentials that are easily stolen or faked, each person’s unique location behavior pattern is dynamic and constantly changing, making it virtually impossible to mimic or forge. When a new user signs in for a new account on a financial services app, one of the pieces of information requested as part of KYC is the user’s home address.
A simple match of the user’s stated home address and their current location provides a very accurate risk assessment of whether the user actually lives at the address they provided. Analyzing data from the more than 150 million devices with Incognia deployed indicates that 85%+ of users open accounts from home.
Crowdfund Insider: Can you elaborate on how location spoofing has increased in use across industries including crypto and banks due to sanctions on Russia, and in general on gaming, social networks, etc.?
André Ferraz: The economic sanctions on Russia have put the spotlight on financial services apps. In today’s interconnected world, users have easy access to apps that can instantaneously transfer money around the globe.
While KYC and AML regulations are aimed at detecting fraud online and include validation of address, bad actors are motivated to create fake accounts for the purposes of moving money in violation of the sanctions with the prospect of high financial returns.
The rapid rise of cryptocurrency represents a whole new front in the war on fraud. With no inherent geographic boundaries, cryptocurrency apps are particularly vulnerable to users faking location. During this time of economic sanctions extra vigilance is needed to assess the true location of cryptocurrency users in order to detect bad actors.
While cryptocurrency apps are a prime target for location spoofing, fraudsters are also profiting from faking their location in gaming and delivery apps. For gaming, fraudsters use location spoofing to collude on online games.
A gaming app with over 70 million users detected and blocked over 50,000 accounts using location spoofing. Also, for delivery apps, drivers are using location spoofing to share accounts between drivers and also to fake location to optimize and game the systems that determine which drivers get which orders.