No Photoshop required
How to issue a debit card using stolen ID details
One day I decided to open a card using a “stolen identity”. Buying stolen personal details is elementary and cheap: it costs around £12 a piece. Stealing someone’s data or buying stolen details online was not in my plans, though. Instead, I asked a friend’s permission to use his details and open an account. Let’s see how easy that could be and what criminals can do with this information.
If you opened a bank account after 2017, you likely did it remotely without visiting a branch. Neobanks don’t have branches at all, and many traditional banks have also started to offer remote onboarding. To open an account remotely, you must pass electronic Know-Your-Customer checks (e-KYC). The majority of fintechs don’t review applications themselves but outsource the KYC to one of the service providers. The process consists of Proof of Identity and Proof of Address. Although requirements vary from provider to provider, most will ask you to send photos of your ID and bills and to take a picture of yourself. Other providers require a video recording of the applicant performing certain actions with the ID to prove it is genuine.
All these steps gave me the illusion that e-KYC was robust, until last year, when we showed one fintech how easy it is to open a fake account. I used my own ID and Photoshop in the depicted scenarios and highlighted all the consequences of such crime: money laundering, sanctions evasion and terrorism financing. Then I started thinking: what if even these steps are redundant? What if there are ways to open an account without formal KYC verification?
Today I’ll show how easy it is to enrol a wallet and a virtual card using only publicly available data. We will use the Samsung Pay mobile wallet for this. Everyone has heard of Samsung Pay, right? Maybe not all of you, if you live in the UK/EU. This wallet is not very popular here: fewer than ten banks support Samsung Pay in the UK, while in the US hundreds of banks support it. That was a problem for Samsung. If you tried adding your card to Samsung Pay, you would get the notification “Sorry, your bank is not supported yet”, and there was nothing you could do. Every bank needs an agreement with Samsung to be added to the Samsung wallet. A couple of years ago, Samsung partnered with Curve to address that problem.
What a fresh hell Curve is, you ask? Curve is a card that replaces the whole wallet of cards! Quite a handy startup I use all the time myself. Once you’ve got your Curve card, you can add other cards to your Curve application. A “default” card chosen in the app will be charged when you pay with a Curve card. Don’t have money on the default account? You can select a rescue card that will be automatically charged next (“Anti-Embarrassing Mode”). Have you set the wrong “default” card? Curve can revert your transaction and take money from the correct account within three months. Superb!
Struggling with the lack of banks in its portfolio, Samsung partnered with Curve. Now, when you try to add a card that Samsung Pay doesn’t support, the phone will enrol you in a Curve account and automatically add your card to Curve. And voila! Samsung Pay supports your card via the “proxy” Curve solution.
How does the account opening for Samsung and Curve look?
Step 1. Getting the latest version of the Samsung Pay app (now called Wallet):
Step 2. Adding the Revolut card, which doesn’t support Samsung Pay, to the Wallet:
Step 3. Samsung proposed installing the Curve app, as expected:
Step 4. We will use a fresh mobile number and an email address to register. Then we use the “stolen identity” details: first and last name, date of birth and home address:
Where could anyone get this information from? I don’t want to point the finger, but there are a couple of easy ways. For example, criminals could obtain these details from various public databases.
And that’s it! We got a virtual card to pay online and a mobile wallet to pay in stores! What about the Proof of Address and the Proof of Identity? We have become so used to them with neobanks like Revolut or Monzo. Curve still uses Onfido for these checks, but when they partnered with Samsung, both came up with a shortcut named Progressive or Tiered KYC. There are not many references to this concept on the Internet. I didn’t find any other neobank that implemented such a solution. However, you can read about this approach in publications from the GSMA (the telecom compliance body) and the FATF (Financial Action Task Force):
In Canada, customer identification (and verification) is required for remittances of CAD 1 000 or above. Some remittance companies introduced a “progressive approach” to CDD where sending more than CAD 1 000 required customers to provide additional information, including their occupation and source of funds.
Tiered KYC lets Curve skip most checks until you spend your first £100. After that, formal Proof of Address and Identity checks are carried out via the Onfido service provider.
Secure enough, the FATF thinks, until criminals learn how to add stolen cards to Curve. By the time this research began, I had already sent a few security reports to Curve, most of which they had ignored. Maybe it had something to do with the constantly changing members of the security department. When you add your cards to Curve, it might only look secure, but it’s not. One of the vulnerabilities allowed me to add stolen cards by knowing only the long card number and expiry date. Another vulnerability allowed bypassing the additional 3D-Secure verification when adding a card. To bypass this check, criminals would need live access to a stolen card’s transaction statements.
These are pretty standard pieces of information that are sold across dark markets:
So it would be possible to add a stolen card to the Curve account without the CVV2 code or the 3D-Secure code.
Finally, I knew that Curve had a blind spot around simple logic and arithmetic in its backend, so I assumed I would be able to spend more than £100 without any verification. I made three payments totalling £135 before the account was suspended:
But even the £100 limit is an illusion. Using the same phone, I registered three different accounts with information from people who kindly provided their names to me for testing purposes. Over and over again on the same device, without raising any suspicion. So nothing stops criminals from opening hundreds of accounts and moving more than £100 from each using stolen cards.
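As an added illustration of the two gaps just described (a limit that let three payments total £135, and repeated unverified enrolments from one device), here is a small defensive gate written for this page; it is not Curve’s or Samsung’s code. The £100 limit comes from the text; the account and device identifiers are constructed.

```python
# Added example (not Curve's or Samsung's code): a tiered-KYC gate that checks the
# pre-verification spend limit against the running authorised total *before*
# approving each payment, and refuses a second unverified enrolment from the same
# device. Account IDs and device IDs used with it are constructed for illustration.
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

PRE_KYC_LIMIT_PENCE = 100_00     # £100 allowed before full Proof of ID/Address
MAX_UNVERIFIED_PER_DEVICE = 1    # unverified accounts tolerated per device fingerprint


@dataclass
class Account:
    account_id: str
    device_id: str
    kyc_verified: bool = False
    authorised_pence: int = 0    # every authorised amount, settled or still pending


class TieredKycGate:
    def __init__(self) -> None:
        self.accounts = {}                 # account_id -> Account
        self.by_device = defaultdict(set)  # device_id -> {account_id, ...}

    def enrol(self, account_id: str, device_id: str) -> tuple[bool, str]:
        """Open an unverified account unless the device already holds one."""
        unverified = [a for a in self.by_device[device_id]
                      if not self.accounts[a].kyc_verified]
        if len(unverified) >= MAX_UNVERIFIED_PER_DEVICE:
            return False, "device_already_has_unverified_account"
        self.accounts[account_id] = Account(account_id, device_id)
        self.by_device[device_id].add(account_id)
        return True, "ok"

    def authorise(self, account_id: str, amount_pence: int) -> tuple[bool, str]:
        """Approve a payment only if the cumulative authorised total stays within
        the pre-KYC limit; otherwise require full verification before settling."""
        acct = self.accounts[account_id]
        if not acct.kyc_verified and acct.authorised_pence + amount_pence > PRE_KYC_LIMIT_PENCE:
            return False, "kyc_required"
        acct.authorised_pence += amount_pence
        return True, "ok"

    def complete_kyc(self, account_id: str) -> None:
        """Mark the account verified, e.g. after the Onfido check passes."""
        self.accounts[account_id].kyc_verified = True
```

Counting authorised rather than settled amounts is what stops three £45 payments from slipping past a £100 limit between settlement runs.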
To reiterate, how could criminals with Samsung Pay use stolen identities and cards?
1. Buy a device that supports Samsung Pay.
2. Create a fresh digital account (phone number and email).
3. Download the Curve app and create an account using information from the stolen identity (First and Last Name, Date of Birth, Address).
4. Add stolen cards to Curve by knowing only the long card number and the expiry date and having real-time access to bank statements.
5. Make in-store or online payments within the £100-£135 range.
6. Resell purchased goods or apply a known money movement scheme.
7. Repeat steps 2-6 using the same device but different identities and phone numbers.
What COULD Samsung and Curve have done better?
Technological and marketing advantages sometimes open doors for criminals. It’s important to counteract these by implementing additional checks. There is nothing wrong with Tiered KYC itself, until criminals start adding stolen cards or applying money movement schemes made possible by specific fintech features. The answer is to raise the risk thresholds for these features and fix the enrolment process to deter criminals.
I am less apprehensive that malicious actors will start using these techniques, as Curve has recently fixed some of the most serious issues, and it is now much harder (but not impossible) to enrol stolen cards in the app. But there are other threats that unlimited access to virtual cards could pose. We will share those in our next article!