One day I decided to open a card using a “stolen identity”. Buying stolen personal details is elementary and cheap: it costs around £12 apiece. However, stealing someone’s data or buying stolen details online was not in my plans. Instead, I asked a friend’s permission to use his details and open an account. Let’s see how easy that could be and what criminals can do with this information.
If you opened a bank account after 2017, you likely did it remotely without visiting a branch – neobanks don’t have any, and many traditional banks have also started to offer remote onboarding. To open an account remotely, you must pass electronic Know-Your-Customer checks (e-KYC). The majority of fintechs don’t review applications themselves but outsource the KYC to one of the service providers. The process consists of the Proof-Of-Identity and the Proof-Of-Address. Although requirements vary from provider to provider, most providers will ask you to send photos of your ID and bills and take a picture of yourself. Other providers require a video recording of the individual performing some operations with the ID to prove its genuineness.
All these steps gave me the illusion that e-KYC was robust until last year, when we showed one fintech how easy it is to open a fake account. I used my own ID and Photoshop in the depicted scenarios and highlighted all the consequences of such a crime – money laundering, sanctions evasion and terrorism sponsorship. Then I started thinking: what if even these steps are redundant? What if there are ways to open an account without a formal KYC verification?
Today I’ll show how easy it is to enrol a wallet and a virtual card using only publicly available data. We will use the Samsung Pay mobile wallet for this. Everyone has heard of Samsung Pay, right? Maybe not every one of you, if you live in the UK/EU. This wallet is not very popular here – fewer than ten banks support Samsung Pay in the UK, while in the US, hundreds of banks support it. That was a problem for Samsung. If you tried adding your card to Samsung Pay, you would get a notification, “Sorry, your bank is not supported yet”, and there was nothing you could do. Every bank needs to have an agreement with Samsung to be added to the Samsung wallet. A couple of years ago, Samsung partnered with Curve to confront that problem.
What fresh hell is Curve, you ask? Curve is a card that replaces the whole wallet of cards! Quite a handy startup, which I use all the time myself. Once you’ve got your Curve card, you can add other cards to your Curve application. The “default” card chosen in the app will be charged when you pay with the Curve card. Don’t have money in the default account? You can select a rescue card that will be automatically charged next (“Anti-Embarrassing Mode”). Have you set the wrong “default” card? Curve can revert your transaction and take the money from the correct account within three months. Superb!
Struggling with the lack of banks in its portfolio, Samsung has partnered with Curve. Now, when you try to add a card that Samsung Pay doesn’t support, the phone will enrol a Curve account and automatically add your card to Curve. And voilà! Samsung Pay supports your card via the “proxy” Curve solution.
How does the account opening for Samsung and Curve look?
Step 1. Getting the latest version of the Samsung Pay app – now it’s called Wallet: