The truth about OnlyFake and generative AI fraud
Whenever part of the fraud world pierces through the media noise, things get fascinatingly hectic. Case in point: earlier this year, the media’s discovery of OnlyFake and the reality of modern day document fraud sent risk and fraud teams in a panicked rush to “do something” about it.
But panic is generally the wrong reaction in the face of a sensationalized threat.
Before you get caught up in the hype and rush to deploy the first thing you come across, it’s worth taking a deep breath and to calmly look at what OnlyFake really is, how it works, and what it really means for the future of KYC and your own fraud controls.
What is Only Fake?
Brought to light by a 404 Media investigation, OnlyFake was a website which allowed anyone to quickly and easily generate very convincing ID documents of their choosing. “Customers” could choose a wide range of different ID types, from passports to driver’s licenses, and even batch create hundreds of them at a time. It promised to heavily streamline the creation of fake documents, and bring, as the developer stated in its Telegram account, “The era of rendering documents using Photoshop […] to an end.”
If you’re struggling to find the site, it’s been shifting domains after the recent media coverage, distributing its new address via private Telegram channels. Watch the replay of our Beyond OnlyFake Webinar to gain insider tips on combating generative AI threats and safeguarding your organization.
Does OnlyFake make use of generative AI to create fraudulent documents?
Partially. Interestingly enough, despite claims from the developer, there is actually very little evidence of AI being used in the creation of the documents themselves—a fact readily admitted by the original 404 Media investigation: “While OnlyFake says it uses ‘neural networks’ to create its fake IDs, 404 Media has not seen evidence that the service uses generative AI tools.”
Two areas where the use of generative AI does seem to be the case, if the developer’s marketing claims are to be taken at face value, is the a-la-carte generation of fake portraits and signatures—the trickiest parts of the forgery process—though would-be fraudsters could submit their own photos and signatures. Either would seemingly be added to a base template of an ID card.
Why OnlyFake doesn’t generate the full ID card via AI
Despite all the hype and promise around generative AI, the reality is that the technology is still not at a point where it can generate complete documents from whole cloth. By its very nature, it struggles with consistency across generative attempts. It can be at times a little humorous when given simple tasks to alter an existing image, but it is especially challenging when it comes to ID cards given the various security features—from holograms to machine readable zones—embedded in ID cards. Text in particular can be very challenging for generative AI to embed correctly into images, even though it is child’s play for it to generate on its own.
Given the limitations of fully generating an ID document via AI, it’s no surprise that OnlyFake didn’t rely on the technology alone. Nonetheless, as with all things in AI, the speed of progress will soon make shortcomings a thing of the past, and AI-enabled crime is essentially already a reality.
How OnlyFake really created fraudulent IDs
While parts of the ID card, such as portraits and signatures, may have been generated by AI in order to create consistent, high-quality cards, OnlyFake relied on a set of templates for each layer of the final image. These would be layered, from the top down:
- Text
- Portrait
- Signature
- Hologram
- Machine readable zone
- ID document template
- Background for the card
Ultimately, Photoshop is not dead, but instead operating in the background in an automated fashion, as revealed by the site’s FAQ, where the answer to the question, “Is it possible to download the finished PSD?” is “No. In this case, you can steal all of our templates.”
The truth is OnlyFake wasn’t unique or new
There are now hundreds, if not thousands of sites online that offer similar kinds of services—and they aren’t limited to ID documents. These template farms or document mills aren’t obscure dark web sites accessible only to the technically hyper-literate with a TOR address; they’re indexed and just a search term away.
We’ve documented many of these in our serial fraud white paper, which covers the scope of automated, repeated document fraud that the financial industry now faces as well as many different variations of automated fraudulent documents like those produced by OnlyFake.
Why OnlyFake is an escalation in automated fraud
OnlyFake did two things which are markedly different from what other fraud-as-a-service providers on the market had been doing and really upped the ante in the escalation of automated fraud vs. automated detections:
- The batch creation of documents
- The embedded generation of portraits and signatures
These two capabilities feed each other in dangerous ways and solve multiple criminal challenges.
First, the ability to submit an Excel sheet of data to generate documents in batches is a significant game changer. Aside from pure quantities, it meant that for purely fabricated identities, other generative AI tools could be used to randomly fill in all the fields of a document with unique addresses instantly at almost no effort or cost.
But combined with generated portraits and signatures, criminals could now leverage data leaks of personally identifiable information that might not include actual ID documents in order to create incredibly convincing synthetic identities at an unprecedented scale.
These approaches herald a new age of identity theft and pose significant challenges to KYC and identity verification (IDV) systems that have for years now been moving towards database lookups on the data extracted from the documents at the expense of assessing the authenticity of the documents themselves.
What can you do to stop OnlyFake ID document fraud?
In fraud or financial crime, there’s rarely a silver bullet, and that’s why you should always take a layered approach to defending your castle. This isn’t a new concept, and in fact, we take inspiration from our past as AI cybersecurity experts in building our products using a “defense-in-depth” approach, which essentially means interlocking layers of detectors that are incredibly difficult to evade.
Nonetheless, here are three layers you should absolutely consider when trying to solve this problem:
Have a First Line of Defense That Assesses Incoming Documents
It’s no longer enough to rely on database checks when the data may be real but the person and document are fake. Checking the document's authenticity is key. Look for document fraud detection solutions that take into account the full context of the image and are able to assess whether there are signs of image inconsistency across its quality, whether elements have been inserted or manipulated, and so on.
Put a Mechanism in Place for Comparing Incoming Documents
Like all automation, mass automated fraud relies on economies of scale and repetition. When facing tools like OnlyFake, which can generate armies of fake IDs, checking for repetitions in background, image characteristics, lighting conditions, lens geometry, and more is key.
Look at the Behaviors of the Document Submitters
How you receive documents is just as important as what documents you receive. Every aspect of the submission process—from device fingerprinting data to behavioral signals such as how customers are moving through your user journey—can be used to single out repeated patterns of suspicious behavior across accounts and inform your decision as to whether to accept or decline a document.
How Resistant AI detects OnlyFake documents
We practice what we preach, and use many of the techniques mentioned above. Every document gets analyzed over 500 ways to detect any sign of tampering, farming, or reuse. Resistant AI is able to detect Onlyfake documents by:
- Detecting the elements of the image that were generated by AI.
- Detecting the repetitive elements and characteristics of IDs generated in bulk.
- Detecting the specific characteristics of different document generators and template farms—including the tell-tale signs of OnlyFake generation specifically.
At Resistant AI, we are passionate about catching criminals. It's why we created the world’s most advanced AI-based document fraud detection, and some of the biggest identity verification services around rely on us to keep their customers safe.
Interested in seeing how we can keep your document processing safe? Reach out for a quick talk with one of our experts.