By NHI Mgmt Group Editorial Team
Published 2023-01-13
Domain: Governance & Risk
Source: 1Kosmos

TL;DR: Fraud costs consumers and businesses $52 billion a year in the US and account takeovers have driven more than $11.4 billion in losses, according to Javelin Strategy & Research and Forbes. Identity verification is shifting from a login problem to a fraud-control and assurance problem that now affects consumer IAM, access assurance, and transaction trust.


At a glance

What this is: A fraud-focused outlook on digital identity verification, with account takeovers, synthetic identities, and transaction signing emerging as the main pressure points.

Why it matters: IAM, IAM governance, and identity verification controls now sit inside fraud prevention, not beside it, and the same identity weaknesses affect human, NHI, and delegated access programmes.

By the numbers:

👉 Read 1Kosmos's predictions on digital identity verification and fraud


Context

Digital identity verification is the control layer that checks whether a person is who they claim to be before access, account creation, or transaction approval is allowed. In this article, the core problem is fraud escalation: stolen credentials, synthetic identities, and weak verification steps are turning identity systems into loss channels instead of trust controls.

For IAM leaders, the implication is broader than consumer login hardening. Verification, authentication strength, and transaction trust now sit on the same governance surface as account lifecycle, fraud detection, and access assurance, which means identity programmes have to be designed with abuse paths in mind from the start.

The article's framing is typical of the current market: identity has become a fraud target because attackers can monetise access faster than organisations can verify intent. That makes identity assurance a business control problem, not just an authentication problem.


Key questions

Q: How should security teams reduce account takeover risk in digital identity programmes?

A: They should treat takeover as a lifecycle problem, not only an authentication problem. Strengthen proofing, step-up checks, recovery flows, and transaction approval so that a valid session does not automatically equal a trusted action. The strongest programmes align identity assurance with the value of the action being protected.

Q: When does passwordless authentication reduce fraud risk?

A: Passwordless helps when it replaces weaker shared secrets with stronger, phishing-resistant assurance and is backed by device binding or biometrics. It does not help if recovery and onboarding remain weak, because attackers will target the least protected identity step. The control only works when the whole identity path is consistent.

Q: What do organisations get wrong about synthetic identity fraud?

A: They often focus on detection after the account exists instead of proofing before the account is created. Once a synthetic identity has passed onboarding, it can build history and gain trust like a real customer. Prevention has to start at origination, not after the fraud is already active.

Q: Who should own identity verification when fraud and IAM overlap?

A: Ownership should be shared, but governance must be explicit. IAM teams control assurance design, fraud teams monitor abuse patterns, and risk or compliance teams define acceptable thresholds for onboarding and recovery. If those groups operate separately, attackers exploit the gaps between their controls rather than the controls themselves.


Technical breakdown

Why account takeover is an identity assurance failure

Account takeover happens when an attacker uses stolen credentials, hijacked sessions, or bypassed authentication to impersonate a real user. The technical weakness is not only the password or MFA method, but the fact that the identity proofing and recovery chain often remains weaker than the login path. Once the attacker gets through, downstream systems usually trust the session as legitimate, which lets fraud unfold inside approved workflows. That is why identity assurance has to cover recovery, step-up checks, and transaction context, not only initial authentication.

Practical implication: map recovery and step-up points as carefully as login points, because that is where takeover paths usually survive.

How synthetic identity fraud uses weak proofing

Synthetic identity fraud blends real and fabricated attributes to create a plausible but fake person. The abuse succeeds when proofing systems rely on isolated data checks instead of stronger evidence binding, device continuity, or verified credential sources. In practice, this means the attacker is not breaking authentication in the usual sense. They are constructing a believable identity that can later pass onboarding, credit, or account origination checks. Once accepted, the identity can age, build history, and then be used for higher-value fraud.

Practical implication: strengthen proofing at origination, because a bad identity that enters cleanly is much harder to detect later.

Why transaction signing changes the attack surface

Transaction signing adds user-confirmed context to the action itself, not just the login event. Instead of trusting the authenticated session alone, the system binds the approval to transaction details, which makes man-in-the-middle modification and some session abuse much harder. This matters because many fraud cases do not need a full account compromise after login. They only need the attacker to alter payment, transfer, or beneficiary details while the user still appears authenticated. Signing forces a second check on the actual act being authorised.

Practical implication: use signing for high-value actions where changing the transaction is as dangerous as stealing the session.
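As an added illustration of the binding described above (example code written for this summary, not 1Kosmos's or any vendor's implementation), the block below signs exactly the transaction fields the user approved and then verifies them server-side, so a beneficiary swapped inside an authenticated session, or a replayed approval, is rejected. The device-bound key, field names and transaction values are constructed assumptions; a real deployment would keep the key in the user's authenticator rather than in the web session.

```python
import hashlib
import hmac
import json
import secrets

# Constructed placeholder for a device-bound key. Assumption: the key lives in
# the user's authenticator, so a session hijacker cannot produce a valid signature.
DEVICE_KEY = b"constructed-device-bound-key-0001"

# Everything the user sees and approves must be inside this set. A field left
# out here is not covered by the signature and can be altered after approval.
SIGNED_FIELDS = ("account_from", "beneficiary", "amount", "currency", "nonce")


def canonicalize(tx: dict) -> bytes:
    """Serialize only the signed fields in a fixed order so both sides hash the same bytes."""
    subset = {k: tx[k] for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(tx: dict, key: bytes = DEVICE_KEY) -> str:
    """Device side: after the user confirms the displayed details, sign exactly those details."""
    return hmac.new(key, canonicalize(tx), hashlib.sha256).hexdigest()


def verify_transaction(tx: dict, signature: str, seen_nonces: set, key: bytes = DEVICE_KEY) -> str:
    """Server side: recompute over the transaction it is about to execute, then reject replays.
    Returns "ok", "bad_signature" or "replay" so callers can log the reason."""
    expected = hmac.new(key, canonicalize(tx), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return "bad_signature"
    if tx["nonce"] in seen_nonces:
        return "replay"
    seen_nonces.add(tx["nonce"])
    return "ok"


def demo() -> dict:
    """Walk through the legitimate, tampered and replayed cases on constructed data."""
    seen = set()
    approved = {"account_from": "ACC-1001", "beneficiary": "IBAN-CONSTRUCTED-A",
                "amount": "250.00", "currency": "EUR", "nonce": secrets.token_hex(8)}
    sig = sign_transaction(approved)
    results = {"legit": verify_transaction(approved, sig, seen)}
    # Attacker inside the still-authenticated session swaps the beneficiary after approval.
    tampered = dict(approved, beneficiary="IBAN-CONSTRUCTED-ATTACKER")
    results["tampered"] = verify_transaction(tampered, sig, seen)
    # Re-submitting the original approved message is refused by the nonce check.
    results["replay"] = verify_transaction(approved, sig, seen)
    return results
```

The signature check runs before the nonce check so that a tampered message is logged as a signature failure rather than masked as a replay.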


Threat narrative

Attacker objective: The attacker wants to monetise trusted identity, either by taking over existing accounts or by opening new fraudulent accounts that can be used for theft, laundering, or further abuse.

  1. Entry begins with harvested credentials, reused passwords, or a synthetic identity that passes weak proofing and obtains initial trust.
  2. Escalation occurs when the attacker pivots from access to account origination, session abuse, or transaction manipulation inside legitimate user flows.
  3. Impact is financial loss, downstream breach cost, and fraud at scale across consumer and business accounts.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity verification has become a fraud control, not a login feature. The article shows that the real value of verification is no longer confined to authenticating a user once. It now has to resist account takeover, synthetic identity creation, and transaction manipulation across the full lifecycle of an interaction. That means IAM teams should treat identity assurance as a business-loss control, not a front-door convenience feature.

Account takeover exposes the fragility of trust after authentication. Once the attacker crosses the login boundary, many systems continue to treat the session as legitimate. That is a governance failure in the trust model, not just a technical weakness in MFA. Practitioners need to examine where the programme still assumes authentication equals trust, because fraud exploits everything that happens after the first check.

Transaction signing is a named control pattern for identity-bound actions. It shifts assurance from the session to the event, which is the right design move for high-value actions such as payments, transfers, and account changes. The broader lesson is that identity governance must understand the value of the action being protected, not just the identity performing it. Security teams should prioritise event-bound assurance where financial loss is the likely outcome.

Digital identity score thinking will force IAM and fraud teams to converge. The article points toward portable, user-held reputation data that can be verified without centralising every attribute in one platform. That creates a governance question around who can score, who can retain, and who can reuse identity evidence. The implication is that identity assurance, consent, and fraud prevention will increasingly share the same policy surface.

Fraud resilience now depends on verification depth across the entire identity stack. Stronger login controls help, but they do not solve weak onboarding, weak recovery, or weak transaction binding. The article reinforces a control model in which the weakest assurance step defines the attacker's easiest path. Practitioners should audit every identity decision point for exploitability, not only the authentication gate.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity oversight stops at the human layer.
  • For a broader governance lens, see Top 10 NHI Issues for the most common control failures across machine identity programmes.

What this signals

Identity assurance and fraud prevention are converging around the same control points. The practical shift for programmes is that proofing, login, recovery, and transaction approval now need to be designed as one chain. When one step is weak, the attacker follows the weakest assurance boundary rather than the strongest.

Account origination is becoming the most valuable place to invest in trust controls. If a bad identity enters cleanly, later detection is always more expensive. Teams should treat onboarding standards, device continuity, and transaction context as part of the fraud architecture, not as separate IAM concerns.

With 90% of IT leaders saying properly managing NHIs is essential for a successful zero-trust implementation, the broader lesson is that trust cannot be left implicit anywhere in the identity stack. That same principle applies to human and delegated identity flows when attackers are looking for the cheapest path to abuse.


For practitioners

  • Harden identity proofing at account origination: Require stronger evidence binding for new accounts, especially where synthetic identity risk is high. Compare onboarding controls against later fraud outcomes so that the proofing standard is measured by downstream loss, not just pass rates.
  • Review recovery and reset paths for takeover exposure: Treat password reset, device replacement, and step-up flows as primary attack paths. Align recovery controls with the same assurance standard used for login, or attackers will simply bypass the front door and enter through the back.
  • Add transaction signing for high-value actions: Bind approvals to the specific payment, transfer, or account-change event. Use signing where changing transaction details is materially worse than stealing a session, and reserve it for the actions that can drive direct loss.
  • Separate fraud signals from authentication signals: Correlate device continuity, behavioural anomalies, and transaction context instead of relying on a successful login as proof of legitimacy. This reduces the chance that a compromised but authenticated session is treated as trusted.

Key takeaways

  • Digital identity verification now functions as a fraud control surface, because account takeover and synthetic identity attacks turn trust decisions into loss events.
  • The scale is material, with fraud costing $52 billion a year in the US and account takeovers already driving more than $11.4 billion in losses.
  • Organisations should strengthen proofing, recovery, and transaction signing together, because any weak identity step becomes the attacker’s preferred path.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AC-1             | Identity verification and access assurance are core access-control concerns in this article.
NIST SP 800-63               |                     | Digital identity proofing and assurance are central to the article's fraud discussion.
NIST Zero Trust (SP 800-207) | PR.AC-4             | The article links stronger identity controls to zero-trust style verification.

Map verification and recovery controls to PR.AC and ensure trust decisions are consistent across the identity lifecycle.


Key terms

  • Account Takeover: Account takeover is the unauthorized use of a legitimate account after the attacker has obtained or bypassed the original credentials. In identity programmes, the risk is not just login compromise, but everything the authenticated session can still do once the attacker is inside.
  • Synthetic Identity: A synthetic identity is a fraud construct built from a mix of real and fabricated personal data. It can pass weak onboarding checks, accumulate trust over time, and later be used to open accounts, move funds, or evade normal fraud detection patterns.
  • Transaction Signing: Transaction signing binds user approval to the specific action being authorised, rather than only to the login session. It reduces man-in-the-middle manipulation and makes changes to payments, transfers, or account details harder to hide inside a trusted session.
  • Identity Proofing: Identity proofing is the process of establishing that a person is who they claim to be before account creation or access is granted. In practice, stronger proofing uses multiple evidence sources and continuity checks so attackers cannot easily insert fake identities into the system.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: digital identity verification and fraud trends for 2023. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2023-01-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org