Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI fraud, mobile possession, and what identity teams must change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: AI has reduced the cost of phishing, voice cloning, deepfake documents, and relay attacks to near zero, making knowledge-based authentication increasingly unreliable for banks, payment providers, and enterprise identity programmes, according to IDlayr. The practical shift is toward possession-based controls that remove human judgment from the fraud path and anchor trust in a device or SIM the attacker cannot replicate.

NHIMG editorial — based on content published by IDlayr: AI has changed the rules of fraud and digital identity

By the numbers:

Questions worth separating out

Q: How should security teams replace SMS OTP in AI-heavy fraud environments?

A: Teams should remove SMS OTP from high-risk journeys where phishing relay and voice cloning can intercept or coerce the code.

Q: Why do AI attacks break knowledge-based authentication so quickly?

A: AI reduces the cost of generating convincing lures, cloned voices, fake documents, and real-time relay attacks to near zero.

Q: What should identity teams do when mobile becomes the primary trust surface?

A: They should treat mobile as part of the identity control plane, not just a user endpoint.

Practitioner guidance

  • Replace SMS OTP in high-risk flows Prioritise customer login, recovery, and step-up journeys where AI-enabled relay attacks can exploit human interaction.
  • Bind recovery to a physical trust anchor Review account recovery paths for reuse of the same weak factors that attackers can fake, especially voice, knowledge questions, and SMS fallback.
  • Map agent actions to the originating identity Where AI agents can make purchases, trigger approvals, or move money, define how each transaction is tied back to a verified user and device.

What's in the full article

IDlayr's full article covers the operational detail this post intentionally leaves for the source:

  • The mobile possession-factor mechanics used to verify SIM ownership without user input.
  • The article's explanation of how Silent Network Authentication fits into fraud and account recovery flows.
  • The vendor's FAQ on passkeys, possession factors, and why synced passkeys differ from device-bound credentials.
  • The agentic commerce discussion that ties user identity, mobile trust, and transaction assurance together.

👉 Read IDlayr's analysis of AI fraud, possession factors, and mobile identity →

AI fraud, mobile possession, and what identity teams must change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

AI fraud is exposing a knowledge-factor trust debt that identity programmes have been carrying for years. Passwords, PINs, SMS OTPs, and challenge questions were designed for a world where humans could still reliably distinguish legitimate prompts from synthetic ones. That assumption fails when attackers can generate convincing lures, voices, and documents at machine speed. The implication is that assurance models built on user recognition are now structurally fragile, not merely overloaded.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when an AI agent completes a fraudulent transaction?

A: Accountability should sit with the programme that authorised the delegation chain, not with the agent alone. Teams need explicit rules for which transactions the human approved, which the device verified, and which the policy allowed the agent to execute. If those boundaries are unclear, the organisation cannot prove who authorised the action or why.

👉 Read our full editorial: AI fraud is forcing identity to move beyond knowledge factors



   
ReplyQuote
Share: