Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity leaks and automated fraud: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Large-scale identity leaks turn names, emails, and phone numbers into reusable fraud inputs, while OTP-centric recovery and static attributes fail under automated abuse, according to Prove Identity. The core issue is that identity programs still assume copyable data can anchor trust after it has already been widely exposed.

NHIMG editorial — based on content published by Prove Identity: Why Prove Matters When Identity Data Leaks Become Critical Infrastructure Failures

By the numbers:

Questions worth separating out

Q: How should identity teams reduce fraud when personal data has already leaked?

A: Treat exposed attributes as compromised inputs, not trust anchors.

Q: Why do OTP-based recovery flows fail under automated fraud?

A: OTP flows fail when attackers can intercept, reroute, or socially engineer the delivery channel and then repeat the attempt at scale.

Q: What do security teams get wrong about using phone numbers as identity factors?

A: They often confuse possession of a number with durable identity assurance.

Practitioner guidance

  • Reassess recovery journeys as attack surfaces Map every step-up and account recovery flow where leaked PII, OTP delivery, or support intervention can be replayed.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • How Prove ties phone ownership continuity to recovery and onboarding decisions across real customer lifecycle changes.
  • The specific trust logic used to distinguish legitimate device upgrades and number porting from borrowed or recycled identity.
  • Examples of where static attributes and OTP-centric flows fail under repeated abuse.
  • The product framing behind persistent, cryptographically anchored identity across changing customer states.

👉 Read Prove Identity's analysis of why identity leaks are becoming fraud infrastructure risk →

Identity leaks and automated fraud: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Identity leakage has become a fraud infrastructure problem, not just a privacy problem. Once the same attributes are exposed repeatedly, attackers can industrialise onboarding abuse, account takeover, and recovery attacks. That changes the economics of fraud because the cost of each attempt drops while the number of attempts rises. Practitioners should stop treating leaked identity data as damaged information and start treating it as a reusable attack substrate.

A few things that frame the scale:

  • Humans can only spot deepfakes correctly about 40% of the time, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.

A question worth separating out:

Q: How do you know if an identity verification flow is too fragile?

A: If it can be satisfied by copied attributes, reused OTPs, or support scripts that rely on past history, it is too fragile for automated fraud conditions. A resilient flow should still hold under repeated attempts, device changes, and recycled contact details, because attackers will test all three.

👉 Read our full editorial: Identity leaks are turning KYC into fraud infrastructure risk



   
ReplyQuote
Share: