AI fraud fuels debate over continuous identity verification

Artificial intelligence allows organized fraud rings to manufacture thousands of synthetic identities, generate fraudulent documents and deepfake videos, and attack government benefit programs at a scale that federal identity systems were not built to withstand, according to authorities at a hearing Wednesday before the House Committee on Oversight and Government Reform’s Subcommittee on Government Operations.

The hearing exposed a central policy conflict over how far agencies should go in continuously evaluating identities and matching information across government programs and what safeguards would be necessary to prevent those capabilities from becoming a broader system for tracking legitimate users.

The proposals included wider use of biometrics, device and behavioral data, machine learning, and real-time matching across federal and state databases.

The measures were presented as necessary defenses against increasingly automated and transnational fraud operations. The testimony also raised concerns that stronger identity-verification systems, if combined with widely required digital identification, could create infrastructure capable of tracking Americans’ activities.

Subcommittee Chairman Pete Sessions, a Republican from Texas, said fraudsters can now create hundreds or thousands of synthetic identities and submit applications to multiple government programs simultaneously.

Deepfake technology can also be used to impersonate a legitimate applicant and circumvent safeguards intended to confirm that the person presenting an identity is its rightful owner, he said.

Sessions said agencies have traditionally treated identity verification as a check performed at the beginning of an application and urged them to consider whether identities should instead be monitored and verified continuously as fraud methods change.

Jordan Burris, vice president and head of public sector strategy at Socure, told the subcommittee the government’s identity systems remain largely organized around matching a name, date of birth, and Social Security number against government or commercial records.

That may validate that the information belongs to a real person, he said, but it does not establish that the person submitting it is the legitimate owner.

The underlying information may already be available to criminals through data breaches, underground markets, or publicly accessible records.

Fraud rings can then combine genuine stolen information with newly created email addresses, telephone numbers, bank accounts and digital devices to construct what appears to be a legitimate applicant.

In one case documented by Socure, a fraud ring conducted 38,241 transactions involving 465 organizations in 30 industries during a 90-day period.

In another case, Socure found a ring acquired 340 internet domains, used generative AI to manufacture 24,148 synthetic identities, and launched 35,894 application attacks against government and commercial targets within approximately 30 days.

Many of the attacks began less than 48 hours after an identity was created.

Socure’s researchers also found operations targeting several public programs at once.

One fraud ring carried out more than 60 attacks against government programs over approximately five weeks, using real stolen identity information with fabricated contact details and foreign virtual private network infrastructure, Burris said.

Fraudsters are also making their Internet activity appear more local and legitimate by routing applications through residential proxy networks.

David Maimon, head of fraud insights at SentiLink, said the criminal infrastructure developed to steal pandemic relief funds has been redirected toward permanent federal programs.

Online markets now offer stolen identities, fabricated documents, bank accounts, money mules, and application assistance as separate services that can be combined into a complete fraud operation.

Maimon described criminals using AI-generated faces, fraudulent driver’s licenses, and deepfake video to defeat remote identity checks. The techniques are being used in tax refund fraud, according to Maimon.

Federal student aid has also become a target of organized fraud operations.

Maimon described a scheme known in online fraud communities as “Pell Running,” in which criminals use stolen or synthetic identities to enroll purported students at colleges, submit Free Application for Federal Student Aid (FAFSA) forms, and collect living expense disbursements without attending classes.

He said online services sell identity packages prepared specifically for student aid fraud, sometimes accompanied by fabricated high school transcripts, application instructions, and assistance moving the proceeds.

The Department of Education introduced real-time, risk-based identity screening in the FAFSA process in April. Burris said Socure supported Federal Student Aid in building the capability, and that legitimate applicants are passing through the process automatically at a rate above 92 percent.

The department separately estimated that the broader effort would save more than $1 billion during the current FAFSA cycle.

Congress was urged to shift from identity checks performed only when an account is created toward continuous, risk-based analysis.

Under such a system, agencies could examine document authenticity, biometric and liveness results, device and behavioral information, and other risk signals at the time of a transaction and reevaluate them as risk changes over the life of an account.

Burris also called for agencies to end their remaining use of knowledge-based authentication, in which applicants answer questions about former addresses, relatives, vehicles, or other personal history. Data breaches and commercial information services have made much of that information available to criminals, he said.

Maimon recommended real-time matching across tax, Social Security, unemployment, student aid, health care, motor vehicle, and correctional records.

The same identity, address, business, or bank account can currently appear in several programs without agencies identifying the connection, he said.

He urged Congress to expand the Treasury Department’s Do Not Pay system, which allows agencies to compare payment information against data used to identify deceased, incarcerated, or otherwise ineligible recipients.

Maimon said additional matching should be limited to narrowly defined information and accompanied by access controls, audit logs, retention limits, and procedures allowing applicants to correct errors.

The Government Accountability Office (GAO) offered a measured assessment of Login.gov.

Marisol Cruz Cain, director of GAO’s Information Technology and Cybersecurity team, said GSA has acted on all but one of the recommendations GAO made after examining the service in 2024 and 2025.

GSA brought Login.gov’s remote identity-proofing process into alignment with federal digital identity guidance and began testing its data backup procedures. The remaining recommendation concerns technical problems reported by agencies using the service.

The American Civil Liberties Union (ACLU) warned that efforts to stop fraud should not lead to a digital identification system that Americans must present throughout daily life.

Jay Stanley, a senior policy analyst with the ACLU’s Speech, Privacy, and Technology Project, told the subcommittee that a digital ID could become a de facto national identity card and allow governments or companies to track when and where it is presented.

The risk would increase as digital identification became easier to demand for government services, commercial transactions and online activity, he said.

Stanley said digital identification should remain optional in both law and practice, and that government agencies should continue to accept physical documents and provide meaningful in-person alternatives for people without smartphones, reliable Internet connections, or the technological ability to complete remote verification.

He also called for systems that prevent issuers from seeing where an identification credential is used, allow people to disclose only the information required for a transaction, and prevent separate presentations from being linked together.

Wallets and verification systems should use open and interoperable standards so that Apple, Google or another company cannot become an unavoidable identity gatekeeper, he said.

Stanley also cautioned against treating all improper payments as identity fraud.

Federal agencies reported approximately $186 billion in improper payments during fiscal 2025, but GAO found that about $153 billion, or 82 percent, consisted of overpayments.

Improper payments include administrative errors and incorrect amounts as well as fraud, and stronger identity verification would not prevent every type of payment error.

GAO has separately estimated that direct annual financial losses to the federal government from fraud range from $233 billion to $521 billion, based on fiscal 2018 through 2022 data.

The range reflects uncertainty in measuring undetected fraud and the differing risk environments during the period, which included the rapid expansion of pandemic relief programs.

The unresolved question is whether government can build the persistent and interconnected identity infrastructure sought by fraud prevention specialists without also creating a system capable of continuously tracking and judging law-abiding Americans.

Article Topics

 |   |   |   |   |   |   |   | 

Latest Biometrics News


 

BOYLE Sports has selected Jumio to verify new online gambling players across the UK and Ireland to meet regulatory requirements….


 

U.S. Sen. Edward Markey is pressing Congress to restrict how AI companies collect and use information from children and to…


 

A new annual report from the UK’s Office for Digital Identities and Attributes (OfDIA) refreshes its commitment to support biometrics…


 

Generative AI has made robust biometric detection systems increasingly critical for fraud prevention. According to new data from Surfshark, deepfake…


 

Regula Forensics has announced the launch of an enhanced, multimodal biometric verification service with integrated liveness detection. A release says…


 

European Union governments remain divided over a proposed agreement that would allow U.S. authorities to query national databases containing fingerprints…

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *