To Catch A Catfisher — Go Beyond CAPTCHA

Jean Shin
Stop Catfishers and Fraud, tyntec

All too often, sites fail to adequately verify user identities, which enables the well-known and damaging practice of catfishing. Fake accounts created this way have defrauded consumers around the world of tens of millions of dollars.

Fake accounts and imposter profiles run rampant on social media sites, scamming money from innocent users or promoting fake products in support of illegal businesses. One person who found this out the hard way was former US Army colonel Bryan Denny, who found thousands of accounts using pictures of him over the course of two years. These fake accounts, on Facebook and various dating sites, lured dozens of single women into giving at least $347,000 to the scammers.

Col Denny's story is not unique. An analysis from the International Journal of Engineering Technology Science and Research says a significant portion of online dating profiles are fake. "It has been estimated that in every 10 online dating profiles, at least one is accounted as fake and per year more than $50 million is lost to romance scams [as a result]," it says.

Knowing Your Customer

Trust is important in any interaction between people, and the health of any online business depends on the safety and trustworthiness of its environment.

While there are many advantages to doing business online, bricks-and-mortar business owners have a leg up when it comes to establishing trust with their customers. Meeting someone face-to-face provides an opportunity to confirm their identity, and employees can ask for identification or another form of identity verification.

To combat the ubiquitous fake account problem, businesses can take advantage of multifactor authentication to reduce the risk of fake identities. Requiring multiple forms of identification and verification creates a safer and more honest customer and user experience.

Fighting Fakes Online

Scammers can get away with using fake identities, a practice known as catfishing, when sites do not verify those identities.

At first it may appear somewhat surprising that more effort is not put into authenticating individuals who create user accounts. After all, software engineers spend substantial amounts of time coding data checks that keep us from entering numbers where letters are expected and other simple mistakes. Try to enter an invalid piece of data in virtually any field on a form and you'll be prompted to correct it. It's as if developers focus on the proverbial trees and miss the forest — applications protect against data entry errors but not intentional fraud.

Many sites accepting input from humans use challenges like CAPTCHA tests, which ask users to identify stop signs in a series of outdoor images or to type in a series of visually distorted numbers and letters. These challenges help distinguish humans from bots but don't offer much protection when humans are the ones entering deceptive information.

Software developers have created tools for fighting online deception, like plagiarism-checking sites, which can identify unusually similar texts. Reverse image search services can check if a purported picture of a user is found elsewhere on the web. These kinds of tools are a step in the right direction, but they are not sufficient as solutions. A reverse image search can provide evidence of potential deception, but that evidence is not definitive. Raw information like that has to be reviewed and interpreted by humans to make an accurate assessment. Social sites cannot depend on humans in the loop if they expect to scale.

Proving Identity

The one technology that has consistently proven effective in establishing identity at scale is multifactor authentication (MFA). The basic idea behind MFA is that a person should present two or more pieces of evidence as proof of identity. Factors are typically chosen from something you know, something you have, and something you are. For example, a password is something you know, and a software token generated by an authentication app is something you have.

In many use cases, MFA adds an additional security control that a fraudulent user would have to bypass. It's possible to guess someone's password and it's possible to steal someone's phone (and know their device passcode), but it is much more difficult to do both. This is one reason MFA is one of the top three practices used by security experts to protect themselves online. When one of the factors used to authenticate identities on social sites is a software token (a piece of data generated using a shared secret) or a one-time passcode sent to a mobile device, we can link an identity to a device with a unique identifier such as a phone number.

Blocking Fake Accounts with Multifactor Authentication

Now consider how a catfisher could be blocked from creating false identities. A catfisher creates an account on a dating site, using photos and personal details found on the web. The fake identity has a compelling story and the catfisher is ready to finish creating an account when they are prompted to provide a second factor, like a series of numbers sent to an SMS device. The first time the catfisher uses a given phone number, they can succeed, but now that identity is associated with that number. Unless the scammer has a cache of active mobile phones at their disposal, they will be unable to create additional fake identities. MFA blocks scammers from scaling up their operations.
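The one-identity-per-number check described above, as an added Python example that is not from the original article or from tyntec. The class name, the in-memory dictionaries standing in for a database, the pepper, the code lifetime and attempt limit, and the sample phone number are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

PEPPER = secrets.token_bytes(32)  # assumption: server-side secret, kept out of the DB
OTP_TTL, MAX_ATTEMPTS = 300, 3    # assumption: 5-minute codes, 3 guesses each

class SignupVerifier:  # hypothetical name; dicts stand in for a database
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # phone key -> [otp digest, expiry, attempts left]
        self.bound = {}    # phone key -> account id (one account per number)

    def _mac(self, text):
        return hmac.new(PEPPER, text.encode(), hashlib.sha256).digest()

    def _key(self, phone):
        # Canonicalise so "+1 (202) 555-0143" and "+12025550143" collide.
        digits = "".join(c for c in phone if c.isdigit())
        if not 8 <= len(digits) <= 15:
            raise ValueError("expected a number with country code")
        return self._mac("+" + digits)  # store a keyed hash, not the raw number

    def start(self, phone):
        key = self._key(phone)
        if key in self.bound:
            return None  # number already backs an identity: refuse a second one
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[key] = [self._mac(otp), self.clock() + OTP_TTL, MAX_ATTEMPTS]
        return otp  # a real service hands this to its SMS gateway instead

    def confirm(self, phone, otp, account_id):
        key = self._key(phone)
        entry = self.pending.get(key)
        if entry is None or key in self.bound:
            return False
        if self.clock() > entry[1] or entry[2] <= 0:
            del self.pending[key]  # expired or guessed out: force a new code
            return False
        entry[2] -= 1
        if not hmac.compare_digest(entry[0], self._mac(otp)):
            return False
        del self.pending[key]
        self.bound[key] = account_id
        return True

if __name__ == "__main__":
    v = SignupVerifier()
    code = v.start("+1 (202) 555-0143")               # constructed sample number
    print(v.confirm("+12025550143", code, "acct-1"))  # first identity succeeds
    print(v.start("+1 202 555 0143"))                 # second identity is refused
```

Canonicalising the number before the uniqueness check is what stops the same phone from being reused under a different spelling, and the attempt limit keeps a six-digit code from being guessed.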

Why don't more social sites use MFA? It could be concern about the difficulty of implementing the system. But MFA services eliminate the need for sites to set up and maintain their own MFA infrastructure. Consumer adoption is another consideration. If there are too many steps to create an account, users may give up on registering. To resolve this, social sites should let users choose how to receive their one-time passcode. Some users will choose an SMS text message while others will opt to use an app. Users should have the option of choosing the solution that works best for them.

Being Different Builds Trust

Social sites can distinguish themselves by building trust between users through the adoption of MFA. Knowing the risk of being scammed is reduced because of the use of MFA, participants can engage more authentically and more frequently, which in turn will build a stronger, vibrant online community.