
Fiends, Frauds, and Fakes: Better eKYC With ZOLOZ - Friday Blog, Week 49

See how you can detect attempts at fraud using ZOLOZ, a pre-built, accurate Know-Your-Customer (KYC) solution for mobile phones.

By: Jeremy Pedersen

ZOLOZ: An Easy Way To Do eKYC

A Crash-Course On KYC

I realize not everybody is familiar with "KYC"...so let's start at the beginning: what is KYC?

In most countries, companies that provide financial services (from banks to crypto startups) are required to make an effort to identify each of their customers.

KYC, or Know Your Customer, is the process that companies go through to do this.

Traditionally, KYC is an offline process. You go to a physical location (like a bank branch), present your ID, and another human being matches you against your ID.

But what happens when meeting in person isn't possible? Enter "eKYC".

eKYC: KYC Goes Online

Electronic KYC (eKYC) is used when you need to verify someone's identity online.

eKYC was already critical for FinTech startups that have no offline presence, but is also becoming increasingly popular with traditional banks, many of which started adopting eKYC during the worst parts of the COVID pandemic.

Of course, there are other benefits too:

  1. Easier entry to the financial sector for small startups.
  2. More inclusive: especially in areas like Southeast Asia - which is made up of thousands of islands - even traditional banks can't open offices everywhere. eKYC enables people on these islands to have access to new and better financial services.
  3. Accurate eKYC reduces the number of fake accounts created, which reduces the time and effort spent dealing with these accounts.

The problem with eKYC is that it's hard. Outside the financial sector, it's enough to collect photo ID for each of your users. This is the approach taken by cloud providers like Alibaba Cloud and Google Cloud.

Unfortunately, this is rarely enough for KYC in the financial services sector, where requirements are much more strict.

Designing identity verification systems that can meet the needs of the financial services industry is very, very difficult. Luckily, ZOLOZ has already done this work for you!

eKYC With ZOLOZ

ZOLOZ is a pre-built solution for more accurate eKYC on mobile devices.

Unlike simple systems that work by having a human being compare a user's photograph to their ID, ZOLOZ includes more sophisticated measures to detect fake and spoofed IDs.

ZOLOZ can read information from ID cards via OCR (optical character recognition), can spot signs of fake IDs, and requires users to move and blink rather than submit a still photo of themselves, making fraud much more difficult.

Of course, the real secret sauce with ZOLOZ is its large cache of historical data. By comparing verification attempts with IDs, user photos, and transaction history that it has seen before, ZOLOZ can detect fakes more quickly and accurately. Changes to hairstyle, makeup, or environment aren't enough to fool ZOLOZ.

Now the exciting part: I'm going to try all this out myself - on both iOS and Android - and using IDs from two different countries. I'll even try to fool the system with a fake (printed) ID!

Let's dive in and see what happens!

Getting Started: Downloading The ZOLOZ Demo App

ZOLOZ can be integrated into an existing mobile app, but obviously we don't have time to write a dummy app just for today's blog, so we'll be using the demo applications that ZOLOZ provides:

  • Get the Android version here, on the Google Play Store
  • Get the iOS version here on the Apple App Store

For the purposes of today's blog post, I have downloaded and installed both the iOS and Android versions of the demo app.

The Android app was installed on an older Huawei phone, and the iOS version was installed on a recent iPhone using the Mainland Chinese Apple App Store.

The Test Procedure

The test procedure for both apps was simple:

  1. Register the app with a ZOLOZ demo account by scanning a QR code (I don't show this step as I used a test account provided to me by the ZOLOZ team).
  2. From the demo app, choose "Real ID".
  3. Take a photo of an ID card (front and back) or Passport (information page).
  4. Take a photo of your face (actually, a video: you need to blink several times to help prevent fakery using photographs or printed masks).
  5. Wait for the system to verify that your ID card or passport is real and has not been tampered with, and to match your face to the ID.

That's it! Let's go through this process first in iOS:

Validating ID On iOS

First, we open up the iOS app:

01_iOS_homepage

There are multiple options here, but the one we want to try is Real ID, which will capture both our face and ID card details, and verify whether they match. Clicking on Real ID, we see this page, which lets us know what's going to happen next:

02_real_id_process

Next, we choose our ID type (in this case it's a Mainland Chinese ID card, called a "身份证" or "Shen Fen Zheng"):

03_iOS_choose_id

We must now decide what type of verification to perform. ZOLOZ recommends 'Deep Scan + Blink' so we'll pick that:

04_iOS_verification_type

If you are integrating ZOLOZ into your own application, you can decide what level of verification to perform. The demo app gives us these choices so we can play around with them and decide which level of security we feel is appropriate.

Next, we just need to photograph the front and back of the card. ZOLOZ uses the flash for this, which helps to detect the glossy coating real ID cards and passports have (printouts on standard printer paper won't have this sheen):

05_iOS_id_front

06_iOS_id_back

The next step is, of course, to scan your face:

07_iOS_face_scan

This requires opening the front camera, centering your face in the frame, and blinking a few times (don't worry, there's a clearer, non-blurred video later on in this post!):

iOS_face_scan

08_iOS_success

In the screenshot above, "Verification Result: Success" tells us that the ID is valid and the user's photo is a match! Great!

Validating ID On Android

The process is very similar on Android, so I'll skip a few steps and go straight to the ID and face scans:

09_android_id_scan

My name, sex, and nationality are not secrets, so I haven't bothered to blur them out here!

Next, I scan my face:

android_face_scan

As before, the checks all pass. We're good to go!

usa_results

My environment looks a little different in the photo above, because I had to re-run the process: the Android screen recording failed, and the phone wouldn't allow screenshots with the ZOLOZ app open. Whoops!

It's Crime Time! Trying To Fool The App

Let's try to go through the verification process with a fake ID. We will use a sample ID published by the local government in Hong Kong:

fake_hk_id

After a little bit of printing and scissor work, I ended up with this (admittedly not very convincing) fake ID:

fake_id_printed

Not surprisingly, matching against my face fails! We'll see more details about the failure in the next section, when I show things from the administrator's perspective.

fail_1

fail_2

From The Administrator's Perspective: A Look Inside The ZOLOZ Console

After logging into the ZOLOZ console, we can see a list of all verification attempts:

11_login

12_cases

13_results

Here are the results from the successful iOS Real ID verification process, using a Chinese ID:

14_iOS_info

15_iOS_info

We can see the results of our test with Android also:

16_android_info

17_android_info

And also the results for our failed attempt:

failed_portal_1

Note that from the admin console, we can actually see that there are multiple reasons for the failure. ZOLOZ was able to detect both issues: that the ID was fake and that my face did not match the ID:

failed_portal_2

failed_portal_3

Wrapping Up

So that's it! In this week's blog, we have:

  1. Installed the ZOLOZ demo app on iOS and Android
  2. Tested it with IDs from two different countries (the USA and China)
  3. Tested it on a fake ID

This scratches the surface of what's achievable with ZOLOZ: the SDK is very powerful. Key features include:

  • ISO 30107-3 Level 2 live detection
  • HTML5 support
  • Super small size (~5 MB)

ZOLOZ also does in-house R&D, meaning ZOLOZ can support regulatory requirements around "explainable AI". This is an important capability! Many countries now expect AI-based decision systems to be able to provide the reasoning behind a decision. This type of transparency is critical to avoid biased AI, a growing threat that many governments are starting to regulate around.

Learning More

Today we focused mostly on ZOLOZ's existing demo applications, but the real power of ZOLOZ is in its SDK.

Using the ZOLOZ SDK, you can integrate eKYC in your own iOS and Android apps. Here are some handy resources for developers interested in trying things out for themselves:

I've Got A Question!

Great! Reach out to me at jierui.pjr@alibabacloud.com and I'll do my best to answer in a future Friday Q&A blog.

You can also follow the Alibaba Cloud Academy LinkedIn Page. We'll re-post these blogs there each Friday.

Not a LinkedIn person? We're also on Twitter and YouTube.
