In the digital world where seamless automation is the priority, organisations across banking, insurance and telecom rely on government-provided authentication services. A crucial factor for relying on such an authentication mechanism, be it Aadhaar in India, UAE PASS in the UAE or NAFATH in Saudi Arabia, is that enrolment to all these government-provided platforms is controlled through biometric-based onboarding, including retina and finger scans. This ensures that identity theft is ruled out.

Such an authentication service is preferred over other methods, and it allows businesses to offer more services to their customers digitally. It also ensures paperless authentication. A usual workflow for such an authentication service is outlined below.

[Figure: Digital Identity Chart]

How digital identity services are being compromised

Authentication using such a service “assumes” that the customer is aware of the service request for which the service provider has initiated the authentication, but it doesn’t solve the problem of social engineering.

Just like any other access validation tool, be it an OTP, a password or security questions, it doesn’t guarantee that a customer is aware of the type of service request. Fraudsters have found ways to exploit the vulnerabilities of government-issued identity authentication services, leading to rising cases of identity theft and deepfake-driven impersonation.

Fraudsters are using sophisticated, elaborate tools and techniques to trick customers into providing their digital identity without realising it’s a scam to compromise their bank accounts, cards, SIM, or digital access to a service provider.

Some of the trends in the Middle East include:

1.  Fraudsters conduct unauthorized transactions, open fraudulent bank accounts, or apply for loans in someone else’s name.

2.  Fraudsters carry out SIM swaps, primarily opting for eSIM, which doesn’t require a visit to a store of the telecom service provider.

3.  Fraudsters leverage deepfakes or spoofing to bypass biometric controls.


This problem is compounded because authentication services are usually focused on identity verification and have no fraud monitoring mechanisms other than service lockouts when incorrect credentials are used.

The missing layer in fraud prevention

As we have always been saying, there’s no single solution to solve the problem of fraud and cybercrime. The answer is to have layered controls wherein seamless authentication is conducted both when the request is received by the service provider and when the request is fulfilled. Even if the authentication is successful, unusual customer behaviour should lead to additional/alternate seamless authentication. I want to provide a case study below.

A Telecom Service Provider (TSP) in the UAE receives a request for an eSIM in the account of Charanjeet, who has a physical SIM issued for the phone number ending with 39. The request is placed through the app of the TSP, and access to this app is compromised through social engineering. When such a request is received by the TSP, it initiates a confirmation through UAE PASS. Charanjeet (the customer) gets an alert and notification to authenticate the request through UAE PASS. Again, the customer is socially engineered and performs the authentication without realising the fraudster would get access to his phone number and can compromise digital onboarding and transactions at his bank. In such a scenario, the TSP/Bank could use behavioural intelligence to flag whether the request is placed by “Charanjeet” and whether the fulfilment is availed by “Charanjeet”.

To effectively combat these evolving threats, organizations must adopt advanced fraud prevention mechanisms, with behavioural intelligence emerging as a powerful tool to enhance identity verification and prevent fraud. I have listed some benefits of using behavioural intelligence as a tool to combat fraud.

1.  Behaviour is monitored continuously during all interactions with digital channels, rather than through point-in-time authentication.

2.  Compliance with data privacy/security regulations and guidelines, as no financial data is used for continuous monitoring.

3.  It is exceedingly difficult to mimic the behaviour of users, as each user's behaviour is unique and consists of multiple combinations, including typing cadence, stroke pressure, and mouse movement, to name a few.
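The layered decision from the eSIM case study, as an added Python example that is not from the original article or from any vendor's product: a successful UAE PASS authentication is combined with a behavioural comparison of both the request session and the fulfilment session against the customer's baseline. The feature names, the sample sessions, the mean absolute z-score and the threshold of 3.0 are all assumptions made for illustration.

```python
from statistics import mean, stdev

# Assumed feature names, based on the signals the article lists
# (typing cadence, stroke pressure, mouse/pointer movement).
FEATURES = ("key_interval_ms", "touch_pressure", "pointer_speed_px_s")

# Constructed sample data: four past sessions of the genuine customer.
HISTORY = [
    {"key_interval_ms": 180, "touch_pressure": 0.42, "pointer_speed_px_s": 510},
    {"key_interval_ms": 195, "touch_pressure": 0.45, "pointer_speed_px_s": 480},
    {"key_interval_ms": 170, "touch_pressure": 0.40, "pointer_speed_px_s": 530},
    {"key_interval_ms": 188, "touch_pressure": 0.44, "pointer_speed_px_s": 495},
]
# Constructed sessions: one resembling the customer, one that does not.
GENUINE = {"key_interval_ms": 185, "touch_pressure": 0.43, "pointer_speed_px_s": 500}
IMPOSTOR = {"key_interval_ms": 95, "touch_pressure": 0.70, "pointer_speed_px_s": 900}


def build_baseline(history):
    """Return {feature: (mean, std)} computed over a customer's past sessions."""
    return {f: (mean([s[f] for s in history]), stdev([s[f] for s in history]))
            for f in FEATURES}


def deviation(baseline, session):
    """Mean absolute z-score of one session against the customer's baseline."""
    return mean([abs(session[f] - baseline[f][0]) / max(baseline[f][1], 1e-9)
                 for f in FEATURES])


def decide(auth_ok, baseline, request_session, fulfilment_session, threshold=3.0):
    """Layered decision for a sensitive request such as issuing an eSIM."""
    if not auth_ok:
        return "deny"
    # Successful authentication is necessary but not sufficient: the session
    # that placed the request AND the session that avails fulfilment must
    # both look like the enrolled customer, otherwise step up.
    worst = max(deviation(baseline, request_session),
                deviation(baseline, fulfilment_session))
    return "step_up" if worst > threshold else "allow"


if __name__ == "__main__":
    b = build_baseline(HISTORY)
    # Case study: authentication succeeded, but the app sessions are not the customer's.
    print(decide(True, b, IMPOSTOR, IMPOSTOR))
    print(decide(True, b, GENUINE, GENUINE))
```

In production the baseline would be built from many more sessions and features, and the threshold tuned against observed false-positive rates.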

The following table summarises the differences between Government digital identity services and behavioural intelligence.

| Category | Digital Identity Services | Behavioural Intelligence |
| --- | --- | --- |
| Authentication type | Static, point in time verification | Continuous, real-time monitoring |
| Risk of Compromise | High (Social engineering-based attacks, deepfake attacks, data breaches, etc.) | Low (each user behaviour is unique) |
| Detection of Anomalies | Doesn't exist | High and in real time without compromising data privacy |
| User Experience | Poor (OTPs, passwords, or biometric scans required) | High (Seamless and passive authentication without any additional input by users) |
| Fraud Prevention Effectiveness | Moderate | High |

Regulatory and Compliance Considerations

Regulatory bodies in India, the UAE, and Saudi Arabia encourage the adoption of multi-layered security approaches.

•  India: The Reserve Bank of India (RBI) and the Unique Identification Authority of India (UIDAI) have introduced guidelines for financial institutions to implement enhanced fraud prevention measures beyond Aadhaar-based authentication.

•  UAE: The UAE Central Bank and the Telecommunications and Digital Government Regulatory Authority (TDRA) have emphasized the need for additional security measures beyond UAE PASS for financial transactions.

•  Saudi Arabia: The Saudi Central Bank (SAMA) and the National Cybersecurity Authority (NCA) advocate for advanced fraud prevention mechanisms to protect Saudi National ID-based authentication from fraud risks.

Conclusion: The need for a multi-layered fraud prevention strategy

While government identity authentication services in countries such as India, the UAE, and Saudi Arabia provide a good foundation for customer verification, relying solely on them exposes businesses to significant fraud risks. Behavioural intelligence offers a powerful, AI-driven approach to enhance fraud prevention by continuously analysing user behaviour, detecting anomalies in real time, and preventing unauthorized access.

To stay ahead of increasingly sophisticated threats, banks need to go beyond static identity checks. By layering in behavioural intelligence and AI-driven analytics, they can detect and stop fraud in real time—without adding friction for genuine customers. It’s a smarter, more adaptive way to protect trust at every stage of the digital journey.
