Adam Jones|HomeBlog

How to fix proof of address

Headshot of Adam Jones

Adam Jones

My previous article explained why it’s easier to forge a ‘proof of address’ than it is to get a genuine copy.

Here, I’ll present three different proof of address methods that are much more secure, cheaper and generally faster. None of them rely on any special systems that don’t exist already, and all are surprisingly simple.

Method 1: Post something to the address

Security: Very high

Speed: 1 working day / 2-3 working days

Cost: 97p / 61p. Or free*

The process:

  1. Generate a unique code or token (like ‘088705’)
  2. Send a letter containing this code to the claimed address.
  3. Require the receiver to provide the code to prove their address.

This method is similar to the way Google requires businesses to verify their address for Google Maps. You can see an example of what the letter looks like here.

This does kind of look different to other methods: rather than sending in some evidence, it requires some action on the part of the verifier. Should this be burdensome for the verifier, it could also delegate this to a provider that can verify the address. This system might look like the UKVI share code system.

*What’s the free version?

Many services where you need to perform address verification also need to send you something already. For example, opening a bank account involves them sending you a debit card.

These two functions can be combined into a single letter or process. For example, activating your debit card could be considered proof of address given it was posted to you.

I believe, but I’m not certain, this is effectively what DVLA does when you update your driving licence address with them, i.e. you’ll only get the updated licence if you can access the post at the new address.

What vulnerabilities exist here?

The main concern most people have is false positives, where a fraudster is able to verify a false proof of address:

AcceptedRejected
Genuine✅ True positive
A genuine proof of address is accepted.
😒 False negative
A genuine proof of address isn’t accepted. Annoying, but manageable if there are other usable methods.
Fake🚨 False positive
A fake is accepted. This is usually more serious, as presumably the proof of address verification aims to protect some service, and this means that protection is breached.
✅ True negative
A fake is rejected.

I will focus less on false negatives given their lower impact (at least per decision). Although we do want to minimise these too - it’s good for:

  • businesses: less friction during onboarding = more customers
  • consumers: less frustration and better access to services

Providing more methods for verification, like the ones listed in this article:

  • may slightly increase the false positives (given there is slightly more surface area for fraudsters to attack)
  • will reduce the number of false negatives (given more simple methods make it easier for genuine customers to verify address)

Replacing existing verification methods will:

  • significantly reduce false positives (given these methods are much more secure)
  • likely reduce false negatives (given more simple methods make it easier for genuine customers to verify address)

Fraudsters aiming for a false positive outcome could:

  • bribe or infiltrate the letter printers or postal service, to access verification letters
  • physically steal letters from unprotected letterboxes
  • set up false redirection services to get access to others’ post

These are all real weaknesses of this method. However, all these actions are:

  • far more difficult than opening up a PDF editor, which is the current benchmark to beat
  • also break current proof of address methods, because stealing or redirecting a posted utility bill or bank statement is equivalently difficult

Temporary access to a property like renting an Airbnb is another vulnerability. Like other vulnerabilities, this still requires much more effort than current methods to create a fake proof of address. This could also be mitigated by requiring periodic random re-verification that would make this much harder (but only where doing so really is proportionate to the risk).

When might this be unsuitable?

This should not be the only method available for proof of address.

Some people may need reasonable accommodations for disabilities. For example, they may require letters in large print, braille or with audio attachments.

Additionally, some situations can make receiving post difficult. For example, victims of domestic abuse may want to open a bank account discreetly (so they can gain some independence to leave their abusive partner). Post may be screened by an abusive partner, preventing someone from doing so if this was the only method available.

Method 2: A video of entering the property

Security: Very high

Speed: 5 minutes

Cost: ~£11

The process:

  1. The user uploads a video that includes:
    • Showing the property number or name clearly
    • Using a key, fob, code or similar to enter the property
This method provides strong evidence of residence while being difficult to forge.2

Again, Google provides a good example of how this can be implemented.

What vulnerabilities exist here?

Again, the main concern here is people being able to verify a false proof of address. Denying someone the ability to verify an address is easily mitigated by offering alternative proof of address methods.

Fraudsters trying to verify a false address could:

  • bribe verification services, e.g. by uploading a video that promises the reviewer cash for approving it
  • get keyed access to addresses, e.g. by stealing keys from estate agents or renting Airbnbs

Again, these actions are far more difficult than opening up a PDF editor, which is the current benchmark to beat. A bribery scheme would likely be difficult given identity verification services (at least in financial services) usually keep records for a long time, and are often subject to random auditing. Getting keyed access to properties massively increases the costs of any illegal scheme, making the return on criminal activity much lower.

How can this be made more secure?

A unique code or token (like ‘088705’) can be generated, and be required to be spoken aloud, or shown in the video. A deadline for uploading the video could be set (e.g. 5 minutes) from issuing the code. This would make it hard to reuse videos, tamper with the footage or generate it with AI tools. This technique is already commonly used for digital identity verification.

Geolocation and camera metadata could also be used to further evaluate the authenticity of the video.

Both of these security improvements would need to be balanced against usability and privacy concerns.

When might this be unsuitable?

This should not be the only method available for proof of address.

Some people may need reasonable accommodations for disabilities. For example, they may need a carer to perform the necessary verification, or to verify using a different method.

Less tech-literate people, or people living in complex multi-unit buildings (e.g. student halls) may find this method more challenging. They should be provided alternative methods.

Method 3: Leverage open banking

Security: Low (but strictly better than bank statements)

Speed: 5 minutes

Cost: ~£0.143

Process:

  1. Require the user to sign in with their banking app
  2. Get the address details from the bank’s API
This is similar to checking someone’s bank statement, but being able to be confident that it isn’t forged. However, it still suffers from the problems of trusting address data from banks.4
How does this work?

Open Banking is where banks and other financial institutions offer APIs so third parties can access banking information. Large UK and EU banks are forced to provide open banking APIs under the EU’s second Payment Services Directive (PSD2), with some prodding from the CMA.

This is similar to how some websites will allow you to ‘Sign in with Google’ - and once you’ve signed in, they can see things like your name and email. You can also optionally give them access to say your calendar or emails.

The same applies here: you could ‘Sign in with [your bank]’, and then this connection could be used to verify your address. You similarly choose what is shared - for address verification you’d only share your name and address (and not, for example, your transactions).

In the UK, this is overseen by Open Banking Limited who developed UK standards for open banking. This in turn is overseen by the UK financial regulators, including the FCA and PSR.

For the more technically inclined, you can take a look at the relevant API specification. Specifically, the field you’re looking for is OBReadAccount6/Data/Account/StatementFrequencyAndFormat/DeliveryAddress.

What vulnerabilities exist here?
The main problem is that addresses that banks hold can’t really be trusted.4 Implemented correctly, it does at least confirm a bank really does hold this address for an account the person controls.
When might this be unsuitable?

This should not be the only method available for proof of address.

Some users may not have a bank account or have set up online banking. There is also likely overlap here with people who are less tech-literate, who may also struggle here. Approximately 6% of homes in the UK don’t have internet, 2% of people don’t have a current account, and 31% of over 65s feel “uncomfortable” with the idea of banking online.

Finally, some users’ banks may not support open banking. This is incredibly rare - by law all large banks must support it (and they do), and there’s a long list of other financial firms that support open banking.

For comparison: Providing bank statements or utility bills

Security: Nearly none

Speed: 5 minutes to potentially months5 Cost: ~£11

Process:

  1. Require the user to get a specific document with their address on it (that is trivially easy to forge)
  2. Have the user send a photo or copy of this document

Adopting these better methods

It’d be great to see more firms adopting these methods for address verification. Several actors could help here:

  1. The FCA could issue or update guidance highlighting these methods as preferable (or at least acceptable) forms of address verification.6
  2. Banks themselves can start offering these methods for address verification. This would both improve the quality of their customer due diligence checks, while also making onboarding processes easier for consumers.
  3. UKSV can update Annex A of the baseline personnel security standard (BPSS) to allow these proof of address methods. This would speed up onboarding talent into the civil service - by several weeks in some cases I’ve seen.
  4. UKVI should accept these improved and simpler proof of address methods for updating visa addresses.
  5. A non-profit group could be set up to act as an aggregator of proof of identity and address information. This could mean checks could be reused, and some default checks could be done much more cheaply (e.g. open-banking style checks). This would reduce the burden of checks on consumers, and bring down the cost of checks for businesses.

These actions would enable important institutions to have more secure, cheaper and easier-to-use systems in place: a win for everyone involved (except maybe fraudsters).

Footnotes

  1. This would be the cost of a salary for the human to review the video or photo submitted. 3rd party providers like Sumsub or Stripe offer this for between £1 and £1.25 per verification. AI tools may also bring down this price further, as more ‘obvious’ cases might be decided automatically by AI, at least for lower risk verifications. 2

  2. AI tools like Sora have gotten better at generating convincing looking videos. However relatively few people have access to these tools, and it’s still a big step up in difficulty to fake. This may need to be revisited if this situation changes.

  3. This is using a commercial 3rd party provider. The underlying APIs are free to use, so it could be cheaper.

  4. Briefly touched on in the last article. In short: users can change these addresses without verification. 2

  5. I know one person who took months to prove their address this way, for some employment checks. They were required to provide stamped copies of bank statements, but didn’t have an existing UK bank account.

    Specifically they had to:

    1. Set up a bank account at Lloyds, because they were the only bank that allowed them to set up an account using a university letter (as they had no other proof of address). However, Lloyds does not offer stamped statements.
    2. Set up a bank account at NatWest, using the Lloyds bank statements as proof of address.
    3. Travel to a different city to go to a NatWest branch, which could then give them stamped statements.

    It took months to figure out this was even a possible route, and manage to make appointments in the narrow opening hours of banks. This ultimately delayed them from starting the job, denying them income and the organisation a productive employee.

  6. Currently, the FCA does not explicitly state what is and isn’t acceptable proof of identity or proof of address - they say ‘neither the law nor our rules prescribe in detail how firms have to do this’, and promote a ‘risk-based approach’.

    However, they can nonetheless issue guidance or clarify what their position is on this - and perhaps discourage less secure means of verifying addresses should they be important to a firm’s customer due diligence processes.

    For example, they suggest (but do not prescribe) some ways to verify addresses in the credit union sourcebook, specifically CRED 12.3.4.