How does CURP anti fraud API detect fake identities?

CURP anti fraud APIs detect fake identities by validating the CURP against RENAPO (catching non-existent CURPs), checking for format anomalies in the 18-character code, detecting velocity patterns (same CURP used across multiple applications), and flagging CURPs registered to deceased persons.

What percentage of fraud can CURP verification prevent?

CURP verification typically prevents 40-60% of identity fraud attempts in Mexican digital services. It catches fabricated CURPs and basic identity manipulation. For comprehensive fraud prevention, combine CURP validation with biometric checks, device fingerprinting, and behavioral analysis.

Can fraudsters create CURPs that pass format validation?

Yes. CURP format is deterministic based on name and date of birth, so fraudsters can generate syntactically valid CURPs. However, these won't exist in RENAPO's database. This is why API-based validation against RENAPO is essential — local format checks alone are insufficient for fraud prevention.

Dealing with synthetic identity fraud — does CURP API help catch fake identities?

fraud_ops_gabriel opened this thread · May 11, 2026 · 1 reply

anti-fraudsynthetic-identitycurp-validationfraud-prevention

Question

fraud_ops_gabriel Asker May 11, 2026

yo, we're getting hammered by synthetic identity fraud on our lending platform. about 8% of applications in the last month turned out to be fake identities — CURPs that look legit format-wise but don't correspond to real people, or worse, CURPs stolen from real individuals who never applied for our product.

currently we only do basic CURP format validation (regex check for the 18-character pattern) which obviously isn't enough. fraudsters figured out that CURP format is deterministic — given a name and date of birth, you can generate a syntactically valid CURP without it existing in RENAPO. our format check passes these every time.

what i need is an anti-fraud layer that goes beyond format validation. specifically looking for:

RENAPO existence check — does this CURP actually exist in the national registry?
deceased person detection — flag CURPs belonging to people who are no longer alive
velocity checks — is this CURP being used across multiple applications in a short window?
age reasonability — if the CURP indicates DOB of 2015, that's obviously not a valid loan applicant
cross-reference with application data — does the name the applicant entered match what RENAPO returns?

our fraud team manually reviews flagged applications but we're getting 200+ flags per day now which is unsustainable. need to automate the obvious rejections (non-existent CURPs, deceased, minors) and only escalate the ambiguous cases (valid CURP but name mismatch could be typo vs identity theft).

we're on a Node.js/Express backend with MongoDB. processing about 1,200 loan applications daily. latency budget is 1 second total for the fraud check pipeline — need the CURP validation portion to come in under 400ms so we have room for other fraud signals.

also wondering: do any CURP API providers maintain their own fraud databases? like, if they see the same CURP coming in from multiple clients in a short period, do they share that signal? that would be incredibly valuable for detecting identity theft rings that target multiple platforms simultaneously.

budget isn't an issue if it works — we're losing way more to fraud chargebacks than any API would cost. anyone solved this problem? what's your false positive rate looking like?

Answers

antifraud_valentina May 12, 2026

CURP validation alone catches about 60% of synthetic fraud — the obviously fake CURPs that don't exist in RENAPO. The other 40% uses valid CURPs belonging to real people (identity theft). For a complete anti-fraud stack you need: CURP RENAPO validation + biometric liveness check + device fingerprinting + behavioral analytics.

For the CURP portion specifically, look at providers on apipull.com API Hub that offer what's called "enriched validation" — they not only confirm the CURP exists but return a risk score based on velocity patterns across their client base. If a CURP was queried 15 times in the last 24 hours from different clients, that's a strong fraud signal.

Our false positive rate is around 0.3% with CURP validation + name matching + age check combined. That means out of 1,000 legitimate applications, only about 3 get incorrectly flagged. Acceptable for our risk tolerance. The key was tuning the name matching threshold — exact match is too strict (catches typos) but a Levenshtein distance above 3 lets too much through.

● Thread open · 1 reply

Question

Answers

Find API Providers on apipull.com