What does Vashix actually prove about a photo?

Vashix proves four things: WHO took the photo (device identity), WHERE it was taken (GPS, verified against spoofing), WHEN it was taken (timestamp sealed at capture), and that it has NOT been edited after capture (hardware signature breaks if any pixel changes). It does NOT verify what is in the photo — a fraudster can take a genuine photo of pre-existing damage. Photo verification addresses evidence integrity. Claim validation still requires human judgment.

Can someone screenshot the capture screen and submit that instead?

No. Vashix does not accept uploads or screenshots. The link opens a live camera. The photo must be taken in real time through the Vashix capture flow. If someone points their camera at a screen showing an existing photo, our liveness detection (motion analysis and optical flow) catches it.

What if our field teams already use WhatsApp for photos?

WhatsApp strips all verification data — GPS, timestamps, device info, and provenance signatures — when sending photos. A WhatsApp photo scores 4/100 on the Trust Score. With Vashix, you send a WhatsApp message containing a capture link. The user taps the link, takes the photo through Vashix, and you get a verified result. Same delivery channel (WhatsApp), completely different proof level.

Does the person need to download an app?

Not for basic captures. They open the link in their phone's browser and take the photo (BRONZE tier, score 25-38). For stronger verification (SILVER/GOLD, score 60-95), the Vashix app is required — it's under 15MB and installs quickly on most connections. You choose the minimum tier per workflow.

Can AI-generated images be submitted through Vashix?

For SILVER and GOLD captures — no. The photo must be taken in real time through the device camera, signed by the phone's hardware security chip. There is no upload path for AI-generated images. AI images have no hardware origin and are rejected. For BRONZE (browser) captures, our multi-signal detection checks for AI indicators, but the score reflects the lower verification level.

What if the phone is rooted or modified?

Vashix checks device integrity using Google's Play Integrity API before every capture. Rooted phones, modified operating systems, virtual camera apps, and emulators fail this check. The capture is either blocked or automatically scored lower and flagged for review.

Is this admissible as evidence in Indian courts?

Vashix generates certificates designed to support Section 63 of the Bharatiya Sakshya Adhiniyam, 2023 (BSA) — the current law governing electronic evidence admissibility in India. Every capture includes a cryptographic chain of custody. PDF/A exports are available for legal proceedings. Admissibility in a specific case is always determined by the court, but the certificate ensures the evidence meets the technical requirements of Section 63(4).

Where is the data stored?

All data is processed and stored in Mumbai, India. No capture, no GPS coordinate, no device identifier ever touches a server outside India. Designed for DPDP Rules 2025 data residency requirements.

BRONZE browser capture works on iOS Safari. The Vashix app is currently Android-only — covering 95%+ of field devices in India. iOS SDK is on our roadmap.

How long does it take to start?

Dashboard and WhatsApp delivery: 5 minutes, zero code. REST API integration: your developer is making API calls in under 30 minutes. Android SDK embed in your own app: typically 4-8 weeks including testing.

We already use Truepic / Attestiv. Why switch?

Truepic and Attestiv are excellent products built for the US market. Vashix is purpose-built for Indian enterprise — with native Section 63 BSA certificate generation, DPDP compliance, WhatsApp delivery, and INR pricing designed for India-scale volumes.

Does Vashix work without internet?

The app captures and signs photos locally on the device. When connectivity returns, photos sync to the server. The anti-replay nonce requires a brief server check before capture begins, but the actual signing and storage happen on-device.

Does this work on older Android phones?

Yes. BRONZE and SILVER captures work on Android 8.0 and above — which covers virtually all phones currently in use in India. GOLD requires dedicated security hardware, available on most phones from 2020 onwards.

How long does SDK integration take if we want it in our own app?

Dashboard and API require zero integration — you can start in 5 minutes. REST API integration takes your developer under 30 minutes with our pre-built examples. SDK integration into your existing Android app typically takes 4-8 weeks including testing and security review.

Industry25 March 202612 min read

Photo Fraud in Insurance Claims: How Tamper-Proof Verification Prevents Evidence Manipulation

Insurance fraud costs the Indian industry an estimated ₹8,000–10,000 crore annually in health insurance alone. A significant share involves manipulated photo evidence. Learn how capture-time verification is replacing after-the-fact detection.

Every year, the Indian insurance industry processes a massive volume of claims backed by photographic evidence — vehicle damage after an accident, property condition before a policy renewal, health records for reimbursement. But a growing share of these photos are manipulated, reused, or entirely fabricated. According to a 2025 BCG and Medi Assist report, fraud, waste, and abuse in Indian health insurance alone accounts for an estimated ₹8,000–10,000 crore annually. Photo manipulation is a significant enabler of this fraud across motor, health, and property lines.

This isn't a new problem. But the tools available to commit fraud have become dramatically more accessible, while the industry's defenses haven't kept pace. This article breaks down how photo fraud actually happens, why traditional detection methods fail, and what a modern verification architecture looks like.

How Photo Fraud Actually Happens

Photo fraud in insurance isn't always sophisticated. In most cases, it relies on simple techniques that exploit the fact that digital photos carry no built-in proof of when, where, or how they were taken. Here are the most common patterns:

1. Recycled Photos from Previous Claims

A claimant submits photos of vehicle damage that were actually taken during a previous, already-settled claim. The same dented bumper photo gets reused across multiple claim IDs. Without a system that fingerprints each photo to a specific claim at capture time, there's no automated way to catch this.

2. Photos Taken at the Wrong Location

A field agent is supposed to inspect a property in Pune but never actually visits the site. Instead, they submit photos taken elsewhere — sometimes stock images, sometimes photos from a different property. Traditional EXIF GPS data can be spoofed with freely available tools like ExifTool, making location verification based on metadata unreliable.

3. Digitally Altered Images

With tools ranging from basic photo editors to AI-powered generative fill, it's trivial to add damage to a photo that wasn't there, remove a pre-existing condition, or alter timestamps embedded in the image metadata. A scratch becomes a crack. Minor damage becomes a write-off.

4. Staged Damage

In organized fraud rings, vehicles are intentionally damaged after a policy is purchased, and photos are carefully staged to look like an accident. This is a documented pattern in India — for example, a fraud ring in Jaipur was found purchasing trucks on finance, staging claims, and collecting payouts across multiple insurers. While staged damage is harder to detect from the photo alone, verification metadata — exact GPS coordinates, capture timestamp, device identity — provides critical forensic signals that investigators can correlate.

5. AI-Generated Photos: An Emerging Threat

Generative AI can now produce photorealistic images of damaged vehicles, flooded properties, or medical documents. These images have no original — they were never captured by a camera. While there are no widely documented cases of AI-generated photos being used in insurance fraud yet, industry bodies like Swiss Re (in their SONAR 2025 report) have flagged this as a growing risk vector. The tools are increasingly accessible, and the threat is real — even if it hasn't scaled to become a primary fraud method today. Traditional forensic techniques that look for editing artifacts are largely ineffective against AI-generated content because there are no editing artifacts to find.

Why Current Detection Methods Fall Short

Most insurers today rely on one or more of the following methods to verify photo evidence. Each has significant limitations:

Method	What It Checks	Why It Fails
EXIF metadata	GPS, timestamp, camera model	Trivially spoofed with free tools. Stripped entirely by WhatsApp and most messaging apps when sending as photos
Manual review	Visual inspection by claims team	Doesn't scale. Reviewers see hundreds of claims/day. Sophisticated edits are invisible to the eye
Reverse image search	Whether the photo exists online	Only catches stock photos or widely circulated images. Fails for original but manipulated photos
Error Level Analysis (ELA)	Compression inconsistencies from editing	High false-positive rate. Unreliable on re-compressed images. Ineffective against AI-generated content
Watermarking	Embedded identifiers	Can be cropped, stripped, or re-encoded. Not forensically binding

The fundamental problem with all these approaches is the same: they try to verify a photo after it has been taken. By that point, the chain of custody is already broken. You're analyzing a file that could have been copied, edited, re-saved, shared through messaging apps, or generated from scratch — and there's no reliable way to reconstruct what actually happened.

The Shift: Verify at Capture, Not After

The industry is moving toward a fundamentally different model: instead of trying to detect fraud after submission, make it impossible (or extremely difficult) to submit fraudulent photos in the first place.

This is capture-time verification. The core idea is that every photo is cryptographically signed, GPS-tagged, timestamped, and bound to a specific device — all at the exact moment the shutter fires. Not after upload. Not on a server. On the device, using hardware-backed security.

Here's what a modern capture-time verification system does:

1.
Hardware-backed signing: The photo is signed using the device's Trusted Execution Environment (TEE) — specifically, the Android Keystore backed by ARM TrustZone on most modern Android devices. This creates a cryptographic signature that proves the photo was captured on a specific, verified device. The private key never leaves the secure hardware. The signature breaks if even a single pixel is changed.
2.
GPS verification: Location is read from the device's GPS hardware (not from EXIF metadata, which can be spoofed). The system checks for GPS spoofing indicators — Android exposes whether a location came from a mock provider via the Location.isMock() API. On rooted or compromised devices, additional checks are applied.
3.
Timestamp binding: The capture time is cryptographically bound to the photo signature. It isn't stored as editable metadata — it's part of the signed payload. You can't change the time without invalidating the signature.
4.
Device integrity checks: Before capture, the system verifies that the device hasn't been rooted, that the bootloader is locked, and that no tampering tools are running. A compromised device can't produce valid signatures.
5.
Immediate upload with hash verification: The signed photo is uploaded immediately after capture with a hash that the server verifies. This eliminates the window between capture and submission where tampering typically occurs.

What This Prevents (and What It Doesn't)

To be clear about what capture-time verification can and cannot do:

It Prevents

Submitting edited or manipulated photos
Reusing old photos for new claims
Spoofing GPS location
Backdating photo timestamps
Submitting AI-generated images (they can't be signed by a verified device)
Submitting photos from compromised/rooted devices
Screenshots passed off as original captures

It Doesn't Prevent

Staged damage (intentionally damaging a vehicle before photographing it)
Fraudulent claims where the photo itself is genuine but the narrative is false
Social engineering (e.g., a claimant convincing an agent to photograph the wrong vehicle)

No single technology eliminates all fraud. But capture-time verification removes the entire category of evidence manipulation — which is one of the most common and most scalable forms of insurance photo fraud.

The Compliance Angle: DPDP Rules 2025

India's Digital Personal Data Protection (DPDP) Rules, notified in March 2025, add a regulatory dimension to this problem. Under the rules, organizations that process personal data — including geotagged photographs — must implement "reasonable security safeguards" (Section 8 of the DPDP Act) and maintain verifiable data processing records. Compliance timelines are staggered, with different obligations taking effect over a 1–2 year period depending on the category of Data Fiduciary.

For insurers, this means the photos collected during claims inspections are now subject to stricter handling requirements. A capture-time verification system that creates an auditable chain of custody — from device to server — directly addresses several DPDP requirements:

Data integrity: Cryptographic signatures prove that photo data hasn't been altered after collection.
Purpose limitation: Photos are bound to a specific claim session and cannot be repurposed without detection.
Audit trail: Every capture event is logged with device ID, location, time, and verification status — creating the records that DPDP audits require.

Industry Standards: C2PA and Content Provenance

The broader technology industry is converging on the C2PA (Coalition for Content Provenance and Authenticity) standard for verifying the origin and integrity of digital media. C2PA is a Joint Development Foundation project under the Linux Foundation, co-founded by Adobe, Microsoft, Arm, BBC, Intel, and Truepic. Google joined the steering committee in 2024. The latest specification (version 2.1, released April 2024) defines how provenance metadata should be cryptographically embedded in photos, videos, and documents.

For insurance, C2PA provides an interoperable framework. A photo signed using C2PA-compliant methods can be verified by any tool that supports the standard — not just the vendor's proprietary system. This matters because claims evidence often moves between insurers, investigators, TPAs, and regulators. A vendor-locked verification system creates friction. An open standard doesn't.

That said, C2PA alone isn't sufficient for insurance use cases. The standard defines how to sign and verify content, but it doesn't prescribe what signals should be checked before signing (GPS spoofing detection, device integrity, mock location prevention). A production system needs C2PA for interoperability plus domain-specific checks for insurance-grade verification.

What Implementation Looks Like

For organizations evaluating capture-time verification, the typical integration path is:

SDK integration: A verification SDK is embedded into the insurer's existing mobile app (or a standalone capture app). The SDK handles secure capture, signing, and upload.
Dashboard setup: A web dashboard gives the claims team visibility into capture events — who took what photo, where, when, and whether it passed all verification checks. Flagged photos are surfaced for review.
API integration: For automated workflows, a REST API allows the insurer's claims management system to query verification status, trust scores, and audit trails programmatically.
Policy configuration: Rules can be set for different claim types — for example, motor claims might require GPS accuracy within 50 meters, while property inspections might require multiple photos from different angles.

The ROI Question

Photo fraud prevention is one of the rare enterprise investments where the ROI is straightforward to calculate:

Direct savings: Fraudulent claim payouts that are prevented. According to Indiaforensic, total insurance fraud in India may be as high as $6.25 billion annually across all lines. Even preventing a fraction of photo-related fraud translates to meaningful savings.
Operational efficiency: Claims adjusters spend less time on manual photo review. Verification is automated and instant.
Faster settlements: Legitimate claims with verified photos can be fast-tracked, improving customer experience and reducing cycle time.
Regulatory readiness: An auditable chain of custody for photo evidence simplifies DPDP compliance and IRDAI audit responses.

The Bottom Line

The insurance industry's photo fraud problem isn't going away — it's getting worse as photo editing tools and AI make manipulation easier and more accessible. The traditional approach of trying to detect fraud after submission is increasingly difficult to sustain. The volume is too high, the tools are too accessible, and the edits are getting harder to spot.

The shift to capture-time verification — where every photo is cryptographically signed, GPS-verified, and device-authenticated at the moment it's taken — addresses the root cause rather than the symptoms. It doesn't try to catch fraud after the fact. It prevents fraudulent evidence from entering the system in the first place.

For insurers processing thousands of photo-backed claims every day, this is a fundamental infrastructure upgrade — one that pays for itself in prevented losses and positions the organization for the stricter data integrity requirements that are clearly coming under DPDP and evolving IRDAI guidelines.

Want to see capture-time verification in action?

Learn how Vashix helps insurers prevent photo fraud at the point of capture.

Talk to Us Read the Docs

← All Articles