New from 404 Media: inside the underground site where "neural networks" churn out fake IDs
- I tested the service, called OnlyFake, made two IDs in minutes
- I then used one to successfully bypass the identity verification check on a cryptocurrency exchange
- Massive implications for crime, cybersecurity. What does it mean for us when fake IDs are a mouse click away?
Here is how I used it to bypass identity verification on the cryptocurrency service OKX:
- asks for passport
- take photo of this one I made on OnlyFake
- site reviews it
- success
@josephcox This kind of identify "verification" is such a joke. There are right ways of doing online ID verification and this isn't it.
A bunch of countries here in Europe have government-issued digital IDs that we use to sign in to all kinds of things. It's the only way to sign in to government services, banks, even your phone company. It's the only way to sign contracts online too. Protected by biometrics, of course.
There's no excuse for this not being implemented worldwide.
@josephcox Sites offering physical fake id’s, and images, aren’t something new. What is fairly recent though is we’ve reached a tipping point where image quality has become so good that even expert forensic review of an image can fail to spot that it’s fake.
What comes next is financial services no longer accepting an image of an ID as proof of identity. Instead, there will be a growth in the use of trusted eID’ tokens (e.g. BankID, Singpass, NDID, LuxTrust etc. )
@josephcox Shit... I expect to hear real-time video calls to verify identity will become trivial to bypass in the coming months.
The world isn't ready for this crap
@luis_in_brief @josephcox Thanks, that explains a lot.
Years back when we were making credit cards (legit ones) we used random metal particles in the plastic base. We would read the pattern of those particles - unique for every card and quite difficult to replicate - and use that as a form validation, but it required special readers.
(Apple // used a similar scheme, using the random flaws in floppy disk media in various forms of copy protection.)
@josephcox I'm glad for developments like this. Mandating ID photos online should not be legal outside of government and financial websites, and making IDs vulnerable to image counterfeiting weakens their utility as an easy option for something like age validation.
We deserve privacy. Government and banks can do in-person validation when it's truly needed.
@josephcox What bothers me most about this that I've known biometrics — both the fancy version, and the original "someone looks at the picture printed on your government-issued ID card" version — were a bad idea for years. I'll admit that back then, I was thinking more about how it would handle i.e. haircuts and body modification — yay being bad at faces on the best day — but this sort of scenario did cross my mind. And I'm sure many, many other tech people had the same sorts of thoughts.
And yet, here we are, trusting pictures and voices that can now be easily forged.
Why are we always _reacting_ to the future instead of anticipating and preempting it?
Yes.
I did not say though that Video-Ident is not hackable or was not hacked.
I said that pictures of ID cards generated by some AI will pass only the simplest checks and will not pass Video-Ident.
The Video-Ident hack does need much more than just some printed picture. It is (in opposite to what CCC states - somewhat puffery) way more complicated than the discussed ID generation by AI. Ordering a fake ID which would pass KYC checks would be indeed a big threat.
@Ann_Effes @josephcox Agreed. Mostly. 😁
The whole AI angle is BS. IDs are very formal, there is no point in using image generators. Best use regular image manipulation, I guess. The real problem is that they can pump them out in numbers.
Still, since the video isn’t hack is basically video manipulation and social engineering, it works work with those fake IDs as well. 🙂
Yeah, but I commented just one aspect:
Are AI generated ID Pictures a particular threat?
And my answer was: No, even Video-Ident can't be fooled by those alone. If an ID check can be fooled by those AI generated IDcard-photos than that procedure is particularly unsuitable.
What you say beyond that is correct, but was not the subject of the post or my answer.
@Ann_Effes Sorry, I probably mistook your comment and answer as „video ident would prevent that“, and wanted to provide a counter example to dampen expectations.
Also: I agree the AI part is irrelevant for the fake card. It may help to create a large number of unique backdrops, which will help keeping the picture service alive, but is probably mostly to hype the service.
Anyway, there is no way around a cryptographic solution, sind everything else is way too easy to compromise. 🙂
@ketchup71 LOL
Keine Ahnung.
Joseph Cox
Alanna 🏳️🌈🏳️⚧️
Mike Roach
Nyancient CthUwU
haifisch
jtorrex 
8 bit
junkman
Karl Auerbach
Luis Villa
Lesley Carhart 
Chris 
Kirils Solovjovs
Nazani
Nick B. 🇬🇧 🌳
tea 🌺
Thad
Aviva Gary
segv11
kechpaja
Ann Effes
ketchup71