Summary

OnlyFake, an underground website, employs neural networks to swiftly produce convincing fake IDs for just $15, potentially facilitating bank fraud and money laundering. Verified by 404 Media, the service allows users to input desired information and a passport photo, generating realistic IDs, even mimicking signatures. With its purported use of neural networks and generators, OnlyFake claims to churn out up to 20,000 documents daily, mainly for US identities. The IDs, backed by real-looking backgrounds, can pass online verification, posing challenges to platforms like OKX cryptocurrency exchange. While some companies, such as Jumio and Coinbase, aim to counter such fraud, OnlyFake’s AI-powered IDs present a formidable challenge. Wick, the service’s owner, aims to expand its capabilities, potentially including face and selfie generation. Discussions within OnlyFake’s community suggest a pursuit of solutions for video verification challenges. Senator Ron Wyden warns of the growing threat posed by AI-based tools, urging the adoption of secure authentication methods. This revelation comes amidst a broader trend of AI-driven fraud, exemplified by AI-generated voices and images, highlighting the need for robust cybersecurity measures.

    • BorgDrone@lemmy.one
      link
      fedilink
      English
      arrow-up
      33
      arrow-down
      1
      ·
      9 months ago

      ID cards without chip are pointless. I’d like to see them try to fake a chipped document.

      • shortwavesurfer@monero.town
        link
        fedilink
        English
        arrow-up
        21
        arrow-down
        2
        ·
        9 months ago

        Chip cards wouldn’t work online unless we had some sort of reader in electronics to insert the chip into like the credit card terminals. But yes, that would help a lot.

        • BorgDrone@lemmy.one
          link
          fedilink
          English
          arrow-up
          26
          arrow-down
          3
          ·
          9 months ago

          Chip cards wouldn’t work online unless we had some sort of reader

          Good news then. We do have a reader. Chances are you are looking at one right now.

          Almost all passports have chips (with the exception of a few developing countries, but even they are starting include them) and a lot of ID cards do as well (most ID cards in Europe already do and new ones are required to have then).

          You might not see them, as they are contactless chips. They can be read by the NFC reader in your phone.

          If you want to try it, search in the App Store or Play Store for an app called “ReadID Me” and test it on your passport.

          • bionicjoey@lemmy.ca
            link
            fedilink
            English
            arrow-up
            8
            arrow-down
            1
            ·
            9 months ago

            Isn’t NFC pretty vulnerable to short-range cloning attacks? Obviously it’s better than nothing but it still has issues compared with a chip that requires electrical contact in order to be read.

            • BorgDrone@lemmy.one
              link
              fedilink
              English
              arrow-up
              35
              arrow-down
              1
              ·
              edit-2
              9 months ago

              The chip in a passport or ID card is not a simple data storage device. It’s more like a tiny computer that the reader talks to. This is unlike a simple NDEF tag that you can easily clone, there are several layers of protection.

              First, you need a key to even access the chip. This key is derived from 3 pieces of information on the document: the document number, the date of birth and the date of expiry. The idea is that to get this data, you already have to be looking at the data page of the passport, that is: to access the privacy-sensitive data inside the chip, you already have to be able to look at that same data printed on the page.

              This data then goes into a key derivation function. Some handshake messages are exchanged which I won’t bore you with, and both the chip and the reader should at that point be able to derive another key that will then be used to encrypt any communication between chip and reader. There are actually 2 different mechanisms for this, the older BAC mechanism (Basic Access Control) and the newer PACE mechanism (Password Authenticated Connection Establishment). The latter uses newer and even more secure crypto.

              This prevents eavesdropping and ensures you cannot remotely read the document.

              Once the connection has been established, the reader can request certain chunks of data from the document. This includes everything that is printed on the data page, as well as a higher-quality color version of the photo on you document.

              The data that can be read from the document is digitally signed by the government of the issuing country. You can verify this signature against a list of trusted certificates. Only the government that issued the document should have access to the corresponding private key and as such you cannot forge this data (unless you are able to break certain cryptographic standards, but if someone can do that we have bigger problems than fake IDs). This is called ‘passive authentication’.

              Now, if you get your hands on someone’s passport, you could still copy the data, you can’t modify it, but you can clone it. To prevent this passports also have a clone detection mechanism. Again there are multiple versions of this, but the most basic form is called Active Authentication. Part of the data read from the passport, is a public key. The chip in the passport has the corresponding private key, but there is no way to read this key. You can confirm it’s not a clone by sending a piece of random data to the passport and asking it to sign that data with its private key. You then use the public key to check the signature and confirm the document is in possession of the corresponding private key. You can also confirm the authenticity of the public key, because that is also signed with the private key of the issuing government.

              Now, theoretically you could try to extract the private key used in clone detection from the physical document, you would need some extremely advanced tech to do this, and the chips in ID documents have all kinds of physical protections against these kind of attacks. Maybe some intelligence services would have this capability, but it would only allow you to clone a document, not forge one.

              • Cannonhead2@lemmy.world
                link
                fedilink
                English
                arrow-up
                9
                ·
                edit-2
                9 months ago

                After reading about all the trouble they go to for passports, social security numbers are hilariously fucking inadequate by comparison (or even in absolute terms, for that matter).

              • asbestos@lemmy.world
                link
                fedilink
                English
                arrow-up
                6
                ·
                9 months ago

                Thank you so, so much for this explanation! I’ve been wondering for years and years and I finally get it, it’s so cool to see public key cryptography being used for clone detection.

          • shortwavesurfer@monero.town
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            Okay, I was not aware of that and I can’t use the Play Store because I have lineage OS on my phone with no Google Play Services so it’s likely an app like that would break.

            • JackGreenEarth@lemm.ee
              link
              fedilink
              English
              arrow-up
              5
              ·
              9 months ago

              You can just use the Aurora store, and I’m sure there’s an NFC reader app that doesn’t rely on GPS, maybe even on F-Droid.

        • SlopppyEngineer@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          9 months ago

          $15 for a USB ID card reader on Amazon and many laptops ahead have this built in. It’s usually some unremarkable slit on the side.

        • cadekat@pawb.social
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          You use cards for offline authentication (bars/festivals/etc.), and use a different process for online authentication.

          Proving someone has the physical card in their possession (which is what a reader does) isn’t really useful for proving identity when you can’t also check the picture.

          • shortwavesurfer@monero.town
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            Mmm. Good point. Otherwise, somebody could just steal the card from you and insert it into the reader and would therefore be you. My guess is something like that would at least require some sort of OTP 2 factor authentication. If you were going to do it that way, and it would have to be application based and definitely not text based.

    • espentan@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      1
      ·
      9 months ago

      Mhm. We need everyone to submit to DNA sampling and iris scans, so our overlords can keep more reliable records of our doings. /s

    • rottingleaf@lemmy.zip
      link
      fedilink
      English
      arrow-up
      12
      ·
      9 months ago

      This shows that anything is pointless if the other side believes in kinds of verification which can be manufactured the way you can’t distinguish it from the real thing.

      Frankly I’m feeling a bit of love now to banks which don’t allow you to do anything scary without visiting their office in person.

      • shortwavesurfer@monero.town
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        7
        ·
        9 months ago

        And I’m on the completely opposite end where the person I trust to have my best interest at heart is me. So I have crypto and manage it myself.

          • shortwavesurfer@monero.town
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            4
            ·
            9 months ago

            Money is what people say it is. And enough people see crypto as money to make it money. As an example, I have been buying my groceries with it for over a year now. And if it were not money, I would have starved.

            • rottingleaf@lemmy.zip
              link
              fedilink
              English
              arrow-up
              4
              ·
              9 months ago

              I agree that money is what people say money is, but if it’s too volatile, it may still be a good asset, but bad currency.

              • shortwavesurfer@monero.town
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                2
                ·
                9 months ago

                I use Monero, which moves about 15% from its one year simple moving average before reverting. And while that is quite a large move for somebody from the United States, for people from other countries that is not a very bad move, but I do see your point. I base my expenses off of the one-year moving average and save some for when the price is below that and I need to use a little extra.

  • EmergMemeHologram@startrek.website
    link
    fedilink
    English
    arrow-up
    46
    ·
    9 months ago

    I like to thread the needle between “useful verification of identity” and “not a horrifying invasion of privacy that puts everyone in our society at risk”

    Reading these kinds of things will just result in is creating horrible identification laws like having to scan your face each time you want to watch porn.

    • Squire1039@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      17
      ·
      9 months ago

      Yeah, I hate how the institutions now ask for endless information and IDs to identify you. It does look like asking for a copy of an ID is about to get worse.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    1
    ·
    9 months ago

    The military already has a solution to this. Smart card ID cards. So it acts like a hardware security key that you plug into your computer to verify it’s you. Or at least the person possessing it. And it relies on the central authority to invalidate and verify the authenticity of that signature. Just like a yubikey

    Combine the ID card with a fingerprint scanner built into the ID card. You get the best of the security enclave. And public key verification.

    • ExLisper@linux.community
      link
      fedilink
      English
      arrow-up
      14
      ·
      9 months ago

      In Spain you just go to an office, show your ID and they give you a personal certificate you import into your browser. You can use the same cert on multiple computers and have multiple certs in the same browser. When you visit government pages it asks you which cert you want to use and voilà, you’re authenticated. You can also use the same cert to sign files and it’s a legally valid signature. It uses common standards and works on Linux.

      • LemmyRefugee@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        9 months ago

        Or if you buy a card reader you can use your ID (DNI) as your certificate because it has one saved inside

    • Squire1039@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      9
      ·
      9 months ago

      Not disagreeing, but for the US:

      1. Yubikey 5c NFC costs ~30-55 USD. Not cheap.
      2. Yibikey BIO, with the scanner built in, will be even more expensive.
      3. Need a central registration authority or federated authorities to verify electronic ID. If the feds don’t press the issue, this probably won’t happen.
      • mlg@lemmy.world
        link
        fedilink
        English
        arrow-up
        17
        ·
        9 months ago
        1. CA will get hacked and root certificate dropped because they paid morbillions to some credit card company to setup the system on windows server 2003 with password123
      • Landless2029@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        9 months ago

        And how much would a solution cost in bulk for millions/billions of people? Also you can always tack on $10-$20 as a fee and you’re done.