this post was submitted on 05 Feb 2024
214 points (97.8% liked)

Technology

59693 readers
2972 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Summary

OnlyFake, an underground website, employs neural networks to swiftly produce convincing fake IDs for just $15, potentially facilitating bank fraud and money laundering. Verified by 404 Media, the service allows users to input desired information and a passport photo, generating realistic IDs, even mimicking signatures. With its purported use of neural networks and generators, OnlyFake claims to churn out up to 20,000 documents daily, mainly for US identities. The IDs, backed by real-looking backgrounds, can pass online verification, posing challenges to platforms like OKX cryptocurrency exchange. While some companies, such as Jumio and Coinbase, aim to counter such fraud, OnlyFake's AI-powered IDs present a formidable challenge. Wick, the service's owner, aims to expand its capabilities, potentially including face and selfie generation. Discussions within OnlyFake's community suggest a pursuit of solutions for video verification challenges. Senator Ron Wyden warns of the growing threat posed by AI-based tools, urging the adoption of secure authentication methods. This revelation comes amidst a broader trend of AI-driven fraud, exemplified by AI-generated voices and images, highlighting the need for robust cybersecurity measures.

all 37 comments
sorted by: hot top controversial new old
[–] shortwavesurfer@monero.town 52 points 9 months ago (3 children)

Good. This just shows how pointless identity cards are.

[–] BorgDrone@lemmy.one 33 points 9 months ago (1 children)

ID cards without chip are pointless. I’d like to see them try to fake a chipped document.

[–] shortwavesurfer@monero.town 19 points 9 months ago (4 children)

Chip cards wouldn't work online unless we had some sort of reader in electronics to insert the chip into like the credit card terminals. But yes, that would help a lot.

[–] BorgDrone@lemmy.one 23 points 9 months ago (2 children)

Chip cards wouldn't work online unless we had some sort of reader

Good news then. We do have a reader. Chances are you are looking at one right now.

Almost all passports have chips (with the exception of a few developing countries, but even they are starting include them) and a lot of ID cards do as well (most ID cards in Europe already do and new ones are required to have then).

You might not see them, as they are contactless chips. They can be read by the NFC reader in your phone.

If you want to try it, search in the App Store or Play Store for an app called “ReadID Me” and test it on your passport.

[–] bionicjoey@lemmy.ca 7 points 9 months ago (1 children)

Isn't NFC pretty vulnerable to short-range cloning attacks? Obviously it's better than nothing but it still has issues compared with a chip that requires electrical contact in order to be read.

[–] BorgDrone@lemmy.one 34 points 9 months ago* (last edited 9 months ago) (2 children)

The chip in a passport or ID card is not a simple data storage device. It's more like a tiny computer that the reader talks to. This is unlike a simple NDEF tag that you can easily clone, there are several layers of protection.

First, you need a key to even access the chip. This key is derived from 3 pieces of information on the document: the document number, the date of birth and the date of expiry. The idea is that to get this data, you already have to be looking at the data page of the passport, that is: to access the privacy-sensitive data inside the chip, you already have to be able to look at that same data printed on the page.

This data then goes into a key derivation function. Some handshake messages are exchanged which I won't bore you with, and both the chip and the reader should at that point be able to derive another key that will then be used to encrypt any communication between chip and reader. There are actually 2 different mechanisms for this, the older BAC mechanism (Basic Access Control) and the newer PACE mechanism (Password Authenticated Connection Establishment). The latter uses newer and even more secure crypto.

This prevents eavesdropping and ensures you cannot remotely read the document.

Once the connection has been established, the reader can request certain chunks of data from the document. This includes everything that is printed on the data page, as well as a higher-quality color version of the photo on you document.

The data that can be read from the document is digitally signed by the government of the issuing country. You can verify this signature against a list of trusted certificates. Only the government that issued the document should have access to the corresponding private key and as such you cannot forge this data (unless you are able to break certain cryptographic standards, but if someone can do that we have bigger problems than fake IDs). This is called 'passive authentication'.

Now, if you get your hands on someone's passport, you could still copy the data, you can't modify it, but you can clone it. To prevent this passports also have a clone detection mechanism. Again there are multiple versions of this, but the most basic form is called Active Authentication. Part of the data read from the passport, is a public key. The chip in the passport has the corresponding private key, but there is no way to read this key. You can confirm it's not a clone by sending a piece of random data to the passport and asking it to sign that data with its private key. You then use the public key to check the signature and confirm the document is in possession of the corresponding private key. You can also confirm the authenticity of the public key, because that is also signed with the private key of the issuing government.

Now, theoretically you could try to extract the private key used in clone detection from the physical document, you would need some extremely advanced tech to do this, and the chips in ID documents have all kinds of physical protections against these kind of attacks. Maybe some intelligence services would have this capability, but it would only allow you to clone a document, not forge one.

[–] Cannonhead2@lemmy.world 9 points 9 months ago* (last edited 9 months ago)

After reading about all the trouble they go to for passports, social security numbers are hilariously fucking inadequate by comparison (or even in absolute terms, for that matter).

[–] asbestos@lemmy.world 6 points 9 months ago

Thank you so, so much for this explanation! I’ve been wondering for years and years and I finally get it, it’s so cool to see public key cryptography being used for clone detection.

[–] shortwavesurfer@monero.town 1 points 9 months ago (1 children)

Okay, I was not aware of that and I can't use the Play Store because I have lineage OS on my phone with no Google Play Services so it's likely an app like that would break.

[–] JackGreenEarth@lemm.ee 5 points 9 months ago

You can just use the Aurora store, and I'm sure there's an NFC reader app that doesn't rely on GPS, maybe even on F-Droid.

[–] SlopppyEngineer@lemmy.world 4 points 9 months ago

$15 for a USB ID card reader on Amazon and many laptops ahead have this built in. It's usually some unremarkable slit on the side.

[–] cadekat@pawb.social 1 points 9 months ago (1 children)

You use cards for offline authentication (bars/festivals/etc.), and use a different process for online authentication.

Proving someone has the physical card in their possession (which is what a reader does) isn't really useful for proving identity when you can't also check the picture.

[–] shortwavesurfer@monero.town 1 points 9 months ago

Mmm. Good point. Otherwise, somebody could just steal the card from you and insert it into the reader and would therefore be you. My guess is something like that would at least require some sort of OTP 2 factor authentication. If you were going to do it that way, and it would have to be application based and definitely not text based.

[–] espentan@lemmy.world 12 points 9 months ago (1 children)

Mhm. We need everyone to submit to DNA sampling and iris scans, so our overlords can keep more reliable records of our doings. /s

[–] shortwavesurfer@monero.town -1 points 9 months ago

Or maybe we need to overthrow the overlords and do what we want LOL.

[–] rottingleaf@lemmy.zip 12 points 9 months ago (1 children)

This shows that anything is pointless if the other side believes in kinds of verification which can be manufactured the way you can't distinguish it from the real thing.

Frankly I'm feeling a bit of love now to banks which don't allow you to do anything scary without visiting their office in person.

[–] shortwavesurfer@monero.town -4 points 9 months ago (1 children)

And I'm on the completely opposite end where the person I trust to have my best interest at heart is me. So I have crypto and manage it myself.

[–] rottingleaf@lemmy.zip 0 points 9 months ago (1 children)

Too bad it's not actual money.

[–] shortwavesurfer@monero.town 1 points 9 months ago (2 children)

Money is what people say it is. And enough people see crypto as money to make it money. As an example, I have been buying my groceries with it for over a year now. And if it were not money, I would have starved.

[–] rottingleaf@lemmy.zip 4 points 9 months ago (1 children)

I agree that money is what people say money is, but if it's too volatile, it may still be a good asset, but bad currency.

[–] shortwavesurfer@monero.town 1 points 9 months ago

I use Monero, which moves about 15% from its one year simple moving average before reverting. And while that is quite a large move for somebody from the United States, for people from other countries that is not a very bad move, but I do see your point. I base my expenses off of the one-year moving average and save some for when the price is below that and I need to use a little extra.

[–] TheBat@lemmy.world -3 points 9 months ago (3 children)

Pay your taxes in crypto and then we'll talk

[–] aBundleOfFerrets@sh.itjust.works 3 points 9 months ago (1 children)

I can’t pay my taxes with euros, doesn’t mean they aren’t money

[–] TheBat@lemmy.world -5 points 9 months ago

You can, if you're a Euro citizen. Is 'make dumb comparisons' a prerequisite for being a cryptobro?

[–] shortwavesurfer@monero.town -1 points 9 months ago (1 children)

That can't be done since the government goons will only accept the fiat that they provide as taxes. So use crypto for everything else. And then each year convert just a little of it to the currency they want, which you find worthless to pay your "taxes" with. If somebody gave me the choice between Fiat and crypto for a thing that owed me, I would take the crypto immediately because it is worth the same no matter where I go.

[–] TheBat@lemmy.world 1 points 9 months ago
[–] EmergMemeHologram@startrek.website 46 points 9 months ago (1 children)

I like to thread the needle between "useful verification of identity" and "not a horrifying invasion of privacy that puts everyone in our society at risk"

Reading these kinds of things will just result in is creating horrible identification laws like having to scan your face each time you want to watch porn.

[–] Squire1039@lemm.ee 17 points 9 months ago

Yeah, I hate how the institutions now ask for endless information and IDs to identify you. It does look like asking for a copy of an ID is about to get worse.

[–] jet@hackertalks.com 14 points 9 months ago (2 children)

The military already has a solution to this. Smart card ID cards. So it acts like a hardware security key that you plug into your computer to verify it's you. Or at least the person possessing it. And it relies on the central authority to invalidate and verify the authenticity of that signature. Just like a yubikey

Combine the ID card with a fingerprint scanner built into the ID card. You get the best of the security enclave. And public key verification.

[–] ExLisper@linux.community 14 points 9 months ago (1 children)

In Spain you just go to an office, show your ID and they give you a personal certificate you import into your browser. You can use the same cert on multiple computers and have multiple certs in the same browser. When you visit government pages it asks you which cert you want to use and voilà, you're authenticated. You can also use the same cert to sign files and it's a legally valid signature. It uses common standards and works on Linux.

[–] LemmyRefugee@lemmy.world 7 points 9 months ago

Or if you buy a card reader you can use your ID (DNI) as your certificate because it has one saved inside

[–] Squire1039@lemm.ee 9 points 9 months ago (2 children)

Not disagreeing, but for the US:

  1. Yubikey 5c NFC costs ~30-55 USD. Not cheap.
  2. Yibikey BIO, with the scanner built in, will be even more expensive.
  3. Need a central registration authority or federated authorities to verify electronic ID. If the feds don't press the issue, this probably won't happen.
[–] mlg@lemmy.world 17 points 9 months ago
  1. CA will get hacked and root certificate dropped because they paid morbillions to some credit card company to setup the system on windows server 2003 with password123
[–] Landless2029@lemmy.world 4 points 9 months ago

And how much would a solution cost in bulk for millions/billions of people? Also you can always tack on $10-$20 as a fee and you're done.