OnlyFake: A site where ‘neural networks’ churn out fake IDs

You are probably thinking of the physical fake IDs that kids use to buy alcohol, where the picture on the fake ID must resemble the owner. The application here is for certain websites that require pictures of realistic-looking IDs to register, and none of the text or photos on the ID need to reflect reality.

The main use for this is for websites with KYC requirements. You can generate a fake good enough to get past their automated (and human) ID checks so you can get an account that can't be traced back to you.

2. Is that what this is? I assumed they generate a fake photo of the ID as if it had been taken in real life, not a JPEG that you then have to print and photograph.

The selfie cleanup exists - https://www.cutout.pro/passport-photo-maker and similar.

This stuff would work decently well for the "send us a photo of your ID for verification" shit that is more and more common online.

This is more about making fakes for use online. They isn't for showing a bouncer on the street outside of a club. This is about uploading a photo of your ID to a website as proof that you are over 18 ... for whatever reason that needs to be done. The quality of the paper is immaterial as there will never be a physical copy.

If someone has my social security number and name and address I'm pretty sure they can just impersonate me however they like (and I have to give my social security number to so many random institutions that it isn't that secret). Honestly if someone steals my mail at certain times of year it's pretty likely they could steal my whole identity

In the US, driver's licenses are issued by states. Aside from passports, we don't really have a national ID card. Historically, attempts at creating unified national databases have run into opposition from religious fanatics whose end times mythology says that such things will literally be a tool of the Antichrist.

EDIT: Yes, there are other groups/ideologies that also think that having fifty or so separate state databases for a basic administrative function is better than having one federal database. Not sure how much political power sovereign citizens or libertarians have compared to evangelicals, but consider yourself counted, I guess.

There is definitely a way to verify driver's license ID numbers. I've seen photos used as an easier option since they can OCR the info instead of making the user type in the 12-digit code. I'm guessing it's just some companies don't care.

Or you can provide a fake US driver's license and they'll rent you the car anyway. I guess the CC address on file might be a tell, but I'm not sure you couldn't have a UK card while a US driver.

It's the same with Home Office. Skilled worker visa is proved with a share code. It's a bit weird not to have a single sticker or even stamp in your passport.

When I signed up with Neon Bank here in Switzerland, I went through a process involving a picture of an ID:

https://www.neon-free.ch/en/blog/about-neon/identification-v...

Isn't this more just KYC stuff? If I sign up to a gambling website/crypto exchange/whatever - they ask for a photo of my driving licence or passport. I'm assuming this is just one way around that.

The US has id.me for accessing government services and for myself getting registered involved having a live video call with a government employee.

Such a site/AI might put pressure on widespread usage for the same or a similar service but there will be political and ideological pushback - for sure.

So no I don't think this is an example of the US failing whatever it is this week. Even if it may be quicker or easier to push through such changes in wildly different political and cultural environments.

> Some sort of public/private key repository kept by licensing authorities would be a more preferable solution to me at an initial glance.

Everyone in possession of an ICAO 9303-compliant ID card / password (so, at least everyone in Europe) already has such a thing. These cards can be read by any NFC enabled smartphone that can act as a reader, and the chips themselves can act as a a secure element capable of a range of cryptography functions.

The problem is that while ICAO 9303 is a standard to retrieve and verify the data, it's fundamentally based on the assumption that it is just used to retrieve the data written in cleartext on the card as well as the biometric data so that you can build a staff-less boarding solution for air and sea ports. It's just a read-only dump of the data, signed with a certificate from the card issuer.

We'd additionally need a standard similar to what Germany and Croatia have done that allows a person to use their computer or phone as an NFC reader "proxy" to create a digital signature against a service-provided challenge that can then be traced back to the government's PKI.

Or, to put it in SSL terms, each government has a root CA, that issues a sub-CA certificate to the card producers ("can issue certificates for #.de"), who in turn have the card provision its own public/private keypair, and then sign the card's public key to use as a sub-CA ("can issue certificates for #.person-identifier.de").

EU is working on an "EU Digital Identity Wallet". Which might be a good step in that direction. Even though it remains to be seen whether it won't be piggy-backed on some current weak authentication/identification methods in practical implementations.

Here in Sweden we have a solution called BankID that is pretty much that. To get the key the first time you need to go physically to a location to identify yourself, after that you can use your BankID to get a new one when your first is about to expire(this is basically rolling your private cert)

Never heard of any successful identity thefts in this system, except where someone has been tricked into signing something with their BankID that they shouldn't have. That's pretty hard to defend against on a systematic level though, at least in a way that's fool-proof.

https://www.bankid.com/

Japan has done this with the mynumbercard. It's an ID with a chip on it. The problem is they used to tell people that the Number was private.

It hasn't caught on for verification outside of government yet.

Simple public/private keys are neither private nor usable enough, but a federated, interoperable ID system is indeed desperately needed.

As far as I know Estonia has had something like this for years

Until that licensing authority gets hacked, then RIP to online security..

World ID? https://worldcoin.org/world-id

I think you're kinda behind on the state of the art because the fingers issues hasn't been a major problem for a few months now from what I've seen, at least when it comes to stuff that gets a manual check like with this. At that point, I don't see why short videos wouldn't also be next. I think the real issue here is that this method of ID verification just isn't good enough anymore. The correct solution is for governments to make high quality ID verification services (ideally with some level of privacy guarantees etc) but obviously that's a lift that will take time to happen and if any one locality is behind it'll cause bad actors to just use that ID.

"Turn your head left and right" probably has less than two years left to it as a security measure, and I feel I'm being generous on that. I seriously can't imagine that we've made it as far as we have with this sort of AI, but that's the wall we're going to hit beyond which math simply says "nope, you can't do that". "Take a picture holding the ID" won't have much longer.

The simple truth is that remote identity verification of this sort may simply be impossible in the near future. There's nothing intrinsically identifying about a video stream. It's just numbers. It isn't something you have, are, or know. We were floating along on "it's really hard to forge" but that on its own is not one of the ways of authenticating someone.

Well, the EU is trying to launch a secure EU-wide digital identity and signature service - you might have heard of it, called EIDAS, in a different context due to the bit in Article 45. As far as I can tell, the rest of the service is a really good idea though.

This does not affect the collecting website's security or revenue in any way. They don't care.

They don't do this for their own security. They do it because they're required to. And the requirement is idiotic, which is why the result is... idiocy.

I think what it comes down to is that most of the other ways to automate ID creation at scale were probably really easy to detect using ... well, probably neural networks. Because ID verification services had access to millions of "real" ID photos, I'd think a lot of fake images created using traditional automation would be pretty easy to detect (For example, having the same backgrounds/wood grain pattern reused for multiple images). So what neural network generation is adding here is basically being able to add much much more "plausible randomness" to the image (lens artifacts, dust motes, wood grain, plastic reflection, etc) in a way that makes distinguishing generated from non-generated images statistically very difficult.

"this article makes this sound like it's high-effort or high-skill."

It is.

Today.

Do not underestimate criminals. They have a full dark free market operating that you may be completely unaware of. The "Dark Web" is not just a media slogan. There is an entire economic ecosystem with high levels of specialization and structure already in it. There are already organizations smart enough to have people who can take this, productize it, and be the one selling the metaphorical shovels to the lower level criminals who buy this product and then take all the direct risks of doing the actual crime.

Today's high-skill attack is tomorrow's product.

I'm thinking they mean in the sense that it's not in mainstream use. Think of "underground" music which is played in clubs that are open and welcoming to the public.

One definition when I looked up the word was "a group or movement seeking to explore alternative forms of lifestyle or artistic expression" which I think also applies here.

I cannot investigate further because I'm at work, but if they use that clearnet url you linked, they aren't really a darknet (since they're clearnet).

Underground makes more sense here as they're clearnet but you have to be "in the know" to know about them.

The primary definition of underground means hidden, but most of the secondary definitions apply here.

adj. 3a: existing outside the establishment, as in "an underground literary reputation"

n. 3c: an unofficial, unsanctioned, or illegal but informal movement or group

The journalist might even have intended:

n. 3b: a clandestine conspiratorial organization set up for revolutionary or other disruptive purposes especially against a civil order

We moved it above ground in the title above.