OnlyFake lets essentially anyone generate fake IDs in minutes that may seem real enough to bypass various online verification systems. Or at least fool some people
> I'm really not sure why you're upset and accusatory. What a weird thing to lie about,
Please don't respond to a bad comment by breaking the site guidelines yourself. That only makes things worse. I know the GP was provocative, but your comment would be fine without those bits.
You're right. I edited my comment to be more appropriate and disclosed the fact that it was edited. Thank you for the prod, sometimes we get caught in the moment.
"Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that.""
> In December, we noticed that articles we spent significant amounts of time on ... were being scraped by bots, run through an AI article “spinner” or paraphraser, and republished on random websites.
> Requiring an email address to read our articles has, for the moment, stopped our content from being scraped and repurposed by AI.
I am looking forward to the stressors this places upon identity in the online world so we can develop something better than showing a picture of an ID card. Some sort of public/private key repository kept by licensing authorities would be a more preferable solution to me at an initial glance.
It can be. If my bicycle has no lock at all, I will not leave on a outdoor parking near the central railway station, because I know for sure it will be stolen. The value here comes not from imperfect security per se, but from my ability to predict the outcome. Now if my bicycle has a meh lock, the chance of it being snatched suddenly increases.
I'm saying that maybe people who chose to accept the id scan knowingly accept the risk, have a second line of checks somewhere, evaluate amount lost to fraud or fines against the cost of having full-fledged PKI and also knowingly make it your problem if their evaluation proves to be wrong.
Cardboard boxes can be acquired without a record of their purchase and are easy to hide among other cardboard boxes, like a book in a library. Also can be used to hide from enemies while moving around under the box.
I think the argument against is that right now people know how terrible an authentication system this is and don't build actual security on top of it -- "we only have cardboard boxes so we installed cameras and encrypted the contents."
Once it's good people will outsource the work to what is essentially a CA system where every BMV in America is an issuer and I expect it to hold up at best as well as SMS verification.
I think the problem is that people are relying on this for actual security. The article demonstrates how easy it is to get companies to accept this form of fraudulent authentication (and the demand for this service speaks to its efficacy as well).
Why not let notaries or an authoritative agency issue cryptographically signed one time codes upon inspection of your physical ID? Frankly, it sounds like a superior system to me.
The CAs have been hacked. Multiple times, in several different ways. And that's just the public ones we know about, which I have no reason to suppose are all of them or even necessarily a significant fraction of what we would consider compromises. At the scale of "everything done on the internet" or "all the money" you can't wave this issue away. It is difficult, if not impossible, to build a security system that is more expensive to break than "all the money and value in the world".
A government identity to do business with the government might just about be possible. A government identity to cover everything done by everyone everywhere is not. The value of cracking that system is just too high.
> A government identity to cover everything done by everyone everywhere is not. The value of cracking that system is just too high.
So the value of the system being broken is too high, yet we live in a world where it's broken, as anybody can make a photoshop of your driving license? I'm sorry I don't get the argument.
Basic principle of security: A security system should be more expensive to break for the attacker than the value of the thing it is securing to the owner.
This is generally a counter to people using binary thinking and believing that a security system is broken if there is any way in at all, thus thinking things are either in the categories "secure" or "insecure" without any further qualification. In fact those categories don't exist. It is intrinsically at a bare minimum a spectrum of security, and one can slice & dice more finely if one likes based on what sort of attacks various different types of attackers can mount, e.g., defending against whole-internet scans is one thing, nation-state attackers specifically targeting you quite another.
I'm using it in a different way: When what you want to lock behind your security system is essentially "all economic value in the world", such as "we'll solve all identity problems on the internet by just having the government provide identities", that means you need to create a security system that is more expensive to break than "all economic value in the world". However, you can't. Any conceivable security system is easier to break than that.
There is a sense in which it is simply necessary that there be a wide variety of independent identification systems, each individually covering sufficiently small amounts of value that they are possible to exist at all, and with a diversity of costs and strengths to cover the various cases.
And because of that a photo of your driver's license is at best a low-pass filter. A central identity system where you get strong identity verification will be relied on for real security and authentication making it a properly juicy target the level of Gmail for account compromises but the real life security of Verizon issuing phone numbers and sim cards.
It's a classic fallacy of "the old one may be extremely bad, but it's already there, so it's okay, but the new one needs to be perfect against anything any scenario someone can think about, no matter how far fetched". We have this pretty often here in Germany. The requirements for anything digital are so incredibly high compared to the non-digital version we have currently/had before (depending on whether we finally managed to introduce a digital version), it's just sad.
Let me send you that totally secure fax with my totally secure signature drawn by hand. Far more secure than a digital document signed by this scary, newfangled electronic signature, which could have been hacked and is therefore totally insecure.
EU is working on an "EU Digital Identity Wallet". Which might be a good step in that direction. Even though it remains to be seen whether it won't be piggy-backed on some current weak authentication/identification methods in practical implementations.
Even US had it solved two decades ago on a peak of post 9/11 paranoia. Federal agencies use smartcards internally, there is federal root and the copy-cat of that was successfully rolled out in different flavors in several countries in Europe as well.
On the other side of the spectrum, there is Dutch digi Id, which is the only way to use any government service online and works either with pure and simple username+password or a second factor through the app. There is no rocket since involved -- government agency sends you an activation code to your registered address and you activate the app.
Then there is Ukrainian Diia, which is kinda both and also bundles government services themsevles and a digital id generator into the same app. But it's all built on top of existing PKI infrastructure that is used for decades before to tackle the problem of district tax office doing shenanigans with your tax reports.
Add:
And of course the most no brainer way to roll it out in a fragmented landscape of US is to let banks be Oauth2 providers, as they are already tasked with KYC stuff and have a license to lose. See https://www.bankid.com/en/
> And of course the most no brainer way to roll it out in a fragmented landscape of US is to let banks be Oauth2 providers, as they are already tasked with KYC stuff and have a license to lose.
That doesn't stop banks from pulling all kinds of shit with their customers' identity or what they believe to be that. The amount of credit scams possible in the US is mind-boggling for me as an European.
I feel like the tolerance to fraud is just higher in US or something, as the alternative is being sent to GULAG right after having your federal id issued.
Wells Fargo employees for example got caught creating millions of accounts without the consent of the customers to meet unrealistic quota by their managers [1], and not just once, but at least three times (2016, 2018, 2023).
> And of course the most no brainer way to roll it out in a fragmented landscape of US is to let banks be Oauth2 providers, as they are already tasked with KYC stuff and have a license to lose.
Yeah, the same works in the Czech Republic, the banks provide an OIDC service, including document signing, see https://www.bankid.cz/en
> Some sort of public/private key repository kept by licensing authorities would be a more preferable solution to me at an initial glance.
Everyone in possession of an ICAO 9303-compliant ID card / password (so, at least everyone in Europe) already has such a thing. These cards can be read by any NFC enabled smartphone that can act as a reader, and the chips themselves can act as a a secure element capable of a range of cryptography functions.
The problem is that while ICAO 9303 is a standard to retrieve and verify the data, it's fundamentally based on the assumption that it is just used to retrieve the data written in cleartext on the card as well as the biometric data so that you can build a staff-less boarding solution for air and sea ports. It's just a read-only dump of the data, signed with a certificate from the card issuer.
We'd additionally need a standard similar to what Germany and Croatia have done that allows a person to use their computer or phone as an NFC reader "proxy" to create a digital signature against a service-provided challenge that can then be traced back to the government's PKI.
Or, to put it in SSL terms, each government has a root CA, that issues a sub-CA certificate to the card producers ("can issue certificates for #.de"), who in turn have the card provision its own public/private keypair, and then sign the card's public key to use as a sub-CA ("can issue certificates for #.person-identifier.de").
>We'd additionally need a standard similar to what Germany and Croatia have done that allows a person to use their computer or phone as an NFC reader "proxy" to create a digital signature against a service-provided challenge that can then be traced back to the government's PKI.
Why bother with NFC if the phone itself has secure enclave and a biometry check to lock it down too?
And the best part of course, the federal government of US doesn't just have a standard, but actively uses all that for quite some time, just explicitly without NFC.
> Why bother with NFC if the phone itself has secure enclave and a biometry check to lock it down too?
There have been a lot secure-enclave exploits against both Apple [1] and everyone else [2], and fingerprint readers can also be bypassed. The Secure Enclave itself has a giant attack surface and is highly complex. (That however does not stop dreams of "digital driver's licenses" and whatnot, though, but that's another question)
In contrast to that, ISO 7816 smartcard stuff has been in use for decades, and (unless it's Javacard...) a very limited complexity. It's rare to see something else other than sidechannel attacks.
Fair enough. So the attack scenario is having a rogue state-sponsored app installed on everybody's device (think tik-tok), which steals everybody's private keys ... and does what? Registers an account on coinbase to launder money? Applies for a childcare subsidy and wires the money to insert country here?
> Fair enough. So the attack scenario is having a rogue state-sponsored app installed on everybody's device (think tik-tok), which steals everybody's private keys
The German AusweisApp2 is fully open-source (to protect against the first scenario), and it might be possible to do it in a web app assuming Web NFC gets more widely supported [1].
The second scenario is protected against by the keys being provisioned on the smartcard during manufacture (or, if the user so desires, at the touchpoint where they get handed over the ID card) and being unable to be exposed, at least not without either destructive methods or side-channel attacks.
Malware can go and dump the keys from the Secure Enclave. It's just the same mechanism that pirates use to crack the Widevine decryption, just that it's the strong digital identity of a person towards a government at stake here.
Here in Sweden we have a solution called BankID that is pretty much that. To get the key the first time you need to go physically to a location to identify yourself, after that you can use your BankID to get a new one when your first is about to expire(this is basically rolling your private cert)
Never heard of any successful identity thefts in this system, except where someone has been tricked into signing something with their BankID that they shouldn't have. That's pretty hard to defend against on a systematic level though, at least in a way that's fool-proof.
Maybe I'm missing something, and this is a "dropbox" comment, but this article makes this sound like it's high-effort or high-skill.
While I'm sure Neural Networks bring this to a new level, I feel like this wouldn't be hyper difficult to automate without them.
What's more, $15 sounds like a lot. If this wasn't certainly going to be used for less-than-ethical purposes, I feel like it would be ripe for disrupting this market with $5 or $2 IDs of various quality.
I think what it comes down to is that most of the other ways to automate ID creation at scale were probably really easy to detect using ... well, probably neural networks. Because ID verification services had access to millions of "real" ID photos, I'd think a lot of fake images created using traditional automation would be pretty easy to detect (For example, having the same backgrounds/wood grain pattern reused for multiple images). So what neural network generation is adding here is basically being able to add much much more "plausible randomness" to the image (lens artifacts, dust motes, wood grain, plastic reflection, etc) in a way that makes distinguishing generated from non-generated images statistically very difficult.
> Because ID verification services had access to millions of "real" ID photos
It's all snake oil devised to shift the risk from a party who has a mandate to perform KYC to some broken by design AI woodoo, which will generate free money until it doesn't once the landscape or the legislator's will mood change.
They bank will then perform the actual KYC and will start asking questions once it sees something funny and will eat the cost of fraud at the end of the day.
"this article makes this sound like it's high-effort or high-skill."
It is.
Today.
Do not underestimate criminals. They have a full dark free market operating that you may be completely unaware of. The "Dark Web" is not just a media slogan. There is an entire economic ecosystem with high levels of specialization and structure already in it. There are already organizations smart enough to have people who can take this, productize it, and be the one selling the metaphorical shovels to the lower level criminals who buy this product and then take all the direct risks of doing the actual crime.
I don't doubt criminals are highly skilled or motivated, nor that "onion" and "hidden" sites exist.
I'm just not seeing why they would need to employ either great skill or motivation in this case. Just saying the task does not seem very difficult, but is described as being so.
It’s bananas that a picture of an ID sent over the internet was ever considered identity verification.
Anyone who’s ever had their identity “stolen” knows how little effort banks and business will put into identity verification before making their mistake your problem.
worse than that - in 2008 or so there was a serious spike in identity theft among people in west USA. A theory is that it was the ex-employees of banks and credit related biz that knew how to effectively use a stolen ID for credit. similar comment about credit card fraud in the 1990s
Is this just America failing to update to the modern world again?
In the UK, if I want to hire a car, I have to provide a code from a Government website which is tied to my driving licence. The hire company check the validity of my licence using that one-time code.
Similarly, the passport service provides an API which lets authorised organisations check the validity of a passport.
Relying on a photo of a document is as ridiculous as relying on a signature on a credit card receipt!
If someone has my social security number and name and address I'm pretty sure they can just impersonate me however they like (and I have to give my social security number to so many random institutions that it isn't that secret). Honestly if someone steals my mail at certain times of year it's pretty likely they could steal my whole identity
I found telling people "Sorry, I'm a foreigner and don't have one" satisfies almost anyone (obviously not a bank or anyone tax-related). But plenty of companies ask for it and would rather find a way to do business than turn me away.
That makes an unreasonable assumption that everybody across the whole industry is not just competent and can be trusted to have it together, but they also manage to achieve their important goals (which are not always having the cleanest code or architecture) using the same architectural dogmas as you do. One can define a datatype as FormattedValue | null, make a tuple of (value, present), have a special empty value or do all of that at once, because parts of the dataset were separately inherited during the merger.
I'm not saying it doesn't happen - I'm saying it's not the correct practice. When talking about financial services, this sort of garbage data could lead to compliance issues and financial penalties. Typically those mergers end up with remediation initiatives to at least ensure that all the invalid data is nulled out, or facilitate it's collection if it's critical.
My mobile phone account has a bogus number (not generated by me!) as my SSN. Fortunately I know what it is so can recite it on a call. Which is why I don't want them to have my SSN in the first place!
It’s all fun and games until your bank reports something to the government under this SSN and it affects a person to whom its really assigned. Bonus points if “something“ has fiscal consequences for either of you.
Seriously, this is not kind of shenanigans you want to be doing for no reason at all, simply because the reason would be invented by someone else.
As my original comment says I don’t do this for anything tax-ish (for the same reason you mention). But there is no reason a phone company need know my SSN. Or the pharmacy.
As far as I am aware, that SSN is technically possible. Years ago SSNs could be traced back to the state/location of birth by looking at the first few digits (mine is like that), but they were changed to be completely random a while ago.
> It's probably well past time for legislation prohibiting anyone else for using it for that purpose, preferably with some teeth.
No, it is time for legislation prohibiting people from being held responsible for a business’s lack of due diligence. If the lender wants to use SSN to give out thousands of dollars, that is entirely on the lender.
The businesses will automatically stop using mechanisms of identity verification that cause them to lose money.
While I do somewhat agree, the SSN used to be just a number that the SSA uses to identify you. It was never meant for things like credit and bank accounts.
The only problem is the government has foisted the costs of the lender’s due diligence onto the general public. If a lender wants to collect on debts, they should need more proof than an SSN/DOB combo, and no one should have to spend time correcting their credit report from no fault of their own.
You could both limit the victim's responsibility for identity theft, and prohibit businesses for using the SSAN as a means of identification, with a whopping fine attached.
> The businesses will automatically stop using mechanisms of identity verification that cause them to lose money.
You mean like if they were forced to pay a gigantic fine?
Isn't this more just KYC stuff? If I sign up to a gambling website/crypto exchange/whatever - they ask for a photo of my driving licence or passport. I'm assuming this is just one way around that.
Yeah, Suisse can be a bit weird - ultra modern stuff mixed with very conservative stuff from maybe 70s or 50s, not sure which century though.
I have a single proper horror story with otherwise flawless (yet nontrivial) Swiss bureaucracy - one of those situations where you are completely at the mercy of incompetent bureaucrat which couldn't care less, to allow just your basic existence in this country as a highly sought-after expat, since evidently solid past 12 years means nothing.
You see the process working on others within few weeks yet you are stuck there, without any info apart from 'wait', without any option to anyhow contact physical person handling your case, your main permit allowing your existence here expiring, yet the evidently lazy bureaucrat which sometimes picks up official phone for whole bureau doesn't bulge a bit, stating 'there is no time limit how long this could take, bye'. I tried naively to just go to the bureau but was literally kicked out of the building. Literally untouchable folks.
And then other bureaucrat by chance picks up a phone and takes a look after a year during one desperate final call, balks in horror and WTFs, goes on 5 minute tirade full of apologies (I guess I could sue Geneva canton for undue stress on me and whole family since that shit was real we could be easily forced out) promptly does everything in 5 minutes.
Yeah, using bad (phone) photo copies of IDs in 2024 is the least problem with Swiss bureaucracy for me here, there seems to be a lot of ingrained trust in the system (which is great when it works).
The trick is not to make phone calls, but write mail, preferably to their supervising office. A basic FOI to get yourself a copy of your own submission can do wonders, as it forces somebody to find your specific case and look at it.
Most likely what happened is your case (in a physical form of a folder) was simply in a wrong physical place, forgotten, not transferred to a different case worker after a previous one retired/went on vacation/etc or otherwise slipped through the cracks.
I know these 'tricks', registered letter, filling out cantonal forms on official pages, went through that after first 2 months. Didn't help a bit, this was advanced shit.
Email response from filled cantonal online form came back after 3 months, with... 'wait'.
Till this day I believe this was an actual evil person getting kicks from this slow suffering of poor desperate foreigners who have absolutely 0 way of doing anything, even having decent polite conversation. And its hard to ignore the fact that suing an office which maybe will issue you most important papers in your life may not be the smartest course of action.
They say its roughly 1/20 sociopaths and 1/100 psychopaths in general population, not that hard to meet them if you are unlucky.
There is definitely a way to verify driver's license ID numbers. I've seen photos used as an easier option since they can OCR the info instead of making the user type in the 12-digit code. I'm guessing it's just some companies don't care.
A lot of them are garbage when it comes to user provided photos. Names are difficult because they can have near-infinite variations (unlike words).
Have also had a provider that insisted on sending in a picture of a barcode for something (too many users entering in the values wrong), but on their side, it was just a human typing them in, and still made an error.
This is not entirely true. Most states do not have a way for 3rd-parties to verify a license ID number.
There is a non-profit, AAMVA (AMERICAN ASSOCIATION OF MOTOR VEHICLE ADMINISTRATORS) which provides some businesses with access to verify ids in some states. A list of states supported is here https://www.aamva.org/identity
That said, things are changing and hopefully more states will adopt something more standardized.
Or you can provide a fake US driver's license and they'll rent you the car anyway. I guess the CC address on file might be a tell, but I'm not sure you couldn't have a UK card while a US driver.
In the US, driver's licenses are issued by states. Aside from passports, we don't really have a national ID card. Historically, attempts at creating unified national databases have run into opposition from religious fanatics whose end times mythology says that such things will literally be a tool of the Antichrist.
EDIT: Yes, there are other groups/ideologies that also think that having fifty or so separate state databases for a basic administrative function is better than having one federal database. Not sure how much political power sovereign citizens or libertarians have compared to evangelicals, but consider yourself counted, I guess.
>> creating unified national databases have run into opposition from religious fanatics
And the gun people. And the sovereign citizens. And the "states rights" people. And the constitutional originalists. And the capital-L libertarians. If you don't want to carry an ID card, there is a variety of communities to help you amplify that opinion in the most annoying and disruptive ways possible.
Just don't issue a number to identify a person, issue a number to identify a record which has their god-given and church blessed christian name. Problem solved. Seriously, the number on my government id is called "record number", as personal number is too haram.
Unless of course the real push to sabotage it comes from people actively interested in having fraudlent ids in circulation or rely on undocumented people to do low-paying jobs, or something.
So an indexed online database that doesn't use numbers. Sounds almost worse than the ATF gun sales database that is forbidden from keeping electronic records.
The ATF being required to keep paper records only is a feature, not a bug, specifically mandated after the absolute fiascos of Ruby Ridge and Waco. Regulators decided that giving them less power was probably wise.
Well, it does use numbers and they are permanent once issued. The difference is what you call those numbers, how you issue them and what is the UX around them.
Don't want to have a federal id? Sure, here is your federated id prefixed with TX-, with all the PII stored in a datacenter in your state. Don't want to have another id issued? Sure, type in the number of your driver license issued when you were 16 years old. Don't like numbers at all? Okey, type in your baptism name, dob and the name of the church or apply through a snail mail.
It's not like Europe has a pan-european id issuing authority or a single unique number to identify a person through all of the databases on a continent. Even if did, some people would still have another identity number in US to open an account there.
This isn't especially relevant or important, but fun trivia: in France the National Identity Card was put in place by the Vichy regime.
(Along with a surprising amount of stuff we still have like National Police, Mother's day, being on the UTC+1 timezone, the alarm siren we get every first wednesday of the month, Licence IV for opening bars, etc)
I mean, it's just an alarm you hear for 30 seconds once per month. Compared to living next to a train line or an airport, that's nothing. (Though I've never lived closed to one of the sirens, maybe that's worse.)
Or opposition who know just how many times national IDs have been used as a tool for oppression and murder.
Hint: a lot. Not just in Nazi Germany or the Soviet Union, either.
The Hutus and Tutsis in Rwanda look pretty much the same, and even speak the same language. Rwanda had a national ID card system that identified which one you were, which made matters much simpler for the genocidal murders.
South Africa had "passbooks", used to enforce the infamous "pass laws".
And so on.
Dismissing those concerned about privacy as "religious fanatics" is both unfair and incorrect.
I am not "dismissing" anyone as anything. I am talking about literal religious fanatics who have the same opposition to things like UPC codes[1] and credit cards[2] and COVID vaccines[3] and who knows what else.
I'm not sure how a state-level database is supposed to be safer in real life. The idea that state governments are somehow less dangerous to minority groups than the federal government conflicts with large swaths of US history.
>I'm not sure how a state-level database is supposed to be safer in real life.
It will be relevant in a very improbable case the states would be at war with each other. It's an odd threat scenario to optimize for, but maybe something like that happened already and people are still not happy about the result. I dunno.
Yes, you are. You're lumping everyone opposed to a national ID into the category of "religious fanatics".
> I'm not sure how a state-level database is supposed to be safer in real life.
Because mitigates the potential number of victims. The population of the United States is about 330 million. The population of California (the most populous state) is only about 39 million.
Now, some states would cooperate with a potential tyranny, and hand over their databases.
Wouldn't robust structures that discourage or prevent such abuses be a better solution than not doing anything at all and still having discrimination? If we were really that worried why are we okay with passports, state driver's licenses, etc.?
Ideally you want both, this is just one of many types of structures used to reduce the likelihood of such events happening. As for why we have any id at all, there is a degree of risk vs reward that has to be traded off, and this current point along the equilibrium has worked well so far.
>> Historically, attempts at creating unified national databases have run into opposition from religious fanatics whose end times mythology says that such things will literally be a tool of the Antichrist.
That is an extreme exaggeration and not even close to true. There a myriad of legitimate reasons to not want a national ID. My reason, for example, is that States are sovereign and identifying citizens is not a Constitutional power given to the Federal government.
I would also argue that the Federal government has sneakily made a national ID with the RealID initiative.
Please show me the excerpt from the Constitution that gives the Federal government any power to implicitly or explicitly identify anybody. The people belong to the States that created the Federal government. It is a power of States to require identification of their people if the people of that State so desire.
> Please show me the excerpt from the Constitution that gives the Federal government any power to implicitly or explicitly identify anybody.
Are you aware that not all rights granted to the government are in the constitution?
I can tell you are going to want to dispute that, but doing so would only be a display of ignorance.
Plenty of rights the government has are are a result of later caselaw or legislation, and not outlined in the constitution. If you want to say those don't count, then you're probably a 'sovereign citizen' type.
Incorrect. All powers that the Federal government has are explicitly granted in the Constitution. All powers not explicitly granted to the Federal government belong to the States or the people.
Way to attempt to be dismissive of a literal reading of the Constitution that ostensibly governs this country. If a sovereign citizen is somebody that believes in self-governance of the people then, thank you. This country was created and defended by people that believe this. I am proud to be part of that tradition.
10th Amendment The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
So, 10th Amendment says that later caselaw and legislation that gives more power to Federal government than was defined in the Constitution is illegal. The only way the Federal government can legally get more power is through Constitutional amendments.
> All powers that the Federal government has are explicitly granted in the Constitution.
This is just incorrect. As I said, caselaw and legislation grant rights not explicitly in the constitution.
That's just a fact, and I'm not really interested in debating it or any various fringe theories of how some people think things ought to work, anymore than I have an interest in debating Pangaea existed or that the sky during daylight generally appears blue to humans.
>In the UK, if I want to hire a car, I have to provide a code from a Government website which is tied to my driving licence.
Seems like convincing that website I am you would be the weak point here. I'd be more concerned about that than someone spoofing my id like they are doing here. Because in the future I could almost definitely prove they spoofed my id. Not so with accessing a website.
Relying on photos and signatures isn't ridiculous at all, we did that for decades and it served a purpose. What you are seeing is one government that is authoritarian on ID, and another that is prioritizing other things.
Of course the government databases via APIs is more secure, but that doesn't make everything else ridiculous.
Saying the US isn't modern because of this one thing is silly. The US ostensibly leads technological investment, has the an advanced military, puts rockets in space and recovers them, had the internet before most of the world, iPhone, all the software we all use the world over, the list goes on.
It's the same with Home Office. Skilled worker visa is proved with a share code. It's a bit weird not to have a single sticker or even stamp in your passport.
The US has id.me for accessing government services and for myself getting registered involved having a live video call with a government employee.
Such a site/AI might put pressure on widespread usage for the same or a similar service but there will be political and ideological pushback - for sure.
So no I don't think this is an example of the US failing whatever it is this week. Even if it may be quicker or easier to push through such changes in wildly different political and cultural environments.
Any service that is only using "submit a photo of your ID" deserves to be compromised.
It really doesn't take much to get to the "take a picture holding the ID" step, which can still be fooled but is much more difficult than this (especially for AIs when it comes to finger count lol). But "turn your head left and right" is also pretty easy to incorporate.
If you're not making even a basic effort to confirm the person submitting the ID actually exists, your customers are already screwed. They just don't know it yet.
I think you're kinda behind on the state of the art because the fingers issues hasn't been a major problem for a few months now from what I've seen, at least when it comes to stuff that gets a manual check like with this. At that point, I don't see why short videos wouldn't also be next. I think the real issue here is that this method of ID verification just isn't good enough anymore. The correct solution is for governments to make high quality ID verification services (ideally with some level of privacy guarantees etc) but obviously that's a lift that will take time to happen and if any one locality is behind it'll cause bad actors to just use that ID.
I was playing with Google's new image generation tool just this week and it still had a problem with fingers.
I'll admit I don't do much with image generation, but hands still seem to be a weak point, which is why I added a parenthetical jab at the whole system.
Midjourney and DALLE 3 are state of the art. Not only are fingers not a problem, they semi-reliably generate images of the same person for different angles and different environments.
Finger count problem has been basically solved since Fall 2023.
"Turn your head left and right" probably has less than two years left to it as a security measure, and I feel I'm being generous on that. I seriously can't imagine that we've made it as far as we have with this sort of AI, but that's the wall we're going to hit beyond which math simply says "nope, you can't do that". "Take a picture holding the ID" won't have much longer.
The simple truth is that remote identity verification of this sort may simply be impossible in the near future. There's nothing intrinsically identifying about a video stream. It's just numbers. It isn't something you have, are, or know. We were floating along on "it's really hard to forge" but that on its own is not one of the ways of authenticating someone.
Agreed, but then you need to have some sort of blessed entity perform that KYC and create all the UX necessary to deal with losing your individual NFT Identity. And then of course you question what the point of having a public blockchain is at all. Use a private chain like Hyperledger instead with authorized validators being a consortium of government entities.
You'd want to use a KYC'd L2 that is still secured by the L1. The consortium would just validate transactions on the L2, and the security overhead is payed for by publishing to L1, so no need for validators actually validating and retaining blocks/data. Just a single. or multiple centralized sequencers. That way you also still have access to liquidity if you want additional KYC'd financial services (like for services using USDC), while also having the benefit of a closed carefully monitored system.
That's only if access to liquidity is important to you or you think you'd benefit from the infrastructure already present on an L1. I'd argue for the use case of identity verification, you don't need any of that. Bless a set of core validators run by the federal government or some other central entity contracted out to by the government. Everyone else just runs on this chain. You'll have no throughput issues because your blessed validators are the only ones gating blocks on the chain. You'll also be able to upgrade the chain and other things in a centrally coordinated manner.
Well, the EU is trying to launch a secure EU-wide digital identity and signature service - you might have heard of it, called EIDAS, in a different context due to the bit in Article 45. As far as I can tell, the rest of the service is a really good idea though.
This does not affect the collecting website's security or revenue in any way. They don't care.
They don't do this for their own security. They do it because they're required to. And the requirement is idiotic, which is why the result is... idiocy.
An awful lot of websites do have their revenue affected. Cryptocurrency exchanges, for example, need to know if an account belonging to some random innocent person is being linked to their account by someone impersonating that person, because if they accept payment, issue the cryptocurrency, and the fraudster withdraws it, the owner of the bank account will reverse the charge, their bank will recall the funds from the exchange, and the exchange is left holding the empty bag.
I've worked in this field specifically for most of the last 7 years. It's a problem on the order of tens to hundreds of millions of dollars annually if you get it wrong.
Now we're conflating underground with darknets? Journalism at its finest. What exactly is an underground website? This website is public and very welcoming to all:
I'm thinking they mean in the sense that it's not in mainstream use. Think of "underground" music which is played in clubs that are open and welcoming to the public.
One definition when I looked up the word was "a group or movement seeking to explore alternative forms of lifestyle or artistic expression" which I think also applies here.
This varies from US state to US state, but at least in Georgia the answer is no. We have to register ahead of time (usually when obtaining a driver's license for our current address), and voter registrations are cross-checked against other records of residency. On election day, we have to vote at an assigned location, and that location has a list of the people who are allowed to vote there that day. When you check in, they check you off of that list. People who vote early or have requested a mail-in ballot are scrubbed from that list ahead of time.
A fake ID, let alone a photo of a fake ID, is not going to get you past the registration step nor the in-person verification step. At best a truly good physical fake ID might get you through to vote in another person's name, if you know where they were registered and beat them to it. But that is not what this tool enables.
This system is not without its flaws. Plenty of people are disenfranchised because they either failed to properly register ahead of time, or failed to show up at the correct polling location with proper ID on election day. But AI-generated photos of fake IDs is not one of this system's weaknesses.
If that worked at a scale that mattered I have a feeling we would have heard about it by now. Election ink has been used extensively for quite some time -- just not in the countries HN readers are likely to live in.
If the site is generating real looking IDs using fake data then it won't be of any use for voting. When you vote they check your name against a list and if it isn't on the list you can only cast a provisional ballot, which will get tossed later when your name fails to verify. Penalties for in-person voting fraud are also very stiff so this is not a likely scenario.
I don't know about the most nefarious, but I know the most frequent will be bypassing KYC (Know Your Customer) requirements on banking and (moreover) crypto sites.
1. I don't think you need a neural network to produce the image of a fake ID. The right tool is some scripting around ImageMagick and whatnot.
Where AI could come into the picture, so to speak, would be in cleaning up a random selfie photograph that is not suitable as an ID photo, into an ID photo. Changing the lighting, removing the background, and perhaps adjusting the facial expression.
Using AI for the remaining textual parts of the ID would only lead to defects.
2. An image of ID printed on glossy photo paper (which I'm guessing this is) is not going to fool anyone who asks you to take your ID out of your wallet. This is only good for flashing in someone's face to get into a club.
2. Is that what this is? I assumed they generate a fake photo of the ID as if it had been taken in real life, not a JPEG that you then have to print and photograph.
The main use for this is for websites with KYC requirements. You can generate a fake good enough to get past their automated (and human) ID checks so you can get an account that can't be traced back to you.
Yeah, when I was first reading the title, I was thinking "how can they possibly generate good fake id that people can just print, id has holograms and magnetic strips and what not. But generating a realistic photo of an id is whole different kettle a fish. An easy kettle!
Well then the burden lies on the KYC websites to actually verify the details? If someone uploads documents, I hope you verify them with the issuing authority, otherwise it's not really KYC is it? Photoshop has existed for a while now....
A good idea in principle, but that only works in countries where the majority of citizens trust their government with important and difficult tasks like that.
Given how political a topic IDs are in the US even in their physical/offline variant, I'm not holding my breath for that.
They’re not political at all in the US. They’re called passports, and nobody has a problem with them (as far as I know). No one has to force anyone to use it, but that’s their problem if they want to inconvenience themselves by having to prove their identity in person rather than use an API provided by the USPS (since they already do identity verification for passports).
Know Your Customer. It's a law in the US (and I think EU has similar?) that requires sites that deal with money to verify your identity to prevent fraud and money laundering.
You are probably thinking of the physical fake IDs that kids use to buy alcohol, where the picture on the fake ID must resemble the owner. The application here is for certain websites that require pictures of realistic-looking IDs to register, and none of the text or photos on the ID need to reflect reality.
Online banks require you to provide such photos of an ID. Also, registration for government services.
However, in the banking case (and likely government, but I cannot speak to that directly) they are running your data against a KYC API so chances of your information being valid are low.
What API takes a photograph and tells you whether the person who gave it to you is in physical possession of the ID document depicted on it?
This flow was designed, and only works, for branch-based KYC: The bank employee physically looks at the ID, makes sure it's you, examines the many physically hard-to-forge elements on the card, and then queries an API that tells them whether the same ID was ever issued with that data on it (name and photo).
Bringing that flow online in the age of GANs is an absurd concept, right up there with using a short, unchangeable numeric personal identifier as a bearer token for authentication. The fact that financial institutions in some countries actually do both doesn't make it any less absurd.
Not only that, but in some cases your picture is also ran across a database. There is a company called Veridas who does this for banks, and since they are allowed by their clients to x-reference data,! has identified identity thiefs showing up in 4 banks with four stolen identities but the same face.
They offer all validations behind an API, so you don’t need to know how a Nigeria driving license looks like.
It's pretty foolish to accept picture ID without being face-to-face with the person to match the two.
Even if the rest of the ID is fake, at least you have a record of that person's face; you can attest to the fact that the person who gave you the ID, whoever they may be, looks like the picture you have.
This is more about making fakes for use online. They isn't for showing a bouncer on the street outside of a club. This is about uploading a photo of your ID to a website as proof that you are over 18 ... for whatever reason that needs to be done. The quality of the paper is immaterial as there will never be a physical copy.
It just seems better for your fake ID business if you don't require the users to use any external tools or have any photo retouching skills. Just upload any old shitty picture and go to checkout.
This is only shocking to people who don't understand that OKX basically doesn't care if you upload a picture of your dog as your ID.
To put more meat on the bone: Plaid is basically KYC for any service that matters anymore, and this $15 autogen service doesn't help you when you get to the face-scan/hold your ID next to your face level, which is required for any serious crypto exchange you'd wnat to use if you're a money launderer.
And when deep fakes can easily recreate a face in real time video? doesn't have to be good enough to fool a human, just the face scan which uses a subset of points to match.
Can I make a fake id for my unemployment I have warrant my id is expired it can all b done online I bout to miss out on getting my back pay they owe me becuz I can’t go get validid yet plz help anyone
204 comments
[ 38.6 ms ] story [ 4110 ms ] threadOnlyFake lets essentially anyone generate fake IDs in minutes that may seem real enough to bypass various online verification systems. Or at least fool some people
Blocked by Signup: https://i.imgur.com/vrkQ8rS.png
Unblocked: https://i.imgur.com/R74nUPt.png
(This post was edited after Dang's comment)
Please don't respond to a bad comment by breaking the site guidelines yourself. That only makes things worse. I know the GP was provocative, but your comment would be fine without those bits.
https://news.ycombinator.com/newsguidelines.html
https://news.ycombinator.com/newsguidelines.html
> In December, we noticed that articles we spent significant amounts of time on ... were being scraped by bots, run through an AI article “spinner” or paraphraser, and republished on random websites.
> Requiring an email address to read our articles has, for the moment, stopped our content from being scraped and repurposed by AI.
JAN 26, 2024 AT 9:36 AM
https://www.thetruthaboutguns.com/liberty-safe-changes-its-p...
there's a point to be made for expections of strong security where it's actually weak, but is no security at all really better than bad security?
Once it's good people will outsource the work to what is essentially a CA system where every BMV in America is an issuer and I expect it to hold up at best as well as SMS verification.
Why not let notaries or an authoritative agency issue cryptographically signed one time codes upon inspection of your physical ID? Frankly, it sounds like a superior system to me.
A government identity to do business with the government might just about be possible. A government identity to cover everything done by everyone everywhere is not. The value of cracking that system is just too high.
So the value of the system being broken is too high, yet we live in a world where it's broken, as anybody can make a photoshop of your driving license? I'm sorry I don't get the argument.
This is generally a counter to people using binary thinking and believing that a security system is broken if there is any way in at all, thus thinking things are either in the categories "secure" or "insecure" without any further qualification. In fact those categories don't exist. It is intrinsically at a bare minimum a spectrum of security, and one can slice & dice more finely if one likes based on what sort of attacks various different types of attackers can mount, e.g., defending against whole-internet scans is one thing, nation-state attackers specifically targeting you quite another.
I'm using it in a different way: When what you want to lock behind your security system is essentially "all economic value in the world", such as "we'll solve all identity problems on the internet by just having the government provide identities", that means you need to create a security system that is more expensive to break than "all economic value in the world". However, you can't. Any conceivable security system is easier to break than that.
There is a sense in which it is simply necessary that there be a wide variety of independent identification systems, each individually covering sufficiently small amounts of value that they are possible to exist at all, and with a diversity of costs and strengths to cover the various cases.
Do I really?
Let me send you that totally secure fax with my totally secure signature drawn by hand. Far more secure than a digital document signed by this scary, newfangled electronic signature, which could have been hacked and is therefore totally insecure.
On the other side of the spectrum, there is Dutch digi Id, which is the only way to use any government service online and works either with pure and simple username+password or a second factor through the app. There is no rocket since involved -- government agency sends you an activation code to your registered address and you activate the app.
Then there is Ukrainian Diia, which is kinda both and also bundles government services themsevles and a digital id generator into the same app. But it's all built on top of existing PKI infrastructure that is used for decades before to tackle the problem of district tax office doing shenanigans with your tax reports.
Add:
And of course the most no brainer way to roll it out in a fragmented landscape of US is to let banks be Oauth2 providers, as they are already tasked with KYC stuff and have a license to lose. See https://www.bankid.com/en/
refs:
https://www.concretecms.com/about/blog/devops/how-make-us-go...
https://diia.gov.ua/
https://www.digid.nl/en/security
That doesn't stop banks from pulling all kinds of shit with their customers' identity or what they believe to be that. The amount of credit scams possible in the US is mind-boggling for me as an European.
Such as?
[1] https://en.wikipedia.org/wiki/Wells_Fargo_cross-selling_scan...
Yeah, the same works in the Czech Republic, the banks provide an OIDC service, including document signing, see https://www.bankid.cz/en
It hasn't caught on for verification outside of government yet.
Everyone in possession of an ICAO 9303-compliant ID card / password (so, at least everyone in Europe) already has such a thing. These cards can be read by any NFC enabled smartphone that can act as a reader, and the chips themselves can act as a a secure element capable of a range of cryptography functions.
The problem is that while ICAO 9303 is a standard to retrieve and verify the data, it's fundamentally based on the assumption that it is just used to retrieve the data written in cleartext on the card as well as the biometric data so that you can build a staff-less boarding solution for air and sea ports. It's just a read-only dump of the data, signed with a certificate from the card issuer.
We'd additionally need a standard similar to what Germany and Croatia have done that allows a person to use their computer or phone as an NFC reader "proxy" to create a digital signature against a service-provided challenge that can then be traced back to the government's PKI.
Or, to put it in SSL terms, each government has a root CA, that issues a sub-CA certificate to the card producers ("can issue certificates for #.de"), who in turn have the card provision its own public/private keypair, and then sign the card's public key to use as a sub-CA ("can issue certificates for #.person-identifier.de").
Why bother with NFC if the phone itself has secure enclave and a biometry check to lock it down too?
And the best part of course, the federal government of US doesn't just have a standard, but actively uses all that for quite some time, just explicitly without NFC.
There have been a lot secure-enclave exploits against both Apple [1] and everyone else [2], and fingerprint readers can also be bypassed. The Secure Enclave itself has a giant attack surface and is highly complex. (That however does not stop dreams of "digital driver's licenses" and whatnot, though, but that's another question)
In contrast to that, ISO 7816 smartcard stuff has been in use for decades, and (unless it's Javacard...) a very limited complexity. It's rare to see something else other than sidechannel attacks.
[1] https://news.ycombinator.com/item?id=24025502
[2] https://www.zdnet.com/article/manual-code-review-finds-35-vu...
The German AusweisApp2 is fully open-source (to protect against the first scenario), and it might be possible to do it in a web app assuming Web NFC gets more widely supported [1].
The second scenario is protected against by the keys being provisioned on the smartcard during manufacture (or, if the user so desires, at the touchpoint where they get handed over the ID card) and being unable to be exposed, at least not without either destructive methods or side-channel attacks.
[1] https://developer.mozilla.org/en-US/docs/Web/API/Web_NFC_API
Never heard of any successful identity thefts in this system, except where someone has been tricked into signing something with their BankID that they shouldn't have. That's pretty hard to defend against on a systematic level though, at least in a way that's fool-proof.
https://www.bankid.com/
While I'm sure Neural Networks bring this to a new level, I feel like this wouldn't be hyper difficult to automate without them.
What's more, $15 sounds like a lot. If this wasn't certainly going to be used for less-than-ethical purposes, I feel like it would be ripe for disrupting this market with $5 or $2 IDs of various quality.
Although I think you're right, the market tells us that this is likely either too high-skill and/or high-labour and/or easily detected.
It's all snake oil devised to shift the risk from a party who has a mandate to perform KYC to some broken by design AI woodoo, which will generate free money until it doesn't once the landscape or the legislator's will mood change.
They bank will then perform the actual KYC and will start asking questions once it sees something funny and will eat the cost of fraud at the end of the day.
It is.
Today.
Do not underestimate criminals. They have a full dark free market operating that you may be completely unaware of. The "Dark Web" is not just a media slogan. There is an entire economic ecosystem with high levels of specialization and structure already in it. There are already organizations smart enough to have people who can take this, productize it, and be the one selling the metaphorical shovels to the lower level criminals who buy this product and then take all the direct risks of doing the actual crime.
Today's high-skill attack is tomorrow's product.
I'm just not seeing why they would need to employ either great skill or motivation in this case. Just saying the task does not seem very difficult, but is described as being so.
Would be happy to learn why it would be though!
It’s bananas that a picture of an ID sent over the internet was ever considered identity verification.
Anyone who’s ever had their identity “stolen” knows how little effort banks and business will put into identity verification before making their mistake your problem.
In the UK, if I want to hire a car, I have to provide a code from a Government website which is tied to my driving licence. The hire company check the validity of my licence using that one-time code.
Similarly, the passport service provides an API which lets authorised organisations check the validity of a passport.
Relying on a photo of a document is as ridiculous as relying on a signature on a credit card receipt!
Seriously, this is not kind of shenanigans you want to be doing for no reason at all, simply because the reason would be invented by someone else.
https://secure.ssa.gov/poms.nsf/lnx/0110201035
It's probably well past time for legislation prohibiting anyone else for using it for that purpose, preferably with some teeth.
As you say, most people's SSAN has been compromised many, many times.
No, it is time for legislation prohibiting people from being held responsible for a business’s lack of due diligence. If the lender wants to use SSN to give out thousands of dollars, that is entirely on the lender.
The businesses will automatically stop using mechanisms of identity verification that cause them to lose money.
The only problem is the government has foisted the costs of the lender’s due diligence onto the general public. If a lender wants to collect on debts, they should need more proof than an SSN/DOB combo, and no one should have to spend time correcting their credit report from no fault of their own.
You could both limit the victim's responsibility for identity theft, and prohibit businesses for using the SSAN as a means of identification, with a whopping fine attached.
> The businesses will automatically stop using mechanisms of identity verification that cause them to lose money.
You mean like if they were forced to pay a gigantic fine?
https://www.neon-free.ch/en/blog/about-neon/identification-v...
I have a single proper horror story with otherwise flawless (yet nontrivial) Swiss bureaucracy - one of those situations where you are completely at the mercy of incompetent bureaucrat which couldn't care less, to allow just your basic existence in this country as a highly sought-after expat, since evidently solid past 12 years means nothing.
You see the process working on others within few weeks yet you are stuck there, without any info apart from 'wait', without any option to anyhow contact physical person handling your case, your main permit allowing your existence here expiring, yet the evidently lazy bureaucrat which sometimes picks up official phone for whole bureau doesn't bulge a bit, stating 'there is no time limit how long this could take, bye'. I tried naively to just go to the bureau but was literally kicked out of the building. Literally untouchable folks.
And then other bureaucrat by chance picks up a phone and takes a look after a year during one desperate final call, balks in horror and WTFs, goes on 5 minute tirade full of apologies (I guess I could sue Geneva canton for undue stress on me and whole family since that shit was real we could be easily forced out) promptly does everything in 5 minutes.
Yeah, using bad (phone) photo copies of IDs in 2024 is the least problem with Swiss bureaucracy for me here, there seems to be a lot of ingrained trust in the system (which is great when it works).
Most likely what happened is your case (in a physical form of a folder) was simply in a wrong physical place, forgotten, not transferred to a different case worker after a previous one retired/went on vacation/etc or otherwise slipped through the cracks.
Email response from filled cantonal online form came back after 3 months, with... 'wait'.
Till this day I believe this was an actual evil person getting kicks from this slow suffering of poor desperate foreigners who have absolutely 0 way of doing anything, even having decent polite conversation. And its hard to ignore the fact that suing an office which maybe will issue you most important papers in your life may not be the smartest course of action.
They say its roughly 1/20 sociopaths and 1/100 psychopaths in general population, not that hard to meet them if you are unlucky.
Have also had a provider that insisted on sending in a picture of a barcode for something (too many users entering in the values wrong), but on their side, it was just a human typing them in, and still made an error.
There is a non-profit, AAMVA (AMERICAN ASSOCIATION OF MOTOR VEHICLE ADMINISTRATORS) which provides some businesses with access to verify ids in some states. A list of states supported is here https://www.aamva.org/identity
That said, things are changing and hopefully more states will adopt something more standardized.
Adoption is painfully slow.
EDIT: Yes, there are other groups/ideologies that also think that having fifty or so separate state databases for a basic administrative function is better than having one federal database. Not sure how much political power sovereign citizens or libertarians have compared to evangelicals, but consider yourself counted, I guess.
And the gun people. And the sovereign citizens. And the "states rights" people. And the constitutional originalists. And the capital-L libertarians. If you don't want to carry an ID card, there is a variety of communities to help you amplify that opinion in the most annoying and disruptive ways possible.
Unless of course the real push to sabotage it comes from people actively interested in having fraudlent ids in circulation or rely on undocumented people to do low-paying jobs, or something.
Don't want to have a federal id? Sure, here is your federated id prefixed with TX-, with all the PII stored in a datacenter in your state. Don't want to have another id issued? Sure, type in the number of your driver license issued when you were 16 years old. Don't like numbers at all? Okey, type in your baptism name, dob and the name of the church or apply through a snail mail.
It's not like Europe has a pan-european id issuing authority or a single unique number to identify a person through all of the databases on a continent. Even if did, some people would still have another identity number in US to open an account there.
(Along with a surprising amount of stuff we still have like National Police, Mother's day, being on the UTC+1 timezone, the alarm siren we get every first wednesday of the month, Licence IV for opening bars, etc)
"Say what you want about the tenets of National Socialism, at least it's an ethos."
(Although a lot of these measures were pretty police-state-ish.)
Well that sounds as useless as it would be frustrating.
And yeah, the usefulness is dubious.
Or opposition who know just how many times national IDs have been used as a tool for oppression and murder.
Hint: a lot. Not just in Nazi Germany or the Soviet Union, either.
The Hutus and Tutsis in Rwanda look pretty much the same, and even speak the same language. Rwanda had a national ID card system that identified which one you were, which made matters much simpler for the genocidal murders.
South Africa had "passbooks", used to enforce the infamous "pass laws".
And so on.
Dismissing those concerned about privacy as "religious fanatics" is both unfair and incorrect.
I'm not sure how a state-level database is supposed to be safer in real life. The idea that state governments are somehow less dangerous to minority groups than the federal government conflicts with large swaths of US history.
[1] https://www.wired.com/2012/12/upc-mark-of-the-beast/
[2] https://www2.cbn.com/article/finances/are-credit-cards-assoc...
[3] https://www.usatoday.com/story/news/nation/2021/09/26/covid-...
It will be relevant in a very improbable case the states would be at war with each other. It's an odd threat scenario to optimize for, but maybe something like that happened already and people are still not happy about the result. I dunno.
You do realize that's actually happened before, right?
Yes, you are. You're lumping everyone opposed to a national ID into the category of "religious fanatics".
> I'm not sure how a state-level database is supposed to be safer in real life.
Because mitigates the potential number of victims. The population of the United States is about 330 million. The population of California (the most populous state) is only about 39 million.
Now, some states would cooperate with a potential tyranny, and hand over their databases.
Others... would not.
That is an extreme exaggeration and not even close to true. There a myriad of legitimate reasons to not want a national ID. My reason, for example, is that States are sovereign and identifying citizens is not a Constitutional power given to the Federal government.
I would also argue that the Federal government has sneakily made a national ID with the RealID initiative.
lol. come on. Passports the IRS, etc. The federal government implicitly and explicitly has the right to identify you.
Are you aware that not all rights granted to the government are in the constitution?
I can tell you are going to want to dispute that, but doing so would only be a display of ignorance.
Plenty of rights the government has are are a result of later caselaw or legislation, and not outlined in the constitution. If you want to say those don't count, then you're probably a 'sovereign citizen' type.
Way to attempt to be dismissive of a literal reading of the Constitution that ostensibly governs this country. If a sovereign citizen is somebody that believes in self-governance of the people then, thank you. This country was created and defended by people that believe this. I am proud to be part of that tradition.
10th Amendment The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.
So, 10th Amendment says that later caselaw and legislation that gives more power to Federal government than was defined in the Constitution is illegal. The only way the Federal government can legally get more power is through Constitutional amendments.
lol, called it.
> All powers that the Federal government has are explicitly granted in the Constitution.
This is just incorrect. As I said, caselaw and legislation grant rights not explicitly in the constitution.
That's just a fact, and I'm not really interested in debating it or any various fringe theories of how some people think things ought to work, anymore than I have an interest in debating Pangaea existed or that the sky during daylight generally appears blue to humans.
Take care.
Seems like convincing that website I am you would be the weak point here. I'd be more concerned about that than someone spoofing my id like they are doing here. Because in the future I could almost definitely prove they spoofed my id. Not so with accessing a website.
Of course the government databases via APIs is more secure, but that doesn't make everything else ridiculous.
Saying the US isn't modern because of this one thing is silly. The US ostensibly leads technological investment, has the an advanced military, puts rockets in space and recovers them, had the internet before most of the world, iPhone, all the software we all use the world over, the list goes on.
Such a site/AI might put pressure on widespread usage for the same or a similar service but there will be political and ideological pushback - for sure.
So no I don't think this is an example of the US failing whatever it is this week. Even if it may be quicker or easier to push through such changes in wildly different political and cultural environments.
It really doesn't take much to get to the "take a picture holding the ID" step, which can still be fooled but is much more difficult than this (especially for AIs when it comes to finger count lol). But "turn your head left and right" is also pretty easy to incorporate.
If you're not making even a basic effort to confirm the person submitting the ID actually exists, your customers are already screwed. They just don't know it yet.
I'll admit I don't do much with image generation, but hands still seem to be a weak point, which is why I added a parenthetical jab at the whole system.
Finger count problem has been basically solved since Fall 2023.
The simple truth is that remote identity verification of this sort may simply be impossible in the near future. There's nothing intrinsically identifying about a video stream. It's just numbers. It isn't something you have, are, or know. We were floating along on "it's really hard to forge" but that on its own is not one of the ways of authenticating someone.
They don't do this for their own security. They do it because they're required to. And the requirement is idiotic, which is why the result is... idiocy.
I've worked in this field specifically for most of the last 7 years. It's a problem on the order of tens to hundreds of millions of dollars annually if you get it wrong.
Now we're conflating underground with darknets? Journalism at its finest. What exactly is an underground website? This website is public and very welcoming to all:
https://onlyfake.org/robots.txt
One definition when I looked up the word was "a group or movement seeking to explore alternative forms of lifestyle or artistic expression" which I think also applies here.
Not after HN frontpage!
Underground makes more sense here as they're clearnet but you have to be "in the know" to know about them.
adj. 3a: existing outside the establishment, as in "an underground literary reputation"
n. 3c: an unofficial, unsanctioned, or illegal but informal movement or group
The journalist might even have intended:
n. 3b: a clandestine conspiratorial organization set up for revolutionary or other disruptive purposes especially against a civil order
Voter fraud? Single individual could go around to a bunch of different voting polls too?
A fake ID, let alone a photo of a fake ID, is not going to get you past the registration step nor the in-person verification step. At best a truly good physical fake ID might get you through to vote in another person's name, if you know where they were registered and beat them to it. But that is not what this tool enables.
This system is not without its flaws. Plenty of people are disenfranchised because they either failed to properly register ahead of time, or failed to show up at the correct polling location with proper ID on election day. But AI-generated photos of fake IDs is not one of this system's weaknesses.
More likely you would use them to gain access to someone's accounts and steal their money/credit/etc.
Where AI could come into the picture, so to speak, would be in cleaning up a random selfie photograph that is not suitable as an ID photo, into an ID photo. Changing the lighting, removing the background, and perhaps adjusting the facial expression.
Using AI for the remaining textual parts of the ID would only lead to defects.
2. An image of ID printed on glossy photo paper (which I'm guessing this is) is not going to fool anyone who asks you to take your ID out of your wallet. This is only good for flashing in someone's face to get into a club.
Given how political a topic IDs are in the US even in their physical/offline variant, I'm not holding my breath for that.
However, in the banking case (and likely government, but I cannot speak to that directly) they are running your data against a KYC API so chances of your information being valid are low.
This flow was designed, and only works, for branch-based KYC: The bank employee physically looks at the ID, makes sure it's you, examines the many physically hard-to-forge elements on the card, and then queries an API that tells them whether the same ID was ever issued with that data on it (name and photo).
Bringing that flow online in the age of GANs is an absurd concept, right up there with using a short, unchangeable numeric personal identifier as a bearer token for authentication. The fact that financial institutions in some countries actually do both doesn't make it any less absurd.
They offer all validations behind an API, so you don’t need to know how a Nigeria driving license looks like.
Nice people and nice products.
Even if the rest of the ID is fake, at least you have a record of that person's face; you can attest to the fact that the person who gave you the ID, whoever they may be, looks like the picture you have.
This stuff would work decently well for the "send us a photo of your ID for verification" shit that is more and more common online.
To put more meat on the bone: Plaid is basically KYC for any service that matters anymore, and this $15 autogen service doesn't help you when you get to the face-scan/hold your ID next to your face level, which is required for any serious crypto exchange you'd wnat to use if you're a money launderer.
And even if a party does ask for doc verification, even if you fail - an account can still be opened.