Browsing through Reddit, I came across subreddits like r/rateme and r/amiugly. These are subreddits where people post photos of themselves for others to comment on how they look and how to improve them. But there is a catch…

To combat the posting of fake profiles, the moderators of these subreddits ask you to hold a piece of paper with your username, the date and sometimes the name of the subreddit written on it in at least one of your photos.

There are dozens of subreddits that require uploading such images to distinguish genuine users from catfish or bot accounts.

Recently, I signed up for an online banking service that required me to upload a photo of myself and ID documents to sign up. At the end, I was asked to upload a selfie of myself holding a government-issued ID for verification.

As someone who has spent months exploring exposed S3 buckets, Azure blobs, and exposed databases, I’ve come across a few KYC (Know Your Customer) image databases from smaller fintech and crypto companies. Most of them used similarly formatted images for KYC checks.

The verification images from these subreddits can easily be manipulated to look like the verification images required by online services during KYC verification.

Most countries’ government-issued ID cards, driver’s licenses and passports exist as easily editable PSD files that have been available in underground markets forever.

Various Countries ID Card Editable PSD Files On Sale

All it takes is a person of average skill to photoshop one of these edited PSD files in place of the username paper. Add proper lighting and reflections to the image and it should pass as legit.

We have already seen North Korean actors photographing faces and ID cards in the same images to get KYC-verified on crypto exchanges.

They got caught in this case because they used the same body wearing the same t-shirt. But if they had used photos of random individuals from these subreddits or other similar sources, they would have been off the hook.

Felixo Token has detected similar incidents from KYC fraudsters in the past. The attackers were using photoshopped images to create thousands of accounts to earn a referral bonus.

These subreddits provide an endless daily supply of images that KYC scammers can work with.

Use cases for manipulated images

These manipulated images are used by fraudsters to generate synthetic identities, which they use to create accounts on different crypto exchanges and other platforms.

These accounts are then sold in underground marketplaces and forums to others who could use them to launder money or receive funds from illicit activities. Alternatively, the accounts are used in large-scale coordinated frauds like the Felixo Token case.

A Telegram post advertising verified crypto exchange accounts for sale

Marketplaces for such images

The image format of a person holding a piece of paper or a card in their hand is the basic model for KYC verification images. Some fake ID marketplaces have started listing selfies with an editable ID card in hand and an exchangeable background for sale.

Market vendor showing editable selfie with ID card
A seller offering face swapping and selfie making services for sale

What can be done to stop the potential abuse of these images?

On the Reddit side – Reddit should make these verifications private, so that users verify their identity by sending these images to moderators in private messages rather than in public posts. Nevertheless, malicious moderators can take advantage of the process, as they are all volunteers and not bound by any agreement.

On the business side – A static image of yourself holding an ID card shouldn’t be the only way to verify KYC documents. Major crypto exchanges have their own custom live video solutions and strict AI/ML controls in place, but some smaller businesses still use old-school static images for KYC verification. This exposes small exchanges, such as those on fintech apps, to a higher risk of these KYC frauds. If smaller exchanges cannot develop in-house capabilities to perform such checks, they should use a third-party solution that performs liveness checks and other AI analysis of images to detect Photoshop edits and other image manipulation.
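The North Korean case above was caught because the same body and t-shirt were reused across submissions. As an added example (not from the original post or from any vendor's product), the Python code below shows one way a smaller exchange could flag that kind of reuse in static uploads with a difference hash; the 8x9 thumbnails, the account names and the distance threshold of 10 are constructed assumptions.

```python
from itertools import combinations

def dhash(gray):
    """Difference hash of a grayscale thumbnail (rows of 0-255 ints).
    Each bit records whether a pixel is brighter than its right neighbour,
    so the hash follows image structure rather than exact pixel values."""
    bits = 0
    for row in gray:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left > right)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def flag_reused_templates(submissions, max_distance=10):
    """Return (account, account, distance) for near-duplicate selfies.
    max_distance is an assumed threshold that needs tuning on real data."""
    hashes = {acct: dhash(img) for acct, img in submissions.items()}
    flagged = []
    for a, b in combinations(sorted(hashes), 2):
        d = hamming(hashes[a], hashes[b])
        if d <= max_distance:
            flagged.append((a, b, d))
    return flagged

# Constructed 8x9 grayscale thumbnails. A real pipeline would first decode
# each upload and downscale it with an image library (assumption).
TEMPLATE = [[(40 * r + 97 * c) % 256 for c in range(9)] for r in range(8)]
# Same photo with a small region (rows 0-1, cols 3-5) replaced, standing in
# for an edited face on an otherwise reused body and background.
SWAPPED = [row[:] for row in TEMPLATE]
for r in range(2):
    for c in range(3, 6):
        SWAPPED[r][c] = 255 - TEMPLATE[r][c]
# A structurally different photo from an unrelated applicant.
UNRELATED = [[(91 * r + 160 * c) % 256 for c in range(9)] for r in range(8)]

SUBMISSIONS = {"acct_1": TEMPLATE, "acct_2": SWAPPED, "acct_3": UNRELATED}

if __name__ == "__main__":
    for a, b, d in flag_reused_templates(SUBMISSIONS):
        print(f"{a} and {b} share a base image (distance {d} of 64 bits)")
```

An exact file hash would treat acct_1 and acct_2 as different uploads; the perceptual hash still links them because only a small region changed. This complements liveness checks and does not replace them.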

