#284—How AI creates fake IDs that work

Also, Farcaster’s moment

Welcome to Yaka Stuff, our weekly newsletter that covers news, industry perspectives, and updates from the Hard Yaka ecosystem. Check out our last report here.

This week:

1. How AI creates fake IDs

2. The US Treasury is worried

3. Quote of the week

4. Farcaster’s moment

5. Stuff happens

1. How AI creates fake IDs

So this happened—reporting from Joseph Cox at 404media:

An underground website called OnlyFake is claiming to use “neural networks” to generate realistic looking photos of fake IDs for just $15, radically disrupting the marketplace for fake identities and cybersecurity more generally. This technology, which 404 Media has verified produces fake IDs nearly instantly, could streamline everything from bank fraud to laundering stolen funds.

In our own tests, OnlyFake created a highly convincing California driver's license, complete with whatever arbitrary name, biographical information, address, expiration date, and signature we wanted. The photo even gives the appearance that the ID card is laying on a fluffy carpet, as if someone has placed it on the floor and snapped a picture, which many sites require for verification purposes. 404 Media then used another fake ID generated by this site to successfully step through the identity verification process on OKX. OKX is a cryptocurrency exchange that has recently appeared in multiple court records because of its use by criminals.

It’s unclear if this is a Jumio issue, one of OKX’s identity verification partners:

OKX uses a company called Jumio for at least part of its identity verification process. Stuart Wells, CTO for Jumio, said in an emailed statement that the company’s “advanced ID verification process uses mobile or webcam document scanning tools that allow security teams to cross-check against trusted sources and mitigate the number of fake profiles and malicious activity. Ultimately, these added identity verification measures better protect users by deterring fraud attempts right from the user onboarding stage.” When 404 Media then explained we had successfully passed the identity verification process using a fake, generated ID, Jumio said it could only comment on Jumio’s own technology, rather than OKX’s processes.

But the fake documents purportedly work on a number of well known exchanges:

Abhishek Mathew, a cybersecurity researcher who has followed the site, told 404 Media that real criminals are using OnlyFake in this way. “Many use this service for carding, creating fake bank accounts and also many use this service to unban their crypto accounts like Binance where they ask IDd proofs,” they said in an online chat. A Bitcoin address used by the OnlyFake service has received more than $23,500 worth of the cryptocurrency, according to blockchain records. The service accepts many other forms of cryptocurrency too, though.

OnlyFake’s owner, Wick, told 404 Media their service could be used to bypass verification at a host of sites, including Binance, Revolut, Wise, Kraken, Bybit, Payoneer, Huobi, Airbnb, OKX and Coinbase. In the same message they claimed, unconvincingly, “using our site for the purpose of forging documents is prohibited.”

It’s apparently that easy. Moreover, OnlyFake offers tools against more sophisticated verification processes that require video or photo proof:

Where things get a bit more tricky for fraudsters, and where some sort of other service or skill set would be required on top of OnlyFake, would be sites that ask for video or photo verification which ask the user to physically hold up their ID to the camera. That, obviously, is not really possible with an ID card that doesn’t actually exist. Other related sites have something of a workaround, or at least offer a helping hand. Users can purchase sets of photos from a choice of hundreds of people holding up blank pieces of paper, laptops, and plain passport-shaped objects to a camera, which they can then superimpose their fake documents onto. Presumably the photos would need to match, but multiple sites 404 Media visited offer a stream of real people ready to fulfill that role. Each set costs $45. It is not clear who exactly these people are, be they unsuspecting victims, direct accomplices, or perhaps people paid to be in the photos.

Cox isn’t new to skirting security protocols with AI tools. He was also able to scam his way into his own bank account:

This isn’t the first time I’ve successfully demonstrated the power of AI-adjacent tools for fraud. Last year I created an AI-generated version of my voice using a tool called ElevenLabs. With that, I broke into my own bank account, bypassing the biometric voice verification with my AI clone. “My voice is my password,” I commanded my AI doppelganger to say at the time. 

The rise of the internet and digitization broke a lot of society’s security measures when it came to identity, and the reality is that we’ve never addressed the core issue. Most solutions have been band-aids, which, with the rise of such tools, are only becoming easier to sidestep.

It’s beyond time to rethink our frameworks for digital identity.

2. The US Treasury is worried

Those concerns are only heightened with the rise of digital money.

Here’s Cryptoslate (via Mitja Simcic):

The U.S. Treasury Department said on Feb. 8 that its latest risk assessments show that virtual assets currently represent a small fraction of total money laundering flows compared to fiat currencies; however, they are becoming an increasing concern for regulatory and enforcement agencies.

…

A major concern the Treasury raises is inconsistent compliance with AML/CFT regulations across different jurisdictions. This inconsistency, coupled with the unique features of virtual assets that facilitate anonymity and cross-border transactions, poses significant challenges in curbing money laundering activities.

According to the report, the adaptability of money launderers to the digital age is evident in their use of sophisticated tools and methods to obscure the origins of illicit funds. It details how criminals leverage various technologies and methods to obscure the origins of illegal funds, complicating the efforts to trace and counteract money laundering.

3. Quote of the Day

Speaking of the Treasury, here’s Janet Yellen on stablecoins:

"Stablecoins pose risks to the financial system that both FSOC and the President's Working Group on Financial Markets have identified as potentially becoming significant over time, and we would very much welcome an effort by Congress to create a regulatory framework that would be appropriate to address those risks."

Relevant:

• POLITICO Pro: Waters: Lawmakers 'very, very close' on stablecoin deal

• The Big Misunderstanding: What MiCA Really Means for Stablecoins in Europe

4. Farcaster’s moment

The hype around decentralized social media has died down a bit from the highs of Elon’s Twitter acquisition, but Farcaster’s release of Frames has brought renewed vitality to the space.

Here’s Farcaster founder Dan Romero explaining Frames to Coindesk:

Frames are interactive social media posts. And the best analog to think about is when you use Twitter, you can post a tweet with text, image, video, and then there's one type of post that you can do on Twitter that has some interactivity, and that's a poll, right? So you can pick the options you want, and then as a kind of a reader or a viewer, you can vote in someone's poll and then see the results.

But with a poll, Twitter controls that entire experience and you can't modify it. You can't come up with a new creative way of displaying that poll or another use for those buttons. It's pretty constrained.

With Frames, it gives developers a kind of total canvas within our app to kind of display content and then have interactivity, define what the buttons that will show up next to a frame. And so it's kind of almost like a mini app within an app. And it's kind of like a mini app within an app.

What's important is it meets the consumer where they are. So there's no need to go install another app. There's no need to kind of fiddle with connecting a wallet and the kind of back and forth dance. You open up the app, you see a frame as a social media post in your feed. You're able to tap on a button and then have something happen. And there's a variety of different use cases. So kind of your more simple ones, polls.

We now have polls on Farcaster, but you kind of have tarot card reading and playing chess. And then people got really creative and said, well, what can we do with the kind of on-chain side of things, right? And actually kind of enable people to have these frames in the feed do something on a blockchain. And so what we've seen people have are kind of like mint NFTs right from a frame. And we've even had creative use cases, like someone built a full shopping cart for buying Girl Scout cookies that you could kind of do all the interactivity right from inside a social media post. And then at the end, you click, and then you actually pay with crypto. And so what's been great about it is developers, even within this really simple canvas, have had just tremendous creativity. And what's been great for users is it just meets them where they are. So developers now get users, and users get actual delightful, interesting experiences right in their feed.

The network has since seen a 400 percent surge in daily active users.

5. Stuff happens

• Making Sense of Tether on Tron

• Loyalty Points Are Crypto’s New Bait

• POLITICO Pro: Gensler ‘absolutely’ plans to stay on at SEC in second Biden term

• NYCB in Talks to Offload Mortgage Risk, Exploring Loan Sales

• NYCB woes reignite fears about shaky banks as anniversary of March crisis nears

• Changing The Tune On Tokenization

• Prometheum, the Only U.S.-Registered Crypto Platform, Picks Ether as Its First Product

• The programmable fintech stack

• Ripple Must Share Financial Statements Requested by SEC, Court Rules

• Solana Engineers to Deploy Fix as Network Suffers 'Major' Outage