Au10tix researchers discover relaunched fake ID generation site OnlyFake

OnlyFake.org caused a stir among digital identity verification providers and businesses relying on biometrics to onboard customers when it was revealed as a tool for attempting fraud at scale.

The website vanished from the internet following the outcry; but not for good.

Fraud prevention researchers at Au10tix discovered the site, reborn with a new URL that can be found through the same contact channels, Au10tix Chief Business Development Officer Ofer Friedman tells Biometric Update in an email. The synthetic ID generator has added more disclaimers that demonstrate their awareness of how customers can commit fraud with the products they sell.

A warning on the new site tells customers; “Do not use the images illegally!” The website offers bulk purchases of a thousand fake identity documents for $1,500, and advertises fake U.S. driver’s licenses and passports.  The site also includes a “Denial of responsibility,” which is labeled “OnlyFake disclaimer.”

The disclaimer suggests that the fake ID templates “are only for use in movies, TV shows, web illustrations (online account verification).”

“Buying and owning a PSD template from this site is not illegal, but making a fake PVC license/card/ID for physical use is illegal and a serious crime,” the disclaimer says. “So the use for fraudulent purposes is strictly prohibited. We set up our template in such a way that people cannot physically use it (by making a fake license/card/ID out of PVC). If you are going to use our fake PVC license/card/ID card template, please exit our site immediately.”

“They are also announcing the addition of new ID document templates on a weekly basis, and have added supporting tools such as handwritten signature generation,” Friedman says. “In parallel, various channels offer ready-made bulk deepfaked IDs for sale to those who want the easy way.”

Biometric Update is not sharing the new URL, to avoid publicizing the fraud tool.

Even poor-quality fakes defeat weak defenses

Friedman says Au10tix’ researchers were surprised that the fakes sold by OnlyFake and its new incarnation were able to defeat various automated identity document verification platforms, and notes, “The hype is bigger than the quality of deliverables.”

“We ran a couple of their fakes on our double-layered defense system, and the first layer was enough to flag them on 4 different issues,” he explains. “We are aware that other ‘automated’ systems are actually human-supported. As you know, humans can detect only what humans can see, and deepfake technology is good enough to produce non-visible fakes that only proper automation can detect. So, at this point, no, it’s quite basic Gen-AI manipulation. We’ve seen much more professional AI-generated fraud, and fraudsters do get better fast.”

Businesses concerned about the threat of AI-generated spoofs should keep in mind that fraud protection systems vary significantly in quality, Friedman advises, and make sure they have a multi-layered defense. “Case-level and behavior-level, and make sure to count how many ‘check types’ are done,” he specifies. “Standard systems would be at 40-60 checks, and strong systems would be at 120-180 checks.”

Friedman notes that Au10tix’ biometrics and fraud protection technologies were developed for airport and border control applications where it must be assumed that fraud attempts may pass invisible to the naked eye.

Governments recognize the AI-generated fake ID threat’s magnitude, according to Friedman, but are somewhat hamstrung by the nature of regulation.

“The problem is that fraudsters, especially professional fraudsters, don’t really follow those rules,” he says. He does offer a suggestion for policy-makers, however: “What may be a good idea is for regulators to accredit solutions based on the level of defense they offer. They do that with hotels; why not with fraud-fighting?”

Article Topics

AU10TIX  |  deepfakes  |  fraud prevention  |  generative AI  |  identity document  |  OnlyFake  |  synthetic identity fraud