FB pixel

Au10tix researchers discover relaunched fake ID generation site OnlyFake

Au10tix researchers discover relaunched fake ID generation site OnlyFake
 

OnlyFake.org caused a stir among digital identity verification providers and businesses relying on biometrics to onboard customers when it was revealed as a tool for attempting fraud at scale.

The website vanished from the internet following the outcry; but not for good.

Fraud prevention researchers at Au10tix discovered the site, reborn with a new URL that can be found through the same contact channels, Au10tix Chief Business Development Officer Ofer Friedman tells Biometric Update in an email. The synthetic ID generator has added more disclaimers that demonstrate their awareness of how customers can commit fraud with the products they sell.

A warning on the new site tells customers; “Do not use the images illegally!” The website offers bulk purchases of a thousand fake identity documents for $1,500, and advertises fake U.S. driver’s licenses and passports.  The site also includes a “Denial of responsibility,” which is labeled “OnlyFake disclaimer.”

The disclaimer suggests that the fake ID templates “are only for use in movies, TV shows, web illustrations (online account verification).”

“Buying and owning a PSD template from this site is not illegal, but making a fake PVC license/card/ID for physical use is illegal and a serious crime,” the disclaimer says. “So the use for fraudulent purposes is strictly prohibited. We set up our template in such a way that people cannot physically use it (by making a fake license/card/ID out of PVC). If you are going to use our fake PVC license/card/ID card template, please exit our site immediately.”

“They are also announcing the addition of new ID document templates on a weekly basis, and have added supporting tools such as handwritten signature generation,” Friedman says. “In parallel, various channels offer ready-made bulk deepfaked IDs for sale to those who want the easy way.”

Biometric Update is not sharing the new URL, to avoid publicizing the fraud tool.

Even poor-quality fakes defeat weak defenses

Friedman says Au10tix’ researchers were surprised that the fakes sold by OnlyFake and its new incarnation were able to defeat various automated identity document verification platforms, and notes, “The hype is bigger than the quality of deliverables.”

“We ran a couple of their fakes on our double-layered defense system, and the first layer was enough to flag them on 4 different issues,” he explains. “We are aware that other ‘automated’ systems are actually human-supported. As you know, humans can detect only what humans can see, and deepfake technology is good enough to produce non-visible fakes that only proper automation can detect. So, at this point, no, it’s quite basic Gen-AI manipulation. We’ve seen much more professional AI-generated fraud, and fraudsters do get better fast.”

Businesses concerned about the threat of AI-generated spoofs should keep in mind that fraud protection systems vary significantly in quality, Friedman advises, and make sure they have a multi-layered defense. “Case-level and behavior-level, and make sure to count how many ‘check types’ are done,” he specifies. “Standard systems would be at 40-60 checks, and strong systems would be at 120-180 checks.”

Friedman notes that Au10tix’ biometrics and fraud protection technologies were developed for airport and border control applications where it must be assumed that fraud attempts may pass invisible to the naked eye.

Governments recognize the AI-generated fake ID threat’s magnitude, according to Friedman, but are somewhat hamstrung by the nature of regulation.

“The problem is that fraudsters, especially professional fraudsters, don’t really follow those rules,” he says. He does offer a suggestion for policy-makers, however: “What may be a good idea is for regulators to accredit solutions based on the level of defense they offer. They do that with hotels; why not with fraud-fighting?”

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

HHS removes Login.gov from grantee payment system after cyberattack

The U.S. Department of Health and Human Services has removed Login.gov from its grantee payment platform after a security breach…

 

City of Clemson pilots Intellicheck ID verification to prevent underage drinking

Identity verification provider Intellicheck and the city of Clemson have launched a 12 month pilot program that uses identity verification…

 

Rumors of liveness detection’s defeat have been greatly exaggerated

Photo and video face filters are perhaps the most mainstream use case for augmented reality –  and an illustrative test…

 

Companies House takes new measures to fraud fight, but not biometric IDV

Companies House, the UK’s business registry, has begun rolling out new tools to fight fraud and help cleanse the register…

 

Mitek: quarterlies, annuals, SEC actions

April 4, 2024 – Mitek is getting back on track with its financial reporting, which may be more reflective of the…

 

Jamaica parliament soon to receive draft digital ID regulation for scrutiny

Plans are being finalized to send the draft regulation on Jamaica’s digital ID program to the country’s parliament for examination…

Comments

One Reply to “Au10tix researchers discover relaunched fake ID generation site OnlyFake”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read From This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events