Yet Another ID Verification Service Breached, Exposing Private Info Collected On Behalf Of Uber, TikTok & More

from the play-stupid-age-verification-games,-win-stupid-privacy-prizes dept

As more and more governments try to pass more and more laws requiring age verification, some of us keep pointing out that age verification will cause a ton of harm. For all the talk of how it’s necessary to “protect the children,” the only way to verify ages is to collect a ton of private information on people, which then makes that information a target.

People like Jonathan Haidt in his new book like to pretend that there’s some magical way of doing privacy-protective age verification by outsourcing it to a third party, but that just passes the buck and makes that third party a target. Just a few weeks ago, we talked about this a bit in the context of Australia, where a third-party age ID verification vendor used by bars had a breach, leaking more than 1 million customer records.

Of course, some people would say, “but that’s a bar, that’s different than a website.”

Well, then, this new story should catch your attention. First reported by 404 Media, AU10TIX, an Israel-based online identification company used by TikTok, ExTwitter, Uber, LinkedIn, PayPal, Fiverr and others, has been leaking drivers’ licenses. For over a year.

The set of credentials provided access to a logging platform, which in turn contained links to data related to specific people who had uploaded their identity documents, Hussein showed. The accessible information includes the person’s name, date of birth, nationality, identification number, and the type of document uploaded such as a drivers’ license. A subsequent link then includes an image of the identity document itself; some of those are American drivers’ licenses.

The data also appears to include results from AU10TIX’s verification process, with a field for “liveness” reading “true”; the “probability” of that conclusion on a scale of 0 to 1, with a potential result being 0.9486029; and other fields called “DocumentAuthenticity” and “OverallQuality.” More results appear to relate to AU10TIX’s comparison of a photo of the person’s face to their uploaded document, with another section referencing a photo called “PhotoForFaceComparison.jpg.” 

Another screenshot from the tool shows a line chart with one axis labeled “clientOrganizationName.” That axis includes “TikTok_Shop_Creator,” “Impersonation_XCorp,” and “uber-carshare-passport,” apparent references to the three tech giants. 

Cool, cool. Nothing to be concerned about there at all.

Just last year, when Elon first hired this company to provide identification services for ExTwitter, we warned that these systems are not at all reliable and can be a threat to privacy. Turns out we were right.

As always, collecting unnecessary data makes you a target. And this data became a target and was exposed. The way we minimize that is not by forcing more companies to collect more such data. It’s to not need to collect such data in the first place.

This isn’t a case where someone just discovered this breach and no harm was done. Indeed, it appears that significant harm was done here:

The credentials appear to have been harvested by malware in December 2022, and first posted to a Telegram channel in March 2023, according to timestamps and messages from the Telegram channel that posted the credentials online. 404 Media downloaded these credentials and found the name matched that of someone who lists their role on LinkedIn as a Network Operations Center Manager at AU10TIX. The file contained a wealth of passwords and authentication tokens for various services used by the employee, including tools from Salesforce and Okta, as well as the logging service itself.

So this data has been out there for over a year. And shared. Widely. For over a year.

Can lawmakers please stop requiring more companies to harm everyone’s privacy this way? These breaches are only going to keep happening, and they’re only going to get worse the more and more ignorant policymakers keep forcing more companies to collect more such data, based on a myth that age verification will magically make the internet safe and wholesome. It won’t.

It’ll just expose private data to scammers.

Companies: au10tix


Comments on “Yet Another ID Verification Service Breached, Exposing Private Info Collected On Behalf Of Uber, TikTok & More”

25 Comments
This comment has been deemed insightful by the community.
That One Guy (profile) says:

Anything is easy when you aren't the one who has to do it

Sadly, since the correct response to this would require politicians to admit that age verification is a monumentally stupid and dangerous idea, and therefore that they were wrong to suggest and push it, I expect that the response, if any, will ultimately boil down to ‘Well, they should have nerded harder and made it more secure, since everyone knows that perfect security is possible if those involved just try hard enough.’

Anonymous Coward says:

Re: Re: Re:

It’s called a “weak link”: you store a non-unique identifier for each user that would match many people from different information. The exact data is lost, but enough is kept to match two different profiles with good (but not perfect) certainty.
Below a certain match probability, just ask the user for data again, which would match other new users.
Nothing complicated, and once data leaks, all your biometric data (which, by definition, you cannot change) is not out in the wild.
The only benefit of storing personal data pretty much everywhere is for law enforcement to find suspects easily. Of course, that could never happen.
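As an added illustration of the idea this comment describes (example code written for this page, not from the article, the commenter, or any real verification vendor), the sketch below retains only a short, deliberately non-unique bucket derived from a user’s details instead of the details themselves. The bucket width, the confidence threshold, the Bayesian collision model, the field names and the synthetic population are all assumptions made for the example; the “ask-again” branch is the comment’s fallback of re-prompting the user when a match is too uncertain, and `candidates()` shows what a leaked bucket value would and would not give away.

```python
import hashlib
from dataclasses import dataclass

BUCKET_BITS = 4        # 16 buckets: deliberately coarse (assumed parameter)
MIN_CONFIDENCE = 0.5   # below this, re-prompt the user rather than trust a match (assumed)


@dataclass(frozen=True)
class Profile:
    """Fields the user supplies during a check. Only a bucket derived from
    them is ever retained; the profile itself is discarded."""
    surname: str
    birth_year: int
    nationality: str


def bucket_id(p: Profile, bits: int = BUCKET_BITS) -> int:
    """Derive a deliberately non-unique token: hash the normalised fields and
    keep only the top `bits` bits, so many people share each value."""
    material = f"{p.surname.strip().lower()}|{p.birth_year}|{p.nationality.strip().upper()}"
    digest = hashlib.sha256(material.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


def match_probability(prior_repeat: float, bits: int = BUCKET_BITS) -> float:
    """Posterior probability that a bucket collision with a stored record is
    the same person, by Bayes' rule with `prior_repeat` as the base rate of
    returning users and a uniform 1/2**bits chance of an accidental collision
    (a simplifying model for the example, not a claim about any real service)."""
    buckets = 1 << bits
    accidental = (1.0 - prior_repeat) / buckets
    return prior_repeat / (prior_repeat + accidental)


def decide(new: Profile, stored_bucket: int, prior_repeat: float,
           bits: int = BUCKET_BITS) -> tuple[str, float]:
    """Compare a fresh profile against one retained bucket value."""
    if bucket_id(new, bits) != stored_bucket:
        return "different", 0.0
    confidence = match_probability(prior_repeat, bits)
    if confidence >= MIN_CONFIDENCE:
        return "likely-same", confidence
    return "ask-again", confidence      # the comment's fallback: request fresh data


def candidates(population: list[Profile], leaked_bucket: int,
               bits: int = BUCKET_BITS) -> list[Profile]:
    """What a leaked bucket value gives away: every member of the population
    hashing to it is an equally plausible owner, so nobody is singled out."""
    return [p for p in population if bucket_id(p, bits) == leaked_bucket]


def constructed_population() -> list[Profile]:
    """Synthetic population for the demo (constructed names, not real data)."""
    surnames = ["alpha", "bravo", "charlie", "delta", "echo",
                "foxtrot", "golf", "hotel", "india", "juliet"]
    return [Profile(s, year, "ZZ") for s in surnames for year in range(1950, 2000)]


if __name__ == "__main__":
    alice = Profile("Alpha", 1984, "zz")   # constructed user
    retained = bucket_id(alice)            # the only thing written to storage
    print(f"retained token for alice: {retained} (one of {1 << BUCKET_BITS})")
    print("returning user, 10% base rate:", decide(alice, retained, 0.10))
    print("returning user,  1% base rate:", decide(alice, retained, 0.01))
    crowd = candidates(constructed_population(), retained)
    print(f"leaked token matches {len(crowd)} of {len(constructed_population())} people")
```

Running the block shows the trade-off the comment is making: with only 16 buckets, a collision is a convincing repeat when returning users are common but not when they are rare, so the service re-prompts instead of guessing, and the token at rest maps to dozens of equally plausible people rather than to one name and date of birth.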

GHB (profile) says:

Law that forces websites to force users to give up sensitive info = law that forces users to give in themselves to data breaches

I’ve seen it on the EFF.

Parents and schools have taught their children not to give out their personal information. If a non-important site like an art site requires it, they’re taught how to lie about their age and other information on the site, even if the site’s only required personal info is their age, and lying violates the ToS.

That’s how protective parents, especially, are of their child. They don’t know what’s going on behind the scenes, especially in an online place that is not controlled by the parents or guardians.

If it weren’t for any form of identity verification mandates for non-important sites, data breach problems would’ve been mitigated, as it would be the equivalent of a crook breaking into a safe only to find that the safe is empty, rather than a law that states that the social media safes are required to have your personal info in them.

Keep such verifications only on important places. Job applications, banks, loans, government services, and airports? That’s reasonable. Social media (I’m looking at you, facebook), art, porn, forums? That is WAY TOO MUCH.

The last thing I want to see is a system resembling China’s cybersecurity law mandating sites for verification. I’ve seen Weibo bring up a login wall that asks for phone numbers, and creating an account looks like fakebook’s account creation requirements. If you combine that with the fact that you cannot access content without an account, then browsing the site anonymously to even look at something is banned.

I do not want this cancer to spread across the globe for all social media websites. I hate login walls, I hate them even more when they require personal information, and EVEN MORE if required by law to make the whole internet suffer the problems that facebook had over the years.

And finally, and this is a biggie, this is a parent or guardian’s job. It is not the government’s nor the site’s responsibility to do what is a parent/guardian’s objective: preventing the young from accessing dangerous content. How do they know exactly what is harmful to a child? At scale? Sure, pornographic content is obvious, but not so when bad actors find ways to bypass moderation like obfuscating content, dog whistling and other evasion tactics. There are other things that only a parent/guardian knows about their child, more than any other person outside the family, and it may be unique for each child across families.

If anything, it is better to just spread awareness to kids rather than to continue this endless fight that doesn’t go anywhere but to harm the openness of the web.

Arianity says:

The way we minimize that is not by forcing more companies to collect more such data. It’s to not need to collect such data in the first place.

Honestly, as a younger person it feels like it’s just a matter of time before my data ends up out there, regardless.

If not something like Uber or LinkedIn, it’ll be a credit agency or something. I’ve basically resigned myself to the fact that my data will be online regardless of precautions, it’s just a matter of when. It’s a bit depressing.

This comment has been deemed insightful by the community.
Drew Wilson (user link) says:

When it comes to personal information, laws should be in place that make it even less attractive to collect people’s personal information. If you’re going to collect people’s information, it must adhere to a list of strict standards for when that information is disclosed to third parties or simply stored and accessed.

There’s WAY too much personal information on the web today and lawmakers are going in the exact opposite direction of what they should be doing with laws like these. They are legally requiring websites to obtain and store EVEN MORE personal information just for the privilege of accessing the normal open internet, putting people’s lives at further risk.

What’s more, these efforts are just a thin wedge to put further controls on what you can and cannot see online. They aren’t going to stop at NSFW content. They will look at other things to censor like video games because moral panic is a difficult thing to stop once it gathers momentum. Heck, Australia has already moved in that direction to expand age verification law requirements to video games. I really don’t believe that they will stop there if they got their way, either. Once you have a hammer, everything looks like a nail, as they say.

This comment has been deemed insightful by the community.
Stephen T. Stone (profile) says:

Re:

For proof that your predicted escalation could happen, consider the scourge of book bans being led by right-wing provocateurs and conservative parents. Those efforts were once a mission to root out “pornographic” books. They’ve since become an excuse to go after books with little-to-no sexual content based on ideological grievances. Consider the following: Mission CISD in Texas recently agreed to remove hundreds of books from school shelves, several of which were books about the Holocaust—and those books could’ve been targeted precisely because they were about the Holocaust.

Give would-be censors the power to control what we see and hear, and they will keep going beyond their initial aims to seek full control. Online bans on porn/adult content have ensnared plenty of non-sexual LGBT content. As I just mentioned, book bans have escalated from “porn” to “books that offend me”. If we don’t take stands against this bullshit here and now, pretty soon, the only works we’ll have left to peruse are the God’s Not Dead movies and the Bible.

That One Guy (profile) says:

Re: Re: 'The existence of non-heterosexuality, positive portrayals of minorities... porn, the lot of it!'

Those efforts were once a mission to root out “pornographic” books. They’ve since become an excuse to go after books with little-to-no sexual content based on ideological grievances.

Counter-argument: It was never and still isn’t about going after ‘pornographic’ books, that was just the excuse they used to remove anything they didn’t like because it allowed them to frame anyone who objected to their efforts as ‘wanting kids to read porn’ without having to actually address or defend their actions.

That One Guy (profile) says:

Re: Re: Re:2 'That sex and/or violence doesn't count, we LIKE that book!'

Funnily enough for people oh so concerned about keeping ‘sexual’ and/or ‘violent’ material out of the hands of kids the response when people point out that their bible fits the definition all too well tends not to be ‘Oh you’re right, kids should not be reading this so we’ll pull it too’ but rather ‘That doesn’t count so we’ll add in a special exemption’, an act which serves as an admission that the bible absolutely would qualify as not-for-kids according to their own rules but they’re fine with kids reading it anyway.

That One Guy (profile) says:

Re: Re: Re:4

I believe they did just that for Utah’s ban, though it might not have been an official exemption so much as a ‘oh what were they thinking, clearly this book was mistakenly taken off shelves…’, and I think another of the state bans included the exception from the outset though I might be misremembering as I can’t recall which.

Stephen T. Stone (profile) says:

Re:

To be fair, they’ve likely never been targeted as heavily as us regular jackoffs. Someone stealing a shitload of Congress’s personal data might prompt them to actually do something besides partisan bickering.

…then again, they could pass a law that only protects them while leaving the rest of us jackoffs to fend for ourselves.

Anonymous Coward says:

Just last year, when Elon first hired this company to provide identification services for ExTwitter, we warned that these systems are not at all reliable and can be a threat to privacy. Turns out we were right.

There’s no “turns out” involved. You were right from the start.

Three may keep a secret, if two of them are dead — Benjamin Franklin, Poor Richard’s Almanack, p53

ps: why the ultra-specific citation? Because “Not every quote on the internet is true.” — Abraham Lincoln
