Although the fabricated passport likely would not withstand scrutiny due to the absence of an embedded chip, it proved sufficient to bypass the most basic KYC procedures employed by some fintech services.
From what i gather about these “Know Your Customer” systems, they take the photo of your ID, check if it is realistic enough and then check the picture on your ID (bad as it is) against your authentic photo made through the app. Verification against 3rd party API confirming existence of such ID while welcome / preferred seems to be optional (doesn’t work for all IDs - there may be technical/ legal barriers).
So the vulnerability has probably always been there, still is (?!?), for a sweet moment in time it was just more easy to exploit?
There’s some comments on HN that indicate that the first article said it could theoretically bypass a few specific ones, which later articles (including the one linked here) “telephoned” into saying that it actually did.
Doesn’t it say:
From what i gather about these “Know Your Customer” systems, they take the photo of your ID, check if it is realistic enough and then check the picture on your ID (bad as it is) against your authentic photo made through the app. Verification against 3rd party API confirming existence of such ID while welcome / preferred seems to be optional (doesn’t work for all IDs - there may be technical/ legal barriers).
So the vulnerability has probably always been there, still is (?!?), for a sweet moment in time it was just more easy to exploit?
There’s some comments on HN that indicate that the first article said it could theoretically bypass a few specific ones, which later articles (including the one linked here) “telephoned” into saying that it actually did.