Published on

The Market For Your Driver License, SSN, and More

Authors
  • avatar
    Name
    n0 Sec
    Twitter

Origins of Investigation

Whenever researching the SIM swapping community, I noticed people frequently requesting 'lookups' for SIM-swap targets, and I was unsure why initially. I quickly realized how easy it is to both obtain this information and how essential it was to the process of account take-overs and SIM swaps.

SSNDOB.org, SSNDOB.cc, SSN24.me, Findme.cm, infodig.domains, 850score.biz

Services like the ones listed above are used to search people's 'fullz'. People in the fraudulent community typically refer to these as 'SSN lookups', they are tools meant to look up a target's name and output all of their sensitive information. This typically includes first name, last name, date of birth (DoB), social security number (SSN), address history, and phone number history. Some of the listed services on top of this provide additional information on targets, such as mother maiden name (a common 'security question' on banking apps), and credit score reports. While these sites are highly effective, the drawback is a lot of the information comes from old, leaked databases, such as voter databases, and thereby don't provide updated information on addresses and phone numbers. But the reliability for SSNs is generally okay on most of these sites, and there are even more reliable ways to find a target's SSN.

Fullz being sold, categorized by credit score.

A person's fullz has plenty of value - regardless of credit score, but the price on many sites depends on credit score. Higher credit score fullz are generally more valuable as the owners are more likely to be eligible for a loan or things of the likes that fraudsters can profit from. On some sites such as 850score.biz you can selectively purchase fullz based on a person's credit score. The credit score is confirmed by an attached credit report, sometimes old, and the site has credit scores in the 800+ range available for 39-49 USD. If you can get a credit score along with a person's driver license number, then a fullz becomes a 'pro' (short for profile). Profile is a loosely used term, but it typically encompasses more than a pro information wise, as a fullz in most context includes nothing outside of name, date of birth, SSN, and some addresses. Pro packages are compiled by black market sellers who buy from fullz from the sites above, conduct credit checks and do general OSINT (open-source intelligence, a form of researching information), and then sell the pro to buyers, who will open loans and other unauthorized activities.

The 'scans' tab of a SSN lookup site. This specific sale on that site is selling the front, back, and a picture of a person holding the front of the ID alongside their face, a selfie of them with their ID, a security requirement by some companies.

These services provide plenty of value for many different fraud situations. People buy information from these sites to make fake IDs under the victim's name to authorize themself as a victim at places like mobile carriers and banks. This comes in use when a fraudster wants to commit a SIM Swap, they can walk in with a fake ID of the victim using a date of birth found from a service like ssndob.cc, and tell the manager that they lost their phone, verifying themselves as the owner of a phone number via ID card. This is also essential when logging into some cryptocurrency exchanges and trying to withdrawal, sometimes Coinbase ask to scan ID for a withdrawal from a new device, and the fraudster must develop a fake ID of the victim. This can be done using information from 'SSN search' sites, amongst other services that will be discussed. Another example of how SSN searches relate to SIM swapping is through AT&T's SIM swap process, AT&T requires managers to scan the customer's ID barcode to perform a SIM swap, regardless of how the SIM swap is conducted. This is separate from the previous idea of walking in, as even a mobile network carrier insider at a high level requires some sort of false identification to perform a SIM swap. This is a whole new topic though that I'm only scratching the surface of.

A person requesting a license be made, likely to perform a SIM swap attack.

ID Generation, verif.tools, scanlab.cc, etc.

For many applications of identity theft, a false identification card must be made. While a fullz is nice, having someone's ID unlocks plenty of more potential. There are two options here, a physically printed ID and a fake digital ID, typically generated via automated services. I spoke to one of the few manual service providers to understand the advantages of automated tools and the advantage of manual fake ID artist. Manual fake ID artist can be physical or digital, while automated services exclusively are just digital. The extent of this research primarily focused on the USA market for false identification.

Automated ID generation tools such as verif.tools, which is said to be the 'new and better' scanlabs amongst many fraudsters work in a fairly simple manner. A customer chooses what they need generated, a bank statement, an Arizona driver license (front, back, or both), etc, and then inputs the information the site asks for on the ID. This is basically all the fields on your own ID, things like date of birth, home address, height, eye color, etc., all information obtained in the previous OSINT step of doing lookups on a person. Driver license numbers can be found via automated services that are abusing DMV databases or generated using algorithms on sites like Elfriq, keep in mind driver license numbers aren't random, they use check digits like the issue and expiration date. All this information the customer inputs is then put onto the ID automatically in the correct fields. The back for high-quality IDs is arguably more important than the front, especially for digital IDs. Many services that read IDs, such as ID.me, read the barcode of a driver license, which is located on the back. This barcode basically just encodes all of the information on the front into a readable format by a machine using a protocol called 'PDF417', people generate these barcodes using services like https://pdf417.cc, but automated ID sites like scanlab.cc automatically create this pdf417 barcode onto identification cards. These services, while convenient due to their speed, and consistently, are also limiting. Many of the templates for state IDs on these websites are outdated and become distinguishable as false IDs quicker by companies. In an interview with a false ID creator, he also claims that some of the templates used by automated sites like verif.tools generate lower quality images than individual ID creators do.

Manual ID creation, at least the good creators, have the quality of an automated tool with even more precision and more 'entropy' (randomness). Alongside this, many ID creators claim that their templates are more up to date. ID creators to compensate for the inconvenience of customers having to deal with a manual person opposed to a bot typically offer very quick delivery times that can compete with bots. Manual ID creators also better understand the extent of which their IDs are valid and can communicate better with buyers. To my understanding, the physical fake ID market typically revolves around speed and barcode. Most templates are similar enough, but some ID creators cannot generate good barcodes which are important for many people's use case with false IDs.

The price of a manual ID creation, front and back, USA, is around 30 USD, while sites like verif.tools only charge around 10 USD for most USA IDs.

Use Case, MRZ, OCR, VIZ

Most goals of IDs are to pass "ID verification" services, like ID.me, and other services 'KYC' ID-checkers. KYC, or know your customer, is a law that requires American businesses to verify customer identities to prevent money laundering, which requires that companies do their due diligence and verify IDs are not falsified. An example of this is CashApp's KYC requirement to withdrawal Bitcoins onto the Bitcoin network from an account. CashApp requires SSN, front and back of ID, and uses automated verification tools to check an ID. Security features of verification tools like these are typically: live photo required, selfie required, barcode scan. People who purchase false IDs have options, they can obtain a physically fake ID with their face on it and scan it on CashApp, or they can use a fake ID that's just a digital picture. There are two methods behind this, you can get a digital fake ID with your face and just scan your face in the selfie section, or you can keep a random person as the picture but have a different picture of them to provide as a live selfie. You may wonder, how doesn't CashApp notice that these digital IDs are only 2D on a computer screen and not physically in hand, this is solved via putting the ID on certain screens that are more readable, such as TV screens (from what I've heard, I'm uncertain). Otherwise, people just use their friends face who they pay money in exchange for having their face used for fraud, sometimes knowingly sometimes not. There are also allegdely ways to do this via using 3D-printed mannequin heads that I'm uncertain if they work, but some fraudsters claim they do.

In the title of this section, I included some acronyms, these acrnonyms are things that ID verification services use. OCR is the basis of all verification technology, optical character recognition, which reads text from an image. VIZ, the visual inspection zone, is the area that OCR is being done on, typically looking for certain fields of the ID that relevant to check if they are consistent (align with other account information). Another listed acronym is MRZ, which is a 'machine readable zone', which is an area of an identification document (for this acronym, specifically passport) that can be read by a machine that shows characters of the account owner but are encoded. Most tools like Elfriq can't properly generate a valid MRZ, putting placeholder characters for information that Elfriq can't generate, resulting in detection as a false document.

There are different types of ID verifications that are done. The easiest is when a website just allows a file upload of a front and back of an ID, in this case a digital ID can just be bought from a manual or automated service. This is used for services like PayPal's verification system when an account becomes limited. Then, the next step is typically those two uploaded images and a selfie with the document, typically a selfie with ID card. False ID verification services solve this by getting some pictures of people holding IDs and continuously re-modifying those pictures, just using them as a template. There is an alternative of this where services require the ID card written next to a piece of paper with a unique identification code that the verification service request, such as 'Coinbase.com #ABCDEFG', to verify that this ID scan is fresh and specific for Coinbase.

After this, ID verifications get harder. They require not static image uploads but live ID scan, which detect edges of the ID better, but people still just scan the digital ID from their TV to fool the system, or use a physical fake ID. After this, we step it up to arguably the two most advanced systems, ID.me and video-call verification services. ID.me is a service used for many government aid programs, frequently exploited by fraudsters, and they flash colors from the screen of the device being used for verification. Other services do similar interactive things like this, requiring a 180-degree scan of the customer's face, proving that the image isn't static. The most advanced services detect whether an image is static by requiring the person verifying their account to talk, which verifies the selfie isn't static. Some services require a live video call, where the only solution is a very high-quality fake ID. These services are the top of the line and not only verify the images aren't static, but also test how high-quality a fake ID is and can detect things like whether the ID has 'holographic features', a security features in IDs. The best physical ID verification services have holographic IDs with readable barcodes to try to get around this, but sometimes that isn't enough.

Credit Score & MMN

Credit score, as previously mentioned, has a large impact on the extent to which a person's identity is valuable. To reiterate, higher credit scores allow for higher limits on credit cards and loans, which are frequent targets of fraudsters. Credit score can be checked with a SSN, Date of Birth, and other personally identifying information online for free. Sites like Bankrate's Quizzle and other various credit indexing sites can provide credit information quickly with little verification. The extent to most credit verification questions depends on being able to answer security questions that are connected to a person's identity, like the height listed on their driver license, or the monthly car payment a person makes. This information can be obtained using OSINT tools, indexing social medias, and other tools to investigate. Sometimes fraudsters manage to not even have to answer the questions, and once they access the person's credit report, they gain answers to questions other sites may ask. For instance, the credit check may answer questions like "What is your monthly payment on your car loan from Xyz Dealership", this is typically answered in a credit report.

Mother's maiden name, MMN, is frequently mentioned amongst fraudsters because it is a common question for identity verification and password resets to credit bureaus. Lots of identity theft victims are already registered at credit bureaus like Transunion, so the hacker can just reset the password to this account knowing the account holder's personal identification information and mother's maiden name. This can be indexed with sites like Archives.com, and sometimes just general people search sites like WhitePages & BeenVerified.

Account Open-ups

One of the most frequent use cases for identities, SSNs, driver licenses, etc. I see on the market pertains to account open-ups. Hackers frequently have large amounts of funds that they need exchanged back and forth from Bitcoin, but obviously don't want to connect their real identity to these transactions. Some hackers even use these accounts for their operations, such as people who use stolen credit cards on Coinbase.com to purchase Bitcoin, they must first verify their identity, and their own identity isn't suitable for operational security. Bank open-ups are typically the easiest open-ups amongst any, these can be used to verify an account (making the website trust the account more, as they put their bank on the line), and can also be used as an account to hold funds that are fraudulent and will be later converted to Bitcoin. Online bank open-ups can go from 50-100 USD and nearly every bank has fraudulent bank open-ups services advertised on blackhat markets, Chase, PNC, Bank of America, anything you can think of. All banks typically ask for is account holder personally identifying information like SSN/DoB, driver license number (which can be generated, or you can use a lookup service), and some security questions that can be answered with a credit report.

The next step is accounts like CashApp & Binance to link these 'drop' banks to. They are called drop banks because they are meant to hold money for short periods of time, as these accounts are always high-risk for being closed. People connect their 'drop' bank to CashApp, typically the drop bank holds stolen funds, and they can cash out the funds to Bitcoin via CashApp's bank to Bitcoin feature. They must first verify their identity on CashApp first, which requires the aforementioned ID scan, which is harder but frequently done. Pre-verified CashApps are sold on market for about 100 to 150 USD in many chats.

CashApp Account Sale in a Telegram group chat

It is worth noting that cryptocurrency exchange accounts are typically far more expensive than CashApp accounts. Some prices can be seen at an auto-shop for verified accounts at Roober.cc (I cannot verify the legitimacy of the website, but it is frequently vouched amongst fraudsters, nor do I condone buying fraudulent accounts). As demonstrated from shops like those, there is a plethora of accounts that are sold that just require things like ID verification, verified falsely using the outlined methods within this article.

Another interesting discovery in my investigation was merchants who have modified 'APKs', android application packages, of apps like CashApp to make the verification easier to do. Instead of having to put a picture of the false ID on a TV screen, the modified CashApp APK will make the process easier. I am unsure of the exact process behind this nor the extent to which it is being done for other applications.

Bank open-up service costs.

The Connection Between Fake IDs and SIM swapping

Fake IDs aren't just good for money laundering or the other aforementioned reasons, they can also be a tool for SIM swap attacks. Cryptocurrency exchanges to enable "on-chain" withdrawals, meaning withdrawals to the Bitcoin network (opposed to a banking account), require ID verification the first time, and sometimes they are random based on undetermined factors. This means that hackers idealistically come prepared into each SIM swap with a fake ID to upload to Coinbase. Typically, this goes wrong, but every once in a while, the ID is good enough and passes Coinbase's verification system. To my knowledge, Coinbase detects most automated websites like Scanlabs, so I frequently see fraudsters go to manual people for these.

Aside from this, ID barcodes are needed to perform some SIM Swap attacks. At AT&T, to override providing a PIN to a customer's account when SIM Swapping, the customer's barcode must be scanned. If the information encoded on the barcode matches the account owner's information, then the swap will go through most of the time.

TLO lookups

TransUnion has a software, TLOxp, that allows for lookups on American citizens. The software's practical use is for businesses to determine who to hire and other areas where people must be fully investigated, just in a legitimate manner. Hackers manage to obtain accounts to the TLOxp software and then do lookups for malicious persons. These provide more insight than SSNDOB sites and are generally far more reliable. These lookups are sold at 50 USD per piece and about 1,000 USD for a login. These logins do eventually stop working as they normally are phished or maliciously obtained logins.

Conclusion

The market for fake IDs, driver license, and other personally identifying information is massive. Websites like SSNDOB.org have millions upon millions of entries of people's privately identifying information. I did a lookup of 10 family members and most family members were in the database. Other media outlets have covered how this is used to find celebrity personally identifying information, but I believe the day-to-day harm of fraudulent bank open-ups and SIM swaps are much more relevant implications of this fraudulent market. A criminal doesn't need you to leave your ID lying around at a supermarket anymore to open a loan in your name, they can just make a new one themselves. A consumer's SSN being leaked is rarely in their control, it is normally a result of a data leak of a big company that holds consumer's personally identifying information. Breaches like these, which are a consequence of bad security and lack of encryption, are the company's liability where the consumer can pay a massive price.