Trading and selling passport photos are booming on the dark web, how are they being exploited?


by T.Young

Passport pictures and scanned images are distributed in the underground ' dark web ' world where illegal goods and services are sold. Although the price of the passport image is various, it seems that it is sometimes traded at a high price with other personal information as a set.

Passports on the dark web: how much is yours worth? - Comparitech
https://www.comparitech.com/blog/vpn-privacy/passports-on-the-dark-web-how-much-is-yours-worth/

Paul Bischoff of Comparitech who is studying about trading personal information investigated the selling price of the passport sold on the dark web. The survey was conducted as of September 2018 in illegal markets of several dark webs including Dream Market, Berlusconi Market, Wall Street Market, Tochka Free Market.

According to Mr. Bischoff's survey, in the case of a physical passport, the average price of counterfeit passport is 1478 dollars (about 166,000 yen), the real passport is a high price of 15,567 dollars (about 1.5 million yen) as the average price It seems to be.



The price varies depending on the issuing country, and passports tend to be priced higher in those in Europe.



The tendency for counterfeit passports to be higher in the European area is the same.



Because passports are often misused for crimes such as improper opening of bank accounts, it is quite understandable that high prices are attached to physical passports. However, according to Mr. Bischoff, Dark Web's illegal commodity market has values ​​on the digital image of passport, and it is said that it is traded with vigorous demand.

Typical merchandise includes Passport in SELPHY (Self-portrait) as below. The following photograph is a passport image of a British woman born in 1982, the price is 0.00916 BTC (the price is about 52 euro: about 6700 yen).



The average price of passport digital scan images is $ 14.71 (about 1600 yen). However, the average price of a passport image when another certificate such as a driver's license or a proof of utility fee is attached is said to jump to 61.27 dollars (about 6900 yen).



The question is why digital images get valuable? However, Mr. Bischof thinks that it may be abused in "takeover of account". And the term "account" here means an account of virtual currency trading service, and the following cases are assumed for taking over the virtual currency account.

In many virtual currency trading services, two-step authentication has been introduced to enhance safety. Therefore, even if you can get your password illegally by phishing scam or some other means, you will need a one-time passcode etc. sent to your smartphone or application each time, in addition to your password, to log in to your account and change user information , A malicious attacker who is trying to take over the account can not handle it.


However, an attacker who got the password impersonates the owner of the account that is trying to get over and informs the service provider that "two-step authentication can not be used due to some troubles such as losing smartphone" , It may request resetting of 2-step authentication. In such a case, most virtual currency trading service providers are asking to submit information that can confirm the user's identity before resetting the password.

Therefore, the attacker submits the passport image of the target user obtained from the dark web, completes the impersonation to the principal, resets the two-step authentication, totally hijack the account and robs the virtual currency. In addition, Photoshop templates for rewriting passport contents are also on sale on the dark web, and it is said that they are talking about rewriting the information according to the target. It seems rare to verify whether the passport number matches the passport owner at the service provider seeking personal information.


by T.Young

In order to prevent the scanned image of the passport from being leaked, paying attention to the storage of the passport is basically basically not to upload it to SNS, save scan data to the local terminal, cloud, etc. That's right, Mr. Bischoff said. Moreover, there is a danger that it can be abused when asking for a copy of a passport at overseas hotel accommodation etc, so it is good to prepare black and white copy by yourself beforehand. It seems that submission of a black and white copy is effective because many criminals want images of color.

By the way, it is unclear whether the scanned image of the passport sold on the dark web is still valid, there is no guarantee that it will be "unused item" that has never been misused before. Mr. Bischoff seems to be checking passport images that are sold in duplicate in multiple black market in the survey.

in Note,   Web Service,   Security, Posted by darkhorse_log