There is a very possible attack. Open a porn website, buy ad traffic in France, once users are here, claim identity needs to be verified. In the background, start the process to open a bank account in one of these online banks and act as a relay in the verification process.
Is that an actual threat model, or are you just making stuff up?
I'm asking because even OAuth would make this kind of attack vector impossible, as the referrer and redirect URLs are verified - and I sincerely doubt they're so incompetent as not to do something similar in such a context.
There are a lot of verification platforms, so the idea is that the user is asked to be verified and that his proof of identity is reused live for something else.
In the address bar, the user sees "dangerousporn.com" -> "safeidentify.com"
The operator of "dangerousporn.com" starts (manually) an application to a [bank account / crypto exchange "bank.com"], using a fixed residential proxy (Luminati / Oxylabs, etc).
Once a victim arrives on "safeidentify.com", the user that is on "safeidentify.com" is asked to follow the actions that "bank.com" is asking to do (upload your ID, turn head left, turn head right, up, down).
"safeidentify.com" plays back the recorded video on the KYC platform of "bank.com" using an emulated webcam.
Difficult? Yes and no, but manually doable on a case-by-case basis, and you don't need thousands of victims as it is really worth it.
To begin with, you've already switched the hacker from an advertiser to the operator running the website.
But ignoring that: none of what you've written there has been enabled by an identity provider hosted by the state. These scams already exist today, and various "special" users fall victim to them.
But let's ignore that too: these verifications are usually done interactively and cannot simply be played back, as you need to actually react to the actions of the person verifying your identity.
But let's ignore that too: it's _highly_ unlikely the service will make users upload IDs and get verified via video etc. on every connection. I'm gonna bet this is a one-time action, and after that you'll probably have to simply authenticate via 2-3 factors (username, password, biometric, SMS, email, e-pass, certificate etc.) - so what you're insinuating (this service makes people numb to such situations) is implausible. Especially in the context this scenario is in: merely verifying >18 yo.