Network News

X My Profile
View More Activity

Web Fraud 2.0: Digital Forgeries

For businesses, positively identifying someone online - by name, or physical location - is extremely difficult. Many Internet firms seek to verify the identity of customers by requesting scanned copies of their driver's licenses, passports, or utility bills. But what if services aimed at creating counterfeit versions of these documents became widespread? How long would businesses continue to rely on this method of identification?


Unfortunately, there are several such services. Among the most active is a site called For roughly $35 USD, you provide the site with the type of document or credential you're seeking and the identifying information you want to appear on it and scanlab will produce a very authentic-looking digital image that appears to be a scanned copy of said item.

For example, let's say I'm a scammer and I've just gained access to someone's online account and I want to move their funds to my own account. The victim's institution says, "Hold on there, cowboy. In order to prove you are who you say you are, we'll need to see a scanned copy of your driver's license and a utility bill with your name and address on it." At scanlab, those images would cost me about $60 total (albeit payable only through Webmoney, a virtual currency unknown to most Americans but quite popular in Russia and many parts of Eastern Europe.)


From the chatter about this service on certain online criminal forums, it appears scanlab does a fairly brisk business. Security Fix was able to register an account at the service and take a few screen shots of the options available to scanlab members. Here's a shot of some of the prices, broken down by document type, country and U.S. state.

Why would someone need to use this service? In most cases, companies request scanned documents when they're trying to combat fraudulent activity. PayPal has been known to freeze users' accounts if it suspects them of being used for fraud, often demanding a copy of the user's utility bill to unfreeze them.

Online gambling sites often will try to prevent money laundering (a scammer depositing funds from a stolen credit or debit card and then trying to withdrawal said funds to a cash account a few days later) by requesting scanned documents. In other cases, scanned documents can allow foreigners to create official U.S. corporations complete with U.S. based bank accounts protected by the FDIC. All that is required are certain scanned documents.

By Brian Krebs  |  August 21, 2008; 7:00 AM ET
Categories:  Fraud , From the Bunker , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Web Fraud 2.0: Validating Your Stolen Goods
Next: Opera Update Plugs Multiple Security Holes


Am I confused, or does the use of multiple "security questions" used by a lot of sites now get around this (name of first pet, high school, where met spouse, favorite teacher, etc)?

Posted by: nle | August 21, 2008 2:02 PM | Report abuse

@nle: this has to do with sites that ask for scanned copies/images of important documents to prove your identity. it has nothing to do with secret questions or security questions.

i've heard from sources who say they've been asked for identifying documents for other various reasons, such as obtaining an SSL cert, or for regaining control over an AOL account after being locked out due to fraud or spam as a result of an account takeover. I'm sure other readers could offer different examples.

Posted by: Bk | August 21, 2008 2:19 PM | Report abuse

It's also very common (and highly used) in the theft of game accounts, notably World of Warcraft and other MMOs. Blizzard, specifically, will suspend an account pending scanned identification and perhaps a notarized copy of it. Outfits like this make it easy to maintain a hold on an account and then sell it off to a third party.

Posted by: Charles Decker | August 21, 2008 7:30 PM | Report abuse

Good to be aware of this problem, Brian, but do you have some suggestions for companies who want to have a rock-solid means of identifying people?

Posted by: jm | August 21, 2008 9:21 PM | Report abuse

Some companies will send you an activation code with the (non-electronic) mail to verify your name and mailing address. Is that still a safe alternative or are there already forwarding services that allow you to receive mail at a fake address?

Posted by: Wladimir Palant | August 22, 2008 2:39 AM | Report abuse

I find these attempts as humorous as the little 3 digit number on the back of a credit card, to "prove" that I have the card.

Once I make one copy of my drivers license and send it to anyone - or type in that 3-digit number to any website - or even hand my credit card to any waiter - the integrity of that method is shot. Now someone else can "prove" that they are me with the same documentation.

Posted by: Bob | August 26, 2008 2:29 PM | Report abuse

What Bob said. Methods based on public key cryptography let you authorize transfers, etc. in ways that prove your identity (based on public key) without giving anyone the information (private key) needed to impersonate you. Another approach is a method (perhaps as simple as a card with a grid of numbers) that lets you generate different passwords in response to different challenges. These methods will become common when the entities that have the power to do something about identity theft are the ones that suffer from it.

Posted by: Ford | August 26, 2008 3:50 PM | Report abuse

The existence of these services means that criminals are making so much money that it is worth while to pay these services rather than messing around with old fashion paper, tape and scissors. It has never been hard to doctor a fax.

Posted by: Kevin | August 26, 2008 8:25 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company