[Arcten]

I've been interested in this topic for a while. The article was fairly good but I did have a few minor quibbles. For one, ordering from IDGod (the vendor in the story) is known to be very reliable. If packages get stopped at customs, a customer can contact support to get a replacement shipped at no charge. Additionally, the advanced scanner BarZapp is pretty much a non-issue. Almost any ID purchased from vendors on the subreddit mentioned in the article will pass those easily.

[SamBam]

How will a fake id pass BarZapp? According to the article (I know nothing about this, so could be wrong) it looks up the id in a database and returns the name and dob of the owner. How could the made-up name be in the database?

Or are they cloning existing IDs, and the buyer doesn't get a choice in the name?

[Arcten]

It's neither. All BarZapp does is read the barcode and check that it contains reasonable information and it formatted according to the standards. Vendors have figured out proper formatting so they look appropriate to BarZapp. Of course, no fake id will pass actual lookup in a database. Except of course cloned IDs, which are extremely rare in my experience. I've heard of stories of someone with a stolen DMV database who would sell fakes with real information for about $700 each, but I've never seen it myself, and no reasonable vendor doing anything like that would be selling through the clearweb.

[SmellyGeekBoy]

At that point you're talking about identity theft which is a whole different ballgame...

[tgokh]

I believe the apps only pull whatever information is in the barcode on the back of the idea - only law enforcement can actually check the ID against the DMV database.

I scanned the 2-D barcode on my license using a generic barcode reader on my phone, and it's a PDF417 barcode that contains all the information that's printed on my id (number, name, address, license type, physical descriptors, dates, organ donor) as well as a few other fields (revision number of the card format, and an inventory control number that looks like the concatenation of the DL number, state name, license type, and some other fields)

[VLM]

The situation is crazier yet more logical than it appears.

How do you prove someone once showed you a fake ID? Well, back in the $1 per shot polaroid / kodak instamatic era, you didn't. So the fake ID owner got away with it and bar owner got punished, which is the only reason bars cared about carefully checking fake IDs.

Now with a machine the bar has a fighting chance in court, the police verbally claim the bar served an underage patron, and the police provide a person residing in the city who is underage, but there is nothing in common between those two people, your honor here is a copy of the patron's license clearly showing he's 22 at that time and there's no legal record of my patron ever having been charged with a fake ID infraction and my patron is not the same person as the supposed police witness, so, your honor I request you dismiss the case K thx bye.

There is also the 3rd party to blame, if a bouncer knows some punk who gets drunk and starts fights, oh so sorry your ID failed the scan, now go away. "No point arguing with me, buddy, you need a better fake ID, yell at the guy who sold it to you".

[moftz]

A lot of bars in my college town are starting to require two forms of ID before they let you in. One must be a driver's license but the other can be your student ID card or a credit card. I'm sure it would be easy to fake our student ID cards but for the most part, this rule works well. Some bars are known for letting in minors. Their bouncers are inexperienced or just don't care. Every now and then those bars get a fine and they put someone experienced out front and give them a UV flashlight. That guy will collect enough fake IDs until the bar isn't making enough money so they will bring the first bouncers out and rake in more money from the underaged patrons until they get another fine.

I've seen people get let in using the worst fake IDs I've ever seen and I've seen people rejected using real IDs. It all depends on the bouncer's experience and how much the bar owner cares about not letting in underaged people.

[closeparen]

ID lookups against databases are actually pretty rare. The information is embedded in the barcode, and not in a cryptographically secure way.

[xkcd-sucks]

If BarZapp did do database lookups, it seems like a route to cloning part of a DMV registry...