[marcus_holmes]

I was thinking about this more...

If I say my passport number is 134563543, how does anyone check that? Is there a database of passport numbers and identities that can be checked?

I get that the ID process of camera-and-passport can be spoofed, but in the context of this particular data breach, that's irrelevant. If I can dummy up a passport that looks good enough over 240p resolution then it doesn't matter if it's my actual number or whatever. The process I've been through checks for the watermark/sheen on the passport, but if you can dummy a face then you can dummy some glittery lights fine.

My original question stands: do you just need the passport number to prove identity? Because I've never had to provide just that as proof of identity.

[vmception]

The number has to corroborate whats on the picture of the passport.

Beyond what you asked though:

Most financial institutions are just covering their own ass and do not care. They just want the record in order to say they checked the box, and be able to look at that record when the government comes looking. Investigations rarely are high profile enough get stonewalled by a customer account that was fictional in order to ensnare the financial institution about how good/bad their KYC processes are. Money mule accounts are extremely prevalent, but this is limited to the actual person being tricked into using their own account for a ridiculous and shady purpose.

[marcus_holmes]

> The number has to corroborate whats on the picture of the passport.

Yeah, so knowing the passport number alone is useless.

And yeah, lots of the "security" around us is theatre and easily bypassed.

[vmception]

you superimpose it onto the picture of the passport, because you know the number.

that's like saying an exploit is useless because the pentester still has to privilege escalate. wrong forum to hold that opinion.

[marcus_holmes]

You don't need to. If the verifier has no way of verifying that any given passport number is correct, or associated with the identity you're trying to steal, then you can make up any number you like. Like you said, the only thing they can do is verify that the number on the (faked) passport matches the number the fraudster typed in the form.

If anything, this breach improves security because now there is a list of passport numbers matched to identities that verifying companies can use to make sure that the passport number claimed by a potential imposter matches the number known for that identity (from this breach). Then you'd have to do what you said and alter the passport in some way to match the breach.