Hacker News new | ask | show | jobs
by ffsm8 385 days ago
Is that an actual thread model, and or are you just making stuff up?

I'm asking because even oauth would make this kind of attack vector impossible, as the referrer and redirect urls are verified - and I sincerely doubt they're so incompetent not to do something similar in such a context.
1 comments
rvnx 385 days ago
It is a relay attack.

There are a lot of verification platforms, so the idea is that the user is asked to be verified and that his proof of identity is reused in live for something else. In the addressbar, user sees "dangerousporn.com" -> "safeidentify.com"

The operator of "dangerousporn.com" starts (manually) an application to a [bank account / crypto exchange "bank.com"], using a fixed residential proxy (Luminati / Oxylabs, etc).

Once a victim arrives on "safeidentify.com", the user that is on "safeidentify.com" is asked to follow the actions that "bank.com" is asking to do (upload your ID, turn head left, turn head right, up, down).

"safeidentify.com" plays back the recorded video on the KYC platform of "bank.com" using an emulated Webcam.

Difficult ? Yes and no, but manually doable on a case-by-case basis, and you don't need thousands of victims as it is really worth.

link
ffsm8 385 days ago
to begin with, youve already switched the hacker from an advertiser to the operator running the website.

but ignoring that: none of what youve written there has been enabled by an identity provider hosted by the state. These scams already exists, today and various "special" users fall victim to them.

but lets ignore that too: these verifications are usually done interactively and cannot simply be played back, as you need to actually react to the actions of the person verifying your identiy

but lets ignore that too: its _highly_ unlikely the service will make users upload IDs and get verified via video etc on every connection. I'm gonna bet this is a one-time action, and after that you'll probably have to simply authenticate via 2-3 factors (username, password, biometric, sms, email, e-pass, certificate etc) - so what you're insinuating (this service makes people numb to such situation) is implausible. Especially in the context this scenario is in: merely verifying >18 yo

link
rvnx 385 days ago
> you need to actually react to the actions of the person verifying your identiy

yes it's exactly the point, use porn websites as a hook to convince the user to do your actions to verify their "identity"

link