ID Verification Service for X Exposed Driver Licenses for over a year
Israel-based company AU10TIX, which offers “full-service identity verification solutions,” cannot be trusted
UPDATE: 6 hours after this publication was sent out, we have been informed by Chris Stanley (a great guy) at X that X will be rolling out an additional option for ID verification via Stripe, the payment company already in use by X to process AdRev bi-monthly payments. P.S. Subscribe to Chris on X here.
AU10TIX Limited, the company that verifies the identities of X users by processing photographs of their faces and pictures of their driver's licenses, exposed credentials online for more than a year, potentially allowing hackers to access that sensitive data, according to data obtained and reported by 404 Media.
The Israel-based company, AU10TIX, offers what it describes on its website as “full-service identity verification solutions.”
This “full-service identity verification solution” includes verifying people's identity documents, such as passports and driver's licenses, as well as conducting “liveness detection” in a real-time video stream with the user. AU10TIX will also perform age verification, where its service will predict how old someone is based on their uploaded photo.
Based on the many company logos on their website, AU10TIX also provides this service to Fiverr, PayPal, Coinbase, LinkedIn, and Upwork, some of which confirmed to 404 Media they are still active or former AU10TIX clients.
This news comes as more and more social networks and pornography sites move towards an identity or age verification model, in which users are required to upload their real identity documents to access services.
This major breach highlights that identity services could themselves become a target for hackers. The cybersecurity researcher did not distribute the data beyond providing screenshots and some data to 404 Media for verification purposes.
“My personal reading of this situation is that an ID Verification service provider was entrusted with people's identities and it failed to implement simple measures to protect people's identities and sensitive ID documents,” Mossab Hussein, the chief security officer at cybersecurity firm spiderSilk who originally noticed the exposed credentials, said.
We recently made a Public Statement on this, and have, as a result, terminated our partnership with X Business.
Special thanks to Joseph Cox at 404 Media for the story.