Why Reddit’s Identity Verification Process is a Goldmine for Synthetic ID Frauds


While browsing Reddit, I came across subreddits like r/rateme and r/amiugly. These are subreddits where people post pictures of themselves so that others can give feedback on their looks and how to improve them. But there’s a catch...

To combat fake profiles, the moderators of these subreddits require that at least one of your pictures shows you holding a piece of paper with your username, the date, and sometimes the subreddit name written on it.

There are dozens of subreddits that require uploading such pictures to distinguish genuine users from catfish or bot accounts.

Recently I signed up for an online banking service that required me to upload a picture of myself and my identity documents. At the end, I was asked to upload a selfie while holding a government-issued ID card for verification.

As someone who has spent months exploring exposed S3 buckets, Azure blobs, and exposed databases, I’ve come across a few KYC (Know Your Customer) image databases belonging to small fintech and crypto companies. Most of them used images in a similar format for KYC verification.

Verification pictures from these subreddits can easily be manipulated to look like verification pictures required by online services during KYC verification.

Editable PSD files of most countries’ government-issued ID cards, driving licenses, and passports have been available in underground markets since forever.

Various countries’ editable ID card PSD files on sale

All it takes is a person of average skill to photoshop those edited PSD files in place of the username paper. Add proper lighting and glare to the picture and it should pass as legit.

We have already seen North Korean actors photoshopping faces and ID cards onto the same images to get their KYC done at crypto exchanges.