
SoylentNews is people

posted by mrpg on Monday January 06, @09:40PM
from the hackers-regift-your-data dept.

The incident exposes the growing vulnerabilities tied to digital ID systems and mandatory KYC (know your customer) data collection:

A US-based online gift card retailer has resolved a critical data exposure incident that left highly sensitive customer identity documents accessible on the internet, raising concerns about the growing risks posed by mandatory data collection under "know your customer" (KYC) and digital ID regulations.

The issue came to light when a security researcher, known by the alias JayeLTee, discovered an unprotected storage server linked to MyGiftCardSupply. According to TechCrunch, the server, which lacked even basic password protection, contained hundreds of thousands of government-issued IDs, including driver's licenses and passports, as well as selfies submitted by customers. These documents are required by the company to comply with US anti-money laundering laws, which mandate identity verification for certain transactions.

Despite an attempt by JayeLTee to notify MyGiftCardSupply about the exposure, the company did not respond until TechCrunch reported the breach. MyGiftCardSupply's founder, Sam Gastro, later confirmed the issue. "The files are now secure, and we are doing a full audit of the KYC verification procedure," Gastro stated. He also pledged that the company would delete identity documents promptly after verification in the future.

[...] According to JayeLTee, the server, hosted on Microsoft's Azure cloud platform, contained over 600,000 images of identity documents and selfies from approximately 200,000 customers. These materials are a part of controversial KYC procedures, intended to confirm identities and prevent fraud.

Related: Chinese Organized Crime's Latest U.S. Target: Gift Cards



Related Stories

Chinese Organized Crime's Latest U.S. Target: Gift Cards

Chinese crime rings already dominate the illegal marijuana trade in the U.S. and launder cocaine and heroin profits. Now a federal task force is investigating their role in a burgeoning form of gift card fraud:

Federal authorities are investigating the involvement of Chinese organized crime rings in gift card fraud schemes that have stolen hundreds of millions of dollars or more from American consumers.

The U.S. Department of Homeland Security has launched a task force, whose existence has not previously been reported, to combat a scheme known as "card draining," in which thieves use stolen or altered card numbers to siphon off money before the owner can spend it. The initiative has been dubbed "Project Red Hook," for the perpetrators' ties to China and their exploitation of cards hung in store kiosks on "J-hooks."

This marks the first time that federal authorities have focused on the role of Chinese organized crime in gift card fraud and devoted resources to fighting it. Homeland Security Investigations, a DHS agency, began prioritizing gift card fraud late last year in response to a flurry of consumer complaints and arrests connected to card draining.

[...] Card draining is when criminals remove gift cards from a store display, open them in a separate location, and either record the card numbers and PINs or replace them with a new barcode. The crooks then repair the packaging, return to a store and place the cards back on a rack. When a customer unwittingly selects and loads money onto a tampered card, the criminal is able to access the card online and steal the balance.

[...] More broadly, almost 60% of retailers said they experienced an increase in gift card scams between 2022 and 2023. Between 2019 and 2023, Americans lost close to $1 billion to card draining and other gift card scams, according to the Federal Trade Commission.

Originally spotted on Schneier on Security.



  • (Score: 0, Interesting) by Anonymous Coward on Monday January 06, @11:03PM (4 children)

    by Anonymous Coward on Monday January 06, @11:03PM (#1387735)

    Things like this will continue as long as companies are not forced through laws.
    And the chance of that happening anytime soon is slim and none, and slim just left town. I know, redundant.

    • (Score: 1, Funny) by Anonymous Coward on Monday January 06, @11:24PM

      by Anonymous Coward on Monday January 06, @11:24PM (#1387736)

      From the nice summary,
        > A US-based online gift card retailer
          A US-based online grift card retailer

      ftfy -- you forgot a critical "r"

    • (Score: 3, Insightful) by Gaaark on Monday January 06, @11:27PM (1 child)

      by Gaaark (41) on Monday January 06, @11:27PM (#1387737) Journal

      And executives need MAJOR fines against THEM as well as jail time.

      Only THEN will you see changes.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 3, Insightful) by mcgrew on Thursday January 09, @09:23PM

        by mcgrew (701) <publish@mcgrewbooks.com> on Thursday January 09, @09:23PM (#1388136) Homepage Journal

        Hear, hear. Why wasn't the CEO of the mine jailed for negligent manslaughter a decade ago when their repeated safety violations caused the mine to collapse, killing a lot of miners? If you get drunk and wreck your car, you're going to jail even if nobody gets hurt!

        America is a plutocracy, not a democracy, ever since Citizens United. Rich men only go to jail when they piss off a richer man.

        --
        A man legally forbidden from possessing a firearm is in charge of America's nuclear arsenal. Have a nice day.
    • (Score: 4, Insightful) by Tork on Monday January 06, @11:58PM

      by Tork (3914) Subscriber Badge on Monday January 06, @11:58PM (#1387740)
      It's amusing to think that right now we're maybe the roll of a single dice away from Pornhub becoming a media hero.
      --
      🏳️‍🌈 Proud Ally 🏳️‍🌈
  • (Score: 0) by Anonymous Coward on Tuesday January 07, @01:29AM

    by Anonymous Coward on Tuesday January 07, @01:29AM (#1387752)

    The Red site (gister) has an article saying that the US gov's anti-encryption push is over and done, that the FBI is actively recommending E2E encryption now -- because of the telco fiasco.

    But KYC etc keep on promulgating, just proving that it's not done. I don't think the US politicians, or the cops, have learned anything at all about concentrating data in easy-for-China-to-access locations, or requiring easy-for-China-to-access doors in everything. I don't think the anti-encryption fight is over -- I'm certain it will resume again next year, or next election cycle. (House/senate, two years?) I honestly don't think it's ever going to go away, until it's lost. The US is a police state, and it simply *will not* allow individuals security if it is in any way perceived to hamper cops, at all.

    It will go on. The encryption battle will be lost in the US. It's just a matter of time.

  • (Score: 2) by looorg on Tuesday January 07, @12:44PM (1 child)

    by looorg (578) on Tuesday January 07, @12:44PM (#1387777)

    KYC sucks. I fail to see what the point of it is except some kind of paperwork exercise in futility and lies as you try to prognosticate into the future. After all, if I was sending money to terrorist organizations I wouldn't put that down on their forms. Last year I had to fill that out three times, under the normal threats that we'll close your bank accounts. Cause apparently the bank I have had my accounts in for nearly 50 years doesn't know me by now, at least according to the law. I asked them a few times how I am supposed to know how much money I'll make during the year with my company or if I plan on sending any money or making any purchases to foreign nations (then which ones and the sum of those transactions) during the coming year or two. The whole thing is just complete bullshit paperwork. Guesswork, but they don't want guesswork and then get pissed if the guesses don't come true.

    Every time I fill them out I'm wondering if I shouldn't just close all my accounts and go back to using cash only again.

    • (Score: 0) by Anonymous Coward on Tuesday January 07, @02:36PM

      by Anonymous Coward on Tuesday January 07, @02:36PM (#1387791)

      Along the same lines, but for small companies, is filing US Treasury Dept. Beneficial Ownership Information (BOI) required by the Corporate Transparency Act (CTA) -- which is currently suspended after multiple injunctions and court actions. For anyone with a small company, here's the official page to see the status of "to file or not to file" - https://www.fincen.gov/boi [fincen.gov]
      Current recent update reads,

      Alert: Ongoing Litigation – Texas Top Cop Shop, Inc., et al. v. Garland, et al., No. 4:24-cv-00478 (E.D. Tex.) & Voluntary Submissions [Updated January 2, 2025]

      In light of a recent federal court order, reporting companies are not currently required to file beneficial ownership information with FinCEN and are not subject to liability if they fail to do so while the order remains in force. However, reporting companies may continue to voluntarily submit beneficial ownership information reports.
      [...]

  • (Score: 2) by VLM on Tuesday January 07, @02:38PM

    by VLM (445) on Tuesday January 07, @02:38PM (#1387792)

    These documents are required by the company to comply with US anti-money laundering laws, which mandate identity verification for certain transactions.

    KYC is an inherently self-destructive system because of the universality of data breaches or identity theft.

    Now, you have to run paper/plastic documents thru a scanner and upload them. In the future you'll just google for your name and driver's license and then upload the file you find on the internet rather than tediously scanning your physical DL yet again.

    My guess is once KYC completely collapses the strategy will become some kind of weird social credit score thing, where to open an account at a bank you'll need to get "friended" by three current bank branch customers on LinkedIn, because personal presence is the only way to verify identity in a world where all digital data is immediately stolen. Competing with that will be the problem that social media traffic is like 90% bots and fake accounts, and the advertising-selling companies have zero motivation to blow that scam open, so they'll aggressively oppose using social media as ID because of the financial effects of revealing 90% of their ad sale revenue was fraudulent.
