Now, if someone is traveling to Thailand to partake of some of the more controversial options, then I can see how this would be damaging.
We should all do our best to maintain privacy, but at the same time we should understand that the concept of privacy is changing. And by that I mean that we have less - and will have even less in the future - privacy than people did 10+ years ago.
It won't be long before biometric and other personally identifiable scanners will be integrated into much of what we touch or where we go. It may not be publicly known or even legal, but it will (and probably already does) happen. Just look at the NFC and facial recognition systems in much of our shopping places...
ok, but hunter-gatherers had only minimal privacy so we can adapt to a wide range of "privacies".
yes, it is true that the possibility of "increasingly impersonal threats from far away" has risen dramatically in recent history and it's not clear how well we will adapt to that.
What's your definition of privacy?
I can imagine burglars using this info to decide which houses and apartments to rob.
Anything else that comes to mind?
Any first / second hand experiences of what can happen if private data like this becomes public?
Additionally, some KBA authentication schemes might still be in place which make leaks like this one particularly problematic. Eg. one of my banks still asks relatively easy to answer questions to authenticate me when I call to unlock my card.
The most infamous KBA incident was the large scale IRS's tax returns fraud that occurred in 2014-2015:
- https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-befor...
- https://krebsonsecurity.com/2015/08/irs-330k-taxpayers-hit-b...
- https://krebsonsecurity.com/2016/02/irs-390k-more-victims-of...
The type of data leaked by the Thai government doesn't look too bad, but one should not underestimate the creativity of attackers, especially when the amount of data is large (and might overlap with other, previous breaches that contain different attributes.)
- someone who has been to Thailand frequently pre covid.
Then it was mostly empty wallets with the occasional one or two transactions.
The early scammers made a lot of money.
I've provided it to hotel staff, Airbnb hosts, condo security, car rental places, airline staff, and more over the years. They all make copies of it digitally and physically so it's floating around out there in lots of places.
Next time I get a passport it will change anyways so I'm not sure I see the big deal even if it was a unique, never changing number.
And with the new COVID stuff/vaccinations, it's being shared more often even if you don't travel.
What does that have to do with anything? How is your passport information shared any more than before because of "COVID stuff/vaccinations"?
Obviously this is easily skirted by having another person do the check in and you arriving later. I've also stayed in some guest houses in Thailand last month and they did not register me, but that doesn't mean they should have done so.
If they don't, technically you're on the hook for not registering.
Like gp says, I've handed my actual passport to every hotel I've stayed at, and they usually make a photocopy. If anyone is assuming that a photocopy of a passport is good evidence that someone is who they say they are, they're wrong. If someone is assuming that just the number proves anything, then they're more wrong.
The times I've needed my passport online to prove my identity, it was usually one of those ID processes where I need to be in front of a camera holding my actual passport.
That has nothing to do with someone else leveraging gaps in the financial system and acknowledging those gaps exist. To that i would say AML/KYC/OFAC is the joke and should just be dropped since anyone can transfer any amount of value under someone else’s ID on a computer near where the compromised ID owner is expected to live.
There are open source tools to wear someone else’s face over webcam while holding up a doctored passport at 240p resolution. Even easier with a still image. And many places do not ask for more than just the ID itself.
I don’t really understand who the denial here is helping.
If I say my passport number is 134563543, how does anyone check that? Is there a database of passport numbers and identities that can be checked?
I get that the ID process of camera-and-passport can be spoofed, but in the context of this particular data breach, that's irrelevant. If I can dummy up a passport that looks good enough over 240p resolution then it doesn't matter if it's my actual number or whatever. The process I've been through checks for the watermark/sheen on the passport, but if you can dummy a face then you can dummy some glittery lights fine.
My original question stands: do you just need the passport number to prove identity? Because I've never had to provide just that as proof of identity.
You have way too much respect for the security and redundancies of the system.
Only need one account anywhere to be approved. Then you can just do a completely clearnet illicit source transfer to a crypto exchange and disappear the money into tornado.cash or Monero or whatever. The problem stays with the person whose name is on the account.
Alternatively, on Dread, people brag about maintaining funded brokerage accounts opened under other people’s names and accessed over compromised windows machines near where the physical person lives. They trading stocks and options with dollars, with the intent to deal with actual laundering later with a larger amount. There are market places for compromised windows machines by postal code and bandwidth.
Beyond what you asked though:
Most financial institutions are just covering their own ass and do not care. They just want the record in order to say they checked the box, and be able to look at that record when the government comes looking. Investigations rarely are high profile enough get stonewalled by a customer account that was fictional in order to ensnare the financial institution about how good/bad their KYC processes are. Money mule accounts are extremely prevalent, but this is limited to the actual person being tricked into using their own account for a ridiculous and shady purpose.
Yeah, so knowing the passport number alone is useless.
And yeah, lots of the "security" around us is theatre and easily bypassed.
that's like saying an exploit is useless because the pentester still has to privilege escalate. wrong forum to hold that opinion.
If anything, this breach improves security because now there is a list of passport numbers matched to identities that verifying companies can use to make sure that the passport number claimed by a potential imposter matches the number known for that identity (from this breach). Then you'd have to do what you said and alter the passport in some way to match the breach.