Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/4/2018
11:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

For $14.71, You Can Buy A Passport Scan on the Dark Web

That's the average price of a digital passport scan, and it goes up with proof of identification, a new study finds.

A digital passport scan costs an average of $14.71 on the Dark Web, but a scan is all you'll get for that price. Cybercriminals up the cost for scans accompanied by identity verification documents, and you'll pay more than $13,000 for a legitimate physical passport.

Researchers at Comparitech combed the Dark Web in late September to learn more about the selling prices of passport scans. Their search took them across several illicit marketplaces, including Dream Market, Berlusconi Market, Wall Street Market, and Tochka Free Market. A wide range of vendors are selling passport scans, but only a few specialize in them.

There are several ways to sell a passport. The cheapest is an editable Photoshop template, which can be used to create a fake scan by dropping in a photo and passport number. Since passport numbers are sequential, it's not hard to guess a real one, and most companies don't check if the passport number matches its holder, anyway.

Digital passport scans, which are fairly common and available for many countries, are more expensive and are often sold in bulk. Then there are the physical passports, both counterfeit and legitimate.

Consider digital passport scans: It's common for both counterfeit and legitimate scans to come with various forms of identification: a selfie, utility bill, and/or a driver's license, for example. If proof of ID is added to a passport scan, the average price jumps from $14.71 to $61.27.

"The reason for this is because multiple forms of ID are usually required to pass proof-of-address and proof-of-identification checks on websites," said Comparitech editor Paul Bischoff in a blog post. "These checks are often part of the account recovery process in which a user has somehow lost access to their account and must prove who they are to regain access."

Researchers primarily looked at digital scans and photos of legitimate passports, he wrote. In total, they discovered 48 unique listings for real passport scans, 38 of which did not come with proof of ID. Listings spanned 20 countries, and they learned nationality plays a role in price.

The most frequently listed passport scans came from Australia and the United Kingdom, and Australian passport scans were the most expensive at $32, on average. There was no consistent price correlation between country and cost, Bischoff noted; however, the price did not seem to be based on either the scarcity or power of the country's passport.

Physical passport forgeries are also available; researchers found fake passports for a number of European countries in their search. Most fraudulent passports cost above $1,000. Real, physical passports are both rare and expensive. Most are at least $12,000; the average cost is $13,567.

Why Steal a Passport?
A counterfeit passport could be useful to a cybercriminal in several ways, Bischoff pointed out. Some banks only require two proofs of identification to open a new account. Someone with a stolen passport and driver's license could open an account, access sign-up bonuses, or use it to cash out on different illicit transactions in a "bank drop" scam, he explains.

These forms of ID can also be used to bypass two-factor authentication on websites that require a photo of a physical ID to prove identity. Some companies require account holders to snap a selfie while holding their IDs, which is why digital passport scans cost more with a selfie of the legitimate owner.

Bischoff provided some guidance for people to keep their passports secure. Among his tips: Travel with black-and-white copies of your passport in case you need to provide it (most criminals prefer color scans). Never post photos of the inside of your passport to social media, and refrain from storing it in checked luggage. Don't store passport scans on your device, and don't store it with other documents that could be used to compromise your identity.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
priyasharma1
50%
50%
priyasharma1,
User Rank: Apprentice
12/29/2019 | 2:49:48 AM
priyasharma
Such A nice post... thanks For Sharing !!Great information for new guy like <a href="https://happynewyeari.com/new-year-2018-images/"> Happy New year 2020 </a>
twoment53
100%
0%
twoment53,
User Rank: Apprentice
5/27/2019 | 7:33:37 AM
Re:
Very interesting post about passport sell in dark web. 
newyearall
50%
50%
newyearall,
User Rank: Apprentice
10/5/2018 | 12:03:51 AM

Aw, this was a very nice post. Taking the time and actual effort to produce a superb article... but what can I say... I procrastinate a whole lot and never manage to get anything done. 
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...