Database containing personal info of 106M visitors to Thailand exposed online
comparitech.comI guess I'm in there too. But passports get copied and provided to so many institutions these days that I wouldn't even consider nationality and passport number as private.
Now, if someone is traveling to Thailand to partake of some of the more controversial options, then I can see how this would be damaging.
We should all do our best to maintain privacy, but at the same time we should understand that the concept of privacy is changing. And by that I mean that we have less - and will have even less in the future - privacy than people did 10+ years ago.
It won't be long before biometric and other personally identifiable scanners will be integrated into much of what we touch or where we go. It may not be publicly known or even legal, but it will (and probably already does) happen. Just look at the NFC and facial recognition systems in much of our shopping places...
> we have less - and will have even less in the future - privacy than people did 10+ years ago
ok, but hunter-gatherers had only minimal privacy so we can adapt to a wide range of "privacies".
yes, it is true that the possibility of "increasingly impersonal threats from far away" has risen dramatically in recent history and it's not clear how well we will adapt to that.
> hunter-gatherers had only minimal privacy
What's your definition of privacy?
Of course it's elasticsearch. Elastic did irreparable damage by paywalling authentication and TLS on a supposedly open source project. If you make security optional, you've created an insecure and unsafe product.
What dangers are associated with this type of data becoming public?
I can imagine burglars using this info to decide which houses and apartments to rob.
Anything else that comes to mind?
Any first / second hand experiences of what can happen if private data like this becomes public?
This is useful to attackers in social engineering scenarios for sure.
Additionally, some KBA authentication schemes might still be in place which make leaks like this one particularly problematic. Eg. one of my banks still asks relatively easy to answer questions to authenticate me when I call to unlock my card.
The most infamous KBA incident was the large scale IRS's tax returns fraud that occurred in 2014-2015:
- https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-befor...
- https://krebsonsecurity.com/2015/08/irs-330k-taxpayers-hit-b...
- https://krebsonsecurity.com/2016/02/irs-390k-more-victims-of...
The type of data leaked by the Thai government doesn't look too bad, but one should not underestimate the creativity of attackers, especially when the amount of data is large (and might overlap with other, previous breaches that contain different attributes.)
(In the US) passport info is not typically used for KBA, none of the common providers do it.
I get spam emails all the time which claim to have webcam pics of the recipient in flagrante delicto, oh and here’s a Bitcoin address you should send to if you don’t want them public. Rubbish, of course, as there’s nothing targeted about them; just a cleverly-worded mass email disguised as an individual extortion attempt. The next obvious step, however, is sprinkling enough details in to make it more convincing. “I have pics of what you did in Thailand in January 2019” would surely generate a lot more concern in a subset of the recipients.
When I get those I like to look up the bitcoin address on block explorer. Last time I checked one, two people had paid it out. No clue how many messages the spammer had sent, but there was at least a bit of payoff
I haven’t looked in a while but I think every example, even though the text was identical, had a different address. So if the one you saw already had two transactions...
Same here. I noticed they in the early days of the scam there were very payments (cannot say obviously if all were talked to that scam).
Then it was mostly empty wallets with the occasional one or two transactions.
The early scammers made a lot of money.
How is somebody going to get your address from this info? Did you actually look at what was leaked?
It's strange that it doesn't contain addresses. There's a bunch of other information you have to fill in including address on your arrival forms - so if it's the case that "this is it", we got off lightly. I have travelled there three times in the last ten years.
Also lucky the biometric data from passports wasn't included - portrait photos and fingerprint data. (https://www.hindawi.com/journals/bmri/2012/490362/)
I visited Thailand about six times in the last four years so this is a bit concerning to me. I really wish there were more details and hope that I can find out if my data was exposed as a part of this.
The database included full names, passport numbers, arrival dates, and more.
Yes, but it's been taken down. I can't query the dataset to see if I, personally, have been exposed.
Tell me your passport number, names, DOB and I will look it up and let you know… /s
I'm literally in Thailand right now and really can't say this bothers me. None of that info is sensitive
Name -> passport # isn't concerning?
No, why would it be?
I've provided it to hotel staff, Airbnb hosts, condo security, car rental places, airline staff, and more over the years. They all make copies of it digitally and physically so it's floating around out there in lots of places.
Next time I get a passport it will change anyways so I'm not sure I see the big deal even if it was a unique, never changing number.
15 years ago a foreigner couldn't even get a hotel room in Thailand without handing over passport information for each guest. I can't imagine it's changed much since then. If the Thai police want to track you down it wouldn't be very hard.
I can't think of a single country (other than my own, and maybe in the rest of the EU) where I've gone to a hotel and not had to give my passport and credit card. Passport is photocopied, credit card is checked. Passport number is like a US social security number, it's public information.
I don't think I've ever not been asked for my passport (or some other form of government ID) when staying in hotels in the EU. Two weeks ago I stayed at a large chain and I was asked for passports of my whole family.
Been a while since I stayed in the EU, but I was in Brussels in October 2019 and stayed at an Aloft at the time of an EU summit. I distinctly remember remonstrating with the clerk about the embarrassment of my British passport when I handed it over.
I checked into two hotels this past week while getting out of the city without giving any info. My Thai gf booked and paid for them so I'm not sure if that had anything to do with it. A couple years ago I had to give my passport to all hotels that I can remember
By law the hotel has to register your arrival online, as a foreigner.
Obviously this is easily skirted by having another person do the check in and you arriving later. I've also stayed in some guest houses in Thailand last month and they did not register me, but that doesn't mean they should have done so.
If they don't, technically you're on the hook for not registering.
I was present at check in, I didn't arrive later
What can you do with a passport number?
Some crypto websites accept Passport as a means to verify you before you can withdraw funds.
A new passport number comes with each replacement/renewal so I would suspect this is just security theater and you can upload any sample passport with the text changed. If they are insisting on the same exact passport again they could accept a fax of a random artwork and it would be more secure and just as permanent.
Which ones? The ones I've used use passport (and often photo holding passport) to enable certain features or raise limits, but they're not used for withdrawl. 2FA and email verification is.
Identity fraud
open bank accounts and launder money and lead a mile long paper trail to the wrong person
Are you sure you just need the number for that and not a copy of the actual document?
Like gp says, I've handed my actual passport to every hotel I've stayed at, and they usually make a photocopy. If anyone is assuming that a photocopy of a passport is good evidence that someone is who they say they are, they're wrong. If someone is assuming that just the number proves anything, then they're more wrong.
The times I've needed my passport online to prove my identity, it was usually one of those ID processes where I need to be in front of a camera holding my actual passport.
In the Ocean's Fourteen script writer's room: "Wait, what?"
What you are explaining to me is why you feel comfortable being able to prove your innocence if necessary. To that, good luck and it’s a pleasant way to view the world.
That has nothing to do with someone else leveraging gaps in the financial system and acknowledging those gaps exist. To that i would say AML/KYC/OFAC is the joke and should just be dropped since anyone can transfer any amount of value under someone else’s ID on a computer near where the compromised ID owner is expected to live.
There are open source tools to wear someone else’s face over webcam while holding up a doctored passport at 240p resolution. Even easier with a still image. And many places do not ask for more than just the ID itself.
I don’t really understand who the denial here is helping.
I was thinking about this more...
If I say my passport number is 134563543, how does anyone check that? Is there a database of passport numbers and identities that can be checked?
I get that the ID process of camera-and-passport can be spoofed, but in the context of this particular data breach, that's irrelevant. If I can dummy up a passport that looks good enough over 240p resolution then it doesn't matter if it's my actual number or whatever. The process I've been through checks for the watermark/sheen on the passport, but if you can dummy a face then you can dummy some glittery lights fine.
My original question stands: do you just need the passport number to prove identity? Because I've never had to provide just that as proof of identity.
The number has to corroborate whats on the picture of the passport.
Beyond what you asked though:
Most financial institutions are just covering their own ass and do not care. They just want the record in order to say they checked the box, and be able to look at that record when the government comes looking. Investigations rarely are high profile enough get stonewalled by a customer account that was fictional in order to ensnare the financial institution about how good/bad their KYC processes are. Money mule accounts are extremely prevalent, but this is limited to the actual person being tricked into using their own account for a ridiculous and shady purpose.
> The number has to corroborate whats on the picture of the passport.
Yeah, so knowing the passport number alone is useless.
And yeah, lots of the "security" around us is theatre and easily bypassed.
you superimpose it onto the picture of the passport, because you know the number.
that's like saying an exploit is useless because the pentester still has to privilege escalate. wrong forum to hold that opinion.
You don't need to. If the verifier has no way of verifying that any given passport number is correct, or associated with the identity you're trying to steal, then you can make up any number you like. Like you said, the only thing they can do is verify that the number on the (faked) passport matches the number the fraudster typed in the form.
If anything, this breach improves security because now there is a list of passport numbers matched to identities that verifying companies can use to make sure that the passport number claimed by a potential imposter matches the number known for that identity (from this breach). Then you'd have to do what you said and alter the passport in some way to match the breach.
Forge the document with the correct number. Click upload.
You have way too much respect for the security and redundancies of the system.
Only need one account anywhere to be approved. Then you can just do a completely clearnet illicit source transfer to a crypto exchange and disappear the money into tornado.cash or Monero or whatever. The problem stays with the person whose name is on the account.
Alternatively, on Dread, people brag about maintaining funded brokerage accounts opened under other people’s names and accessed over compromised windows machines near where the physical person lives. They trading stocks and options with dollars, with the intent to deal with actual laundering later with a larger amount. There are market places for compromised windows machines by postal code and bandwidth.
If you travel much, or nowadays if you register on just about any legitimate cryptocurrency exchange, you've already shared this information - and usually with a photo.
And with the new COVID stuff/vaccinations, it's being shared more often even if you don't travel.
> And with the new COVID stuff/vaccinations, it's being shared more often even if you don't travel.
What does that have to do with anything? How is your passport information shared any more than before because of "COVID stuff/vaccinations"?
Sorry, sometimes I forget my expat living abroad situation is uncommon. I guess that could be considered “very long term travel”.
Yet.
thanks for nothing incompetent Thai gov!
- someone who has been to Thailand frequently pre covid.
Would be fun to query that DB for men traveling to Thailand alone several times per year.