Online ID Checks: Safety or Scam and Hack Magnet?

Show Notes

In this episode of Scams, Hacks, and Frauds, we explore the new internet age verification laws and their implications for online safety and potential scams. With the UK's Online Safety Act 2023 now in effect and similar legal rules in Australia (Online Safety Amendment (Social Media Minimum Age) Bill 2024) the USA  (including the alarming decision by the Supreme court in NETCHOICE v. MISSISSIPPI)  either in force or coming soon, requiring age verification to access adult and/or Social media sites, we assess whether these measures genuinely protect users or simply make them targets for hackers and scammers.

Join us as we delve into the risks associated with sharing personal data, such as phishing scams and identity theft. We’ll highlight unintended consequences from previous regulations, especially regarding efforts to combat online child exploitation. With a notable data breach at the TEA Dating Advice app revealing sensitive user information, we consider the practical security risks that accompany these verification systems.

As concerns grow, and VPN usage rises to address privacy issues, we discuss the complex dynamics between protecting personal information and potential misuse by malicious actors. Tune in for an enlightening conversation about the evolving landscape of online scams, and learn how to stay vigilant in safeguarding your data. 

We publish new content every other Monday. The  10 minutes our episodes may save your wallet, and help protect your family.

If you like shows like "The Perfect Scam" or "Darknet Diaries" then this show might be for you.  

On our website you’ll find more computer hacking, identity fraud, impersonation, consumer rights and Romance Scams.  To find these and to access our transcripts, visit us at www.scamshacksandfrauds.com.

The transcript and spoken audio are available under the Creative Commons, Share Alike, With Attributions license. For more information on this visit creativecommons.org.  

Transcript

Governments in the UK, Australia, the US, and elsewhere  are tightening internet restrictions. This week, we’re asking: do new age limits and verification laws genuinely protect you, or do they open the door for hackers and scammers to steal your information? Welcome to the podcast that helps you stay safe from scams, hacks, and frauds.

On July 25, 2025, the UK’s Online Safety Act 2023 came into force, which will require users of adult sites to prove they are over 18. In Australia, users of Social media will need to prove they’re over 18 from December, while in the US, the Supreme Court has allowed a law passed in Mississippi which similarly requires users of social media to identify themselves and proce their age to remain in place for now, despite Justice Brett Kavanaugh saying that the law likely breaches US Constitution's First Amendment. Laws with similar restrictions have been enacted in 12 other American states.

Other countries, such as Canada and members of the European Union, are either considering or have implemented similar requirements regarding adult material and social media.

Whenever a new rule, government service or legal requirement is introduced, scammers and hackers seek ways to exploit it. They’re quick to set up phishing sites that mimic legitimate verification pages, or to target databases with weak security. Every extra piece of personal data you share increases your risk of being caught up in fraud or identity theft.

But before we look at those, I want to talk about how rules like these snowball and become bigger than they were ever intended to be.  We’ll do this by working through how the UK’s previous efforts to block Child Sexual Assault material, or CSAM, were used to block access to other types of material.

Since 1996, most of the UK’s internet service providers have been voluntarily filtering CSAM. This followed threats from the police of criminal prosecution if they did not start removing content. With the government standing behind the police, the ISPs created an independent charity called the Internet Watch Foundation, whose mission was to compile and maintain a blacklist of sites containing illegal pornographic material and CSAM, accept reports of sites that may contain such material, and the ISPs that chose to be involved used this information to block sites on the list. 

So, no problem, right? Nobody wants CSAM to be out there, do they?  We certainly do not.

In 2008, 95% of the UK’s home internet users were unable to access parts of Wikipedia when the watch list blocked a page on the site about an Album by a 1970s German hard rock band because of its cover. Not only was the page blocked, but the implementation also prevented some users from editing any page on Wikipedia.  That Album, with that cover art, is available in  both online and physical music stores. After an outcry, the block was removed 4 days later. 

In 2011, the UK’s High Court ordered the UK’s largest ISP, BT to block some specifically named piracy sites. BT’s arguments, echoed by other ISPs, that it was a mere conduit for what users want to access, were undermined by its efforts to block access to child sexual material - that internet watch foundation blacklist as an exaple.   Further orders to block specific piracy sites have followed since then.

Snowballing further, in more recent years, this precedent has been employed to settle property disputes by blocking sites that allegedly sell counterfeit products or violate companies' trademark rules.  

Whilst those blocks are a win when it comes to stopping some types of fraud, It's not impossible that in the future, ISPs could be ordered to block news sites that report on sensitive trials or defamation hearings, as UK news sites have previously been blocked from reporting on some of these in the past with so called “Super Injunctions”, or  the government could decide some  other material is damaging to children could be put behind these blocks.

Since July 25, 2025, the Online Safety Act 2023 has been in force. This will require all sites offering adult content to verify people’s identity either with ID documents or other means to calculate their actual age, such as with a selfie. Mobile Phone operators in the UK have required ID to access Adult sites since 2004. 

We know from Episode 12 that North Korea has been stealing people’s identities, surely they—and every other hacking group out there—will be looking for ways to exploit these new ID checks. Hackers could break into age verification systems or set up convincing fake ID checker sites to steal your details. Once they have your information, scammers can open bank accounts, apply for credit in your name, or target you with phishing attacks. 

If you think this is just fearmongering, then I have bad news for you - it's already happened. TEA Dating Advice is an app that tries to help protect women by allowing women to check to see if their potential dates have a criminal history, sexual abuse record, and really are who they say they are; just last month they annouced that 72,000 images stolen from its servers in a data breach, 13,000 of these were images uploaded for identity checking purposes and include both selfies and IDs, in some cases those have included Military IDs which creates a national Security risk.

Wikipedia, in particular, is concerned that it may have to start identifying its users due to the information available in its encyclopedia and has threatened to block UK users instead of collecting their data, as it is unwilling to take on the risk of that information being hacked.  This would be a significant blow for those who use it to verify the authenticity of something, and a gain for potential fraudsters when their claims can no longer be easily checked.  Other sites could also follow, and for small businesses this may be an impossible burden.

The more restrictions impact people’s day-to-day lives, the more likely they are to turn to a VPN, or Virtual Private Network, to circumvent them. As a result, VPN providers have seen an explosion in user numbers, with one citing a 16-fold increase in their usual traffic.  

As a quick recap of episode 11, which covered VPNs, VPNs send your requests for websites, mail and anything else you want from th internet to a specific place on the internet first, and everything comes back through the same spot, making it look like you’re somewhere else.  If you pick that spot to be, say, Canada, then as far as the rest of the internet is concerned, you’re in Canada.  We discuss the risks of using a VPN and what they do or don’t do in that episode.

The UK govermnet agency tasked with enforcing these restictions - OFCOM - have made it clear that sites subject to these rules cannot mention how to use a VPN to bypass the restrictions and any other country looking to copy these rules would likely want similar rules to ensure their rules arent undermined, despite the free speech concerns, so an adult site can’t simply publish a page on where to find a VPN and how to use them, but that explosion in users to VPN services shows that this restriction isn’t reducing public interest.

There has been some talk of banning VPN use altogether, but this would create new problems.

Banning VPNs creates new security risks as these  networks are crucial privacy tools, particularly for businesses.  It's questionable whether companies can operate with adequate data protection required by laws like GDPR if they cannot use VPNs.

Additionally, VPN providers and hackers could place apps offshore, outside of established app store controls, meaning they remain accessible and are difficult to distinguish as real or fake. We've also seen legitimate VPN providers misusing their positions by selling user data, so this could actually put you at a greater risk of identity fraud than using the ID verification systems the government has demanded..

Critics of this law are sometimes accused of being supportive of child abusers. However, this distracts from genuine concern about privacy, scams, and hacking risks. Hackers and scammers are always on the lookout for ways to access things they should not, and hostile governments have nearly limitless resources to achieve this. Creating a database of your information gives them a significant target, and that target will be even larger when it requires social media site users to share their data.  Anyone who tells you there’s a simple answer to stopping online harm or protecting your privacy is lying to you.

Some ID verification solutions simply assess a selfie rather than requiring official documents to estimate age. While using a selfie might currently offer a safer option, as it is less sensitive than details like a name, date of birth, driver's license, or passport, it may not be suitable for everyone, particularly those who are 18, or just a few years older, and as we discussed about TEA before, if those aren’t deleted when not needed they to remain a risk to you.  The TEA Hack included data that was at least a year old.

Here’s a practical step to protect yourself from scams and hacks: check if your data is already on the dark web and being shared by cybercriminals. Enter the address "haveibeenpwned.com" in your browser. There, enter your email address and click search. If your email has been leaked in a known data breach, you’ll get a warning. Whilst you’re there, set up alerts to be instantly notified of future breaches—this can give you a head start before scammers try to use your information. As an alternative, check if your bank offers tools to monitor for identity theft or suspicious activity and sign up for this service.

Next week, we’re going to look at Encryption.  In the UK, Apple and the UK Government are battling in court because the Government wants to force Apple to decrypt its users' data on demand, and has tried to ban reporting on this. We’ll tell you what this is and why it's important next week.

In the meantime, remember that scams, hacks, and frauds are constantly evolving. Staying informed and cautious is your best defense. Check out all our stories on scamshacksand frauds.com and subscribe on your favourite podcast site or YouTube.