Experts warn against careless personal data sharing in surge of bank frauds

Cybersecurity expert Ngo Minh Hieu explains how criminals use virtual machines and “face farming” to bypass bank biometrics, sourcing ID data from voluntary sellers and leaky lending apps to fuel fraud.

Cybersecurity expert Ngo Minh Hieu

Bank account trading is not new, but recently criminals have been packaging the accounts with full identity and biometric data. This “biometric packaging” is achievable via two main methods, according to expert Ngo Minh Hieu.

In the first method, high-tech criminal groups have developed a tool that costs around VND15 million (US$590). This tool is installed on a jailbroken phone. Buyers cannot install it themselves; it is sold bundled with a basic phone, which costs about VND5 million ($195), bringing the total to VND20 million ($785) for the hardware and software package. These groups then use this setup with software that emulates biometric videos, typically VCam. This method is only effective against banks with weak biometric authentication layers.

The second, more advanced method involves bypassing biometrics using “virtual machines” (VM) on a computer. Criminals often use Android Virtual Device (AVD) VM software, installing dozens of virtual machines on a single computer to control multiple accounts simultaneously.

They integrate software that automatically feeds the required biometric video into the banking app on demand. These videos are usually purchased from individuals – often students or low-income earners – who sell their real identities for VND500,000 to 1 million ($20-39) per set. The advantage of this method is its flexibility and ease of bypassing authentication without a live person, but it demands advanced technical skills and a significant initial investment, making it less common.

Mr. Hieu then mentioned the practice of “farming” people to rent out their faces for biometric verification, which is reportedly rampant. This method has existed for a while but persists because it is specifically designed to defeat the strong security systems of banks that fake videos or VMs cannot bypass.

The approach involves hiring real people – typically young, low-income individuals – for long-term lodging. The criminal groups pay them a fixed salary or a percentage of the profits from each successfully opened account. The condition is that the person must live on-site and be available at all times to perform live biometric authentication as required by the banking application. While this is a costly method, it allows criminals to open a large number of bank accounts with diverse identities, as they have a real person to authenticate each login.

The Hue City Police are arresting Le Dat, the leader of the ring illegally trading 6.2 million personal data records

Explaining where the data behind the massive trade in national ID card photos and biometric videos on online forums comes from, the cybersecurity expert said there are likely two primary sources.

The first is from users who provide it voluntarily. Many students, factory workers, or people in urgent need of money are enticed to sell their personal information for anywhere from a few dozen to a few hundred thousand dong. They photograph their ID cards and record facial videos according to instructions, then send them to an intermediary. These data sets are then packaged into “account combos” and sold to high-tech criminals.

The second source, which is more severe, involves data leaks from online lending applications. Many loan apps, particularly those involved in predatory lending (also known as “black credit”), require borrowers to submit photos of their ID cards and verification videos. These applications often have lax data security, making them vulnerable to hacking, or the app owners themselves may sell the user data for profit.

Mr. Hieu stressed that the primary purpose of collecting bank accounts and ID data is for money laundering, fraud, opening e-wallets, or creating fake identity shells for cryptocurrency trading and predatory lending.

Therefore, citizens must never, under any circumstances, sell their personal information – be it phone numbers, ID cards, or banking details. The public is advised against opening bank accounts on behalf of strangers, regardless of payment. It is also essential to limit the amount of personal information posted on social media. Meanwhile, state management agencies must tighten the account opening process for both individuals and businesses.

According to a survey by the Vietnam Information Security Association (VNISA), a staggering 66.24 percent of users confirmed their information had been used without their permission.

Vice Chairman Ha Hai of the HCMC Bar Association stated that blank national ID card templates are managed by the Ministry of Public Security, considered state assets, securely held, and only to be issued to citizens according to proper legal procedures. The open trading of these blank cards or large quantities of genuine ID cards constitutes a serious violation of the law.

Specifically, the act of buying, selling, exchanging, appropriating, or illegally using information and data from the national population database, the citizen identification database, or the electronic identification and authentication system is strictly prohibited under Article 7 of the 2023 Law on Citizen Identification. Individuals who commit the act of buying or selling national ID cards may face administrative penalties or even criminal prosecution.
