NASTF working to stop VSP code sharing

July 30, 2018
In June the National Automotive Service Task Force shut down more than 1,300 VSP accounts for credential sharing as well as not having the proper positive ID paperwork on file.

Repairers or locksmiths trying to subscribe or renew their subscription to the Vehicle Security Professional (VSP) Registry this summer likely experienced a significant delay. In June the National Automotive Service Task Force shut down more than 1,300 VSP accounts for credential sharing as well as not having the proper positive ID paperwork on file. That effort will make the program more effective and safer, but resulted in a temporary suspension of new and renewal application processing.

The VSP registry was created as part of the NASTF Secure Data Release Model (SDRM). It allows aftermarket access to security sensitive information like key codes, PIN numbers, immobilizer reset information and other types of data for repairers like technicians and locksmiths.

Users that perform security system repairs have to subscribe to the registry to purchase security codes and VIN-specific files from the OEMs.

After evaluating credential usage in the registry, NASTF discovered two critical problems – users were sharing credentials, and many lacked the proper documentation.

Key code brokers were contacting repairers and indicating that they needed their locksmith identification (LSID) passcodes in order to continue receiving service.

Under terms of the VSP agreement, sharing those passcodes with anyone other than the OEM websites is grounds for suspension of the LSID license. In addition, those codes could conceivably be resold or used to steal vehicles. If the key code were traced back to a specific LSID passcode, that means the repairer could be subject to the theft investigation.

“We saw a pretty high number of members using code brokers,” says Donny Seyfer, executive officer at the National Automotive Service Task Force (NASTF). “In some cases, those brokers got into websites in other parts of the world and scrubbed databases to get codes, and then they sold them.”

One of the biggest code brokers is a site called AutoCode.us. “They give people the impression they are affiliated with NASTF,” Seyfer says. “They tell them they are part of NASTF, and say ‘All you have to do is tell us the LSID and password, and we will get the codes for you.’”

Some of the OEMs have also been working to shut down code brokers. “GM has been successful in this because they use regional databases,” Seyfer says. “For a group like AutoCode to hack in and scrub a database in Asia does them no good because they can’t sell those codes in the U.S.”

NASTF also learned that many VSPs were sharing credentials with other co-workers.

“These credentials and IDs are a one-to-one item,” Seyfer says. “We assign the ID to an individual. We do a background check on them. In many cases, a locksmith might be haring a code with multiple people who knew all the login information. We had vehicles stolen that way. There was no accountability.”

NASTF has developed to some tools to help better identify code brokers and reduce credential sharing. According to Seyfer, NASTF now does more digging to confirm that phone number, emails, and websites line up with a subscriber’s identity.

“We also have a new piece of software coming out in September that will make it so that it is easier for the user and better for us when it comes to screening,” Seyfer says. “The user will be able to enter their positive ID form (the D1), enter that online, and sign it. They have to submit the complete form to proceed. It will also make it easier to tie the transaction to the OE. They can collect the information electronically rather than having a copy on hand.”

The D1 form was at the heart of the second problem NASTF discovered: many accounts lacked complete D1 forms.

“Once we started auditing the accounts we found that subscribers were not providing the positive identification forms required by the terms and conditions,” Seyfer says. “They either weren’t doing them or were not doing them correctly.”

Of the 6,000 subscribers in the program, roughly 1,300 were flagged for a problem. The campaign to stop credential sharing resulted in hundreds of VSP accounts being suspended. As of July 16, more than 200 were still under suspension. NASTF estimated it would take all of July to clear the backlog and resolve all of the issues with existing credentials.

Moving forward, Seyfer says there may be some expansion of the use of VSP.

With so much new technology being added to vehicles, OEs are also thinking about securing some diagnostic data using the LSID. “We’re talking about doing something that involves the security of the vehicle, or that is involved calibrating the radar or LIDAR or something like that,” Seyfer says. “We have some OEs doing that now. Ford has it in their too, and Audi has it in their tool. It’s intended more to make it easier to use the tool when you have to do an immobilizer function.”

Sponsored Recommendations

ZEUS+: The Cutting-Edge Diagnostic Solution for Smart, Fast, and Efficient Auto Repairs

The new ZEUS+ simplifies your diagnostic process and guides you through the right repair, avoiding unnecessary steps along the way. It gives you the software coverage, processing...

Diagnostic Pre- and Post-scan Reports are Solid Gold for Profitability

The following article highlights the significance of pre-scans and post-scans, particularly with Snap-on scan tools, showcasing their efficiency in diagnosing issues and preventing...

Unlock Precision and Certainty: TRITON-D10 Webinar Training for Advanced Vehicle Diagnostics

The TRITON-D10 lets you dig deep into the systems of a vehicle and evaluate performance with comparative data, systematically eliminating the unnecessary to provide you with only...

APOLLO-D9: Trustworthy Diagnostics for Precision Repairs

The APOLLO-D9 provides the diagnostic information and resources you need to get the job done. No more hunting through forums or endlessly searching to find the right answers. ...

Voice Your Opinion!

To join the conversation, and become an exclusive member of Vehicle Service Pros, create an account today!