One of the biggest code brokers is a site called AutoCode.us. “They give people the impression they are affiliated with NASTF,” Seyfer says. “They tell them they are part of NASTF, and say ‘All you have to do is tell us the LSID and password, and we will get the codes for you.’”
Some of the OEMs have also been working to shut down code brokers. “GM has been successful in this because they use regional databases,” Seyfer says. “For a group like AutoCode to hack in and scrub a database in Asia does them no good because they can’t sell those codes in the U.S.”
NASTF also learned that many VSPs were sharing credentials with other co-workers.
“These credentials and IDs are a one-to-one item,” Seyfer says. “We assign the ID to an individual. We do a background check on them. In many cases, a locksmith might be haring a code with multiple people who knew all the login information. We had vehicles stolen that way. There was no accountability.”
NASTF has developed to some tools to help better identify code brokers and reduce credential sharing. According to Seyfer, NASTF now does more digging to confirm that phone number, emails, and websites line up with a subscriber’s identity.
“We also have a new piece of software coming out in September that will make it so that it is easier for the user and better for us when it comes to screening,” Seyfer says. “The user will be able to enter their positive ID form (the D1), enter that online, and sign it. They have to submit the complete form to proceed. It will also make it easier to tie the transaction to the OE. They can collect the information electronically rather than having a copy on hand.”
The D1 form was at the heart of the second problem NASTF discovered: many accounts lacked complete D1 forms.
“Once we started auditing the accounts we found that subscribers were not providing the positive identification forms required by the terms and conditions,” Seyfer says. “They either weren’t doing them or were not doing them correctly.”
Of the 6,000 subscribers in the program, roughly 1,300 were flagged for a problem. The campaign to stop credential sharing resulted in hundreds of VSP accounts being suspended. As of July 16, more than 200 were still under suspension. NASTF estimated it would take all of July to clear the backlog and resolve all of the issues with existing credentials.
Moving forward, Seyfer says there may be some expansion of the use of VSP.
With so much new technology being added to vehicles, OEs are also thinking about securing some diagnostic data using the LSID. “We’re talking about doing something that involves the security of the vehicle, or that is involved calibrating the radar or LIDAR or something like that,” Seyfer says. “We have some OEs doing that now. Ford has it in their too, and Audi has it in their tool. It’s intended more to make it easier to use the tool when you have to do an immobilizer function.”