NASTF Fixing Widespread Problems With Credential Sharing

The National Automotive Service Task Force (NASTF) shut down almost 1,300 vehicle security professional (VSP) accounts on June 11 for sharing their credentials. The sharing was happening both inside businesses and with code brokers who told VSPs that they are approved by NASTF and automakers, according to the organization.

The suspended accounts showed at least five markers or events where their account was shared or an Internet-based code seller was used, NASTF executive officer Donny Seyfer said.

“The key problem we had was that so many of our VSPs were socially engineered by AutoCode to believe that this code broker is affiliated with NASTF,” Seyfer said. “Of course, this is not only not true, it is a violation of our terms and conditions to share your vehicle security credential with anyone.”

A representative of AutoCode denied that the company claims it’s approved by or affiliated with NASTF. “We are anything but the ‘bad guy’ and have no problems to play by NASTF’s rules,” AutoCode said in a statement to Service Executive.

AutoCode said it doesn’t store LSID credentials on its servers, so they’re used once, for fetching the code. The company also said it only provides codes to locksmiths and auto professionals.

“We still hope that we can find a way to work with NASTF and provide locksmiths with a better key code service,” the statement reads. “There are so many ways in which technology could advance this industry. We’ve been thinking of technical solutions that will allow us to satisfy and even improve NASTF’s security requirements …”


There are two kinds of codes: key cut codes, which are the sequence directions for physically cutting a new key; and immobilizer codes, which are the PIN codes that unlock anti-theft security when a new component is replaced on a related system.

NASTF also found a large percentage of its members were not filling out their positive ID forms properly. The violations ranged from not filling them out at all to leaving off key items, like customer signatures and VSP information. More than 100 of these accounts were suspended for a longer period of time to offer training on proper use of the forms.

“We were able to terminate about a dozen accounts that were bad actors acting as code brokers or who were involved in car theft,” Seyfer said.

As a result of the audits and the measures that followed, NASTF paused processing of new and renewal vehicle security applications to the registry until July 9.

“We are almost done with the entire list,” Seyfer said. “Right now, we are down to a handful of accounts who have not yet contacted us to be reinstated. Some of these are very low-volume users who probably have outdated email information with NASTF or bad actors who know we are on to them.”

NASTF believes the planned September release of SDRM 2.0 will streamline the entire process and give users a more secure interface that’s easier to use. It also will help catch users who are breaking the rules, according to the organization.

— Sarah Hollander