Like many of his peers, Andy Lee was crazy about video games when he was in elementary school. The desire to win soon pushed him to learn computer programming, so he could hack the games and grant himself easy wins.
“My preferred method was to write extensions for video games that helped me to win more easily,” he said.
When he entered high school, hacking became much more than just about games. “One time, I skipped classes and failed my exams, so I hacked into the school’s grade system and tweaked the scores for the whole class to pass.”
Later, Lee met Dalton Hsu, a like-minded peer and an enthusiastic hacker, at university.
In March 2015, Hsu broke into the ticketing system of a Taiwanese high-speed rail operator after hearing rumors of a weakness that allowed users to manipulate the ticket price. An engineer working for the company subsequently discovered the hacking attempt and reported the incident to the authorities.
While Hsu admitted breaking into the system, he said that his goal was only to prove that the system was vulnerable. According to a report by local media Liberty Time Net, the cyberattack cost the rail operator TWD 3,000 (USD 110). Hsu had to pay TWD 150,000 (USD 5,400) in fines.
“When we were younger, Dalton and I found joy in exploiting security flaws in computer software. But as the years went by, we wanted to channel our expertise into something more meaningful and impactful,” Lee said.
They realized that lots of websites are shoddily constructed and vulnerable to attacks. At the same time, the risks were overlooked by cybersecurity policymakers because they are out of touch with these developments that have real consequences.
In his spare time, Hsu would hack into online shopping sites and insert large-sum orders that were confirmed but not paid for. “I wanted them to contact me to find out what’s wrong. Or I might contact them, but I definitely wouldn’t ask them for money [for revealing the bug],” Hsu told local media Business Today.
However, based on his experience, most companies contacted him only to inform him that there is a problem with the order, and that it must be cancelled. No one took the initiative to address the security weak points.
Lee and Hsu’s enthusiasm for hacking resulted in the shared vision of safeguarding digital identity, which for some people is their most private information.
Together with co-founder Kuo Chan Tseng, the three founded AuthMe in September 2019 to offer identity authentication solutions to businesses.
According to Lee, contemporary methods of digital identity verification take too long to process and are susceptible to hacks such as deepfakes that can fool the system, making widespread adoption challenging.
AuthMe’s proposed solution, involving scanning the user’s identity card before facial recognition and liveness detection that confirms the user is a living person, only takes three minutes to complete, said the company.
Last year, when the AuthMe team was researching near-field communication (NFC), which enables contactless data exchange within short distances, they discovered a bug in MyData, a platform managed by the Taiwanese government that allows citizens to access and download their personal information and authorize data transfers.
“We immediately informed the government and Audrey Tang, the digital minister of Taiwan,” Lee said. “Tang and her team promptly scheduled a meeting with AuthMe to learn how to fix the issues. It was actually a very memorable experience to enhance public security on a technological level”.
Nowadays, Lee still counts drilling into network vulnerabilities and security flaws among his favorite pastimes.
“The fundamental basis of hacking is to outsmart a system. To do that, you have to think outside the box,” he said. “That’s what I’ve learned over the years, and am still trying to master today.”