MyVisit: How to Sell a Queue in MyVisit (fast)
What is MyVisit?
MyVisit is an application for booking queues to obtain government and quasi-governmental services provided by various Israeli ministries and other government organizations.
MyVisit is developed by the Israeli company Qnomy, which builds appointment-scheduling solutions and sells them to businesses and government organizations. According to a web search, their clients include the Australian government and the US military.
The application started operating in 2013 and initially served as a way to arrive at a designated time and place and receive the needed service without standing in a physical queue. With the onset of the pandemic in 2020, when the number of people allowed in one location became strictly regulated, booking moved entirely to MyVisit.
The most in-demand government services for citizens are the issuance of biometric documents: teudat zeut (ID card) and darkon (passport). These services are also the culmination of the aliyah process: absolutely all new repatriates need to obtain a teudat zeut, and the vast majority also need a darkon.
At the moment of that final transition, the system broke down.
What is the problem?
Almost immediately after the full transition to myVisit, it became clear that the system could not cope with the load: users who wanted to book an appointment for biometric government services saw the earliest available slots roughly six months out.
At the same time, dozens of illegal organizations appeared, offering to arrange an appointment within days for a fee. All of them share the same characteristics: they operate illegally, take cash off the books, give no guarantees, advertise on Telegram, and, most importantly, all of them parasitize on myVisit.
I will try to explain why this is possible and how it could be fixed.
Flaws in myVisit
The central part of Qnomy's system is the backend for their products, called Q-Flow. Products such as myVisit are clients of Q-Flow and use its API.
The main problems lie in the direct communication between myVisit (client) and Q-Flow (server). These are the issues that need close attention:
- No verification of the TZ number (Teudat Zehut). When submitting an appointment request, the TZ is a required field, but myVisit only checks that the input conforms to the formal rules by which all TZ numbers are constructed (a check digit). This algorithm is not a secret: a detailed explanation with a JavaScript example can be found at this link. Consequently, any number that passes the checksum can be submitted; myVisit checks its validity, but not its authenticity.
- Any number of appointments can be booked with the same phone number. This makes it easy for fraudsters to book all available slots for themselves and then hand them over to buyers (this can be done in several ways; the easiest is to cancel the appointment and immediately rebook it with the buyer's "correct" details).
- In the mobile application, available appointments can be checked and booked without registration. All the user has to enter is a phone number (from which the appointment details can later be changed) and the answer to a captcha, which is primitive and easily solved with standard computer-vision frameworks.
- There are no rate limits, so requests for available slots can be issued continuously, every second, to learn about newly released slots as quickly as possible.
- The mobile application's code is available to anyone interested. Since the application is written in JavaScript (an Angular application wrapped in Ionic), it is enough to unpack the Android APK in any development tool to get a complete picture of how the application works. Part of the code is obfuscated, but the variable and function names make the logic easy to follow.
- The backend (Q-nomy API) is protected only by the weak captcha described above and by an API token that is the same for every version of the application and the website, and is available to anyone interested: it sits in plain view in the application source and can be observed in browser traffic.
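To make the "validity, not authenticity" point concrete, here is the public check-digit algorithm for Israeli ID numbers as an added example (this is not code from myVisit, Qnomy, or the link mentioned above). It shows that any 8-digit prefix can be completed into a number that passes the check, so a checksum-only validator accepts a hundred million numbers and proves nothing about whether one belongs to a real person. The sample numbers below are constructed for the demo.

```javascript
// Added example: the public Luhn-style check digit used by Israeli ID numbers.
// Digits are weighted 1,2,1,2,... left to right; a product above 9 has 9
// subtracted; the number is "valid" when the sum is divisible by 10.
// By convention, IDs shorter than 9 digits are left-padded with zeros.

// Weighted digit sum of a string of digits (no length check).
function weightedSum(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let p = Number(digits[i]) * ((i % 2) + 1); // weight 1 for even index, 2 for odd
    if (p > 9) p -= 9;
    sum += p;
  }
  return sum;
}

// Returns true when `tz` (1-9 digits, zero-padded to 9) passes the checksum.
// This is the kind of check the article describes: format, not identity.
function isValidTz(tz) {
  if (!/^\d{1,9}$/.test(tz)) return false;
  return weightedSum(tz.padStart(9, '0')) % 10 === 0;
}

// Returns the single check digit that turns an 8-digit prefix into a "valid" TZ.
// The 9th digit has weight 1, so it simply has to cancel the remainder.
function checkDigitFor(prefix8) {
  if (!/^\d{8}$/.test(prefix8)) throw new Error('prefix must be exactly 8 digits');
  return String((10 - (weightedSum(prefix8) % 10)) % 10);
}

// Any 8-digit prefix at all yields exactly one number that isValidTz accepts.
function makeValidTz(prefix8) {
  return prefix8 + checkDigitFor(prefix8);
}

// Constructed sample values (not real people's IDs).
// isValidTz('000000018') -> true, isValidTz('000000017') -> false,
// makeValidTz('12345678') -> '123456782'
```

Because the check digit is a function of the other eight digits, "validate the TZ" in the sense the app currently does it is a format check; only a lookup against a government identity source (the gov.il authentication suggested later in the article) would establish that the number belongs to the person booking.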
All of the above allows anyone with a little programming and automation experience to write a program that uses myVisit automatically.
As a result, a whole set of illegal organizations now continuously scans for available slots automatically and reserves them the instant they appear, creating an artificial shortage of bookable slots.
And it is precisely because myVisit's functions are so easy to abuse that an ordinary Israeli who wants, for example, to renew a passport is forced to choose one of the following:
- Book a slot at a remote branch of the Ministry of Interior, such as Eilat or Afula.
- Book a slot half a year out.
- Spend hours and days continuously trying to snatch an appointment, competing with a crowd of automated bots.
- Pay scammers for a government service that is free.
Public attempts to influence the situation
- The investigation by the "Голденберг Говорит" ("Goldenberg Speaks") channel and publications in Russian-language media in December 2022 did not bring significant results.
- Attempts to ban groups selling appointment slots have been unsuccessful; new groups appear within five minutes.
- Personal user projects, discussed below:
Personal projects
On GitHub you can find numerous abandoned repositories whose descriptions boil down to: "I needed to order a new passport for my daughter, myVisit wouldn't let me, so I wrote this script." This once again shows that any programmer can solve the problem for themselves.
However, most people are not programmers.
Public free bots with open-source code
Judging by what can be found on GitHub, concerned individuals have already tried to create alternatives to the fraudulent organizations: free, open-source bots that anyone can use. However, as soon as such projects became popular, myVisit quickly banned them, destroying the only relatively simple way to receive public services within a reasonable time. Meanwhile, the paid bots run by scammers continue to work.
The best-known project of this kind is https://gamkenbot.com. Today its page contains only a short message saying that it was banned about a week after it became popular.
More information: https://www.akamai.com/blog/security-research/bots-scalping-israeli-government-services
Public semi-free projects with closed source code
There are also services on the internet that place you in the queue automatically but prefer to operate in a less illegal, more gray area.
For example, the website https://picktimebot.com lets users join a waiting list for automatic booking. In doing so, however, the site's unknown authors collect a lot of personal data, and for a "small donation of 100-200₪" they can move the user up the list. At the time of writing, we could not find anyone who had successfully used this service.
Some Telegram groups, such as QuickSlot, publish free notifications about newly available slots while unobtrusively offering the services of "assistants" who can help snatch an appointment in time.
What threats and damage does the myVisit situation pose?
National security. Given the state of emergency in force in the country since May 19, 1948, and the peculiarities of our geopolitical situation, national security is an acute issue. Yet it turns out that the only service through which government services can be obtained can be abused by anyone with a minimal set of technical skills.
Shadow economy. Because citizens cannot receive the government services they are entitled to for free, a large shadow sector has emerged that "solves problems for a small fee of $100-500." Entire companies now offer "complete bureaucratic consulting" to native Israelis and new repatriates alike.
Integration of repatriates worsens. Repatriation to one's homeland is a complex process that many of us, or our parents and grandparents, have gone through in one way or another. Unfortunately, many repatriates today are stuck in limbo, waiting in endless queues for their documents, which not only prevents them from fully integrating into our society but also stops them from making ends meet and completing the process of obtaining basic documents and legalizing their status.
Public dissatisfaction. Citizens cannot access government services to which they are entitled.
Results
All of the above indicates that the situation around myVisit is close to catastrophic: the only application through which the most in-demand government services can be obtained does not work properly, yet it allows a huge number of scammers to operate and earn money, illegally obtaining both money and personal data from Israelis.
In addition, I contacted the CEO of Qnomy with a request for comment on the problem of queues and scammers.
His response can be summarized as: "Regarding scammers, go to the police; regarding the Ministry of Interior, go to the Ministry of Interior." I have also received information that they are working on a new product instead of fixing the old one; I do not know how true this is.
At the same time, the situation can be significantly improved by improving myVisit itself. Understanding the complexity of developing such a product, and without claiming to be an advisor, I would like to list a number of measures that, in my opinion, could make 90% of this article irrelevant:
- Introduce rate limits to prevent endless scanning of available slots from a single device.
- Allow no more than one booking of the same service per phone number.
- Block immediate re-booking of the same service from the same phone number right after a cancellation (to prevent easy "transfer" of a booking to another person).
- Do not allow booking without confirming the phone number.
- Use a stronger captcha (for example, reCAPTCHA) that is significantly harder to pass.
- Verify the entered TZ.
- Add authentication through gov.co.il or gov.id.
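As an added example of what the first four measures look like in code (this is not myVisit or Qnomy code, and the limits, names, phone numbers and slot ids are assumptions constructed for the demo), here is a minimal in-memory booking service that enforces a sliding-window search limit, one active booking per phone and service, a cooldown after cancellation, and phone confirmation before booking. The `demo()` function walks through the scalper flow described earlier (book everything, cancel, immediately rebook for the buyer, scan every second) and records what happens at each step.

```javascript
// Added example: booking-side controls for the abuses described in the article.
// Everything here (class names, limits, sample data) is invented for the demo.

const QUERY_LIMIT = 10;                    // slot searches allowed per window, per key
const QUERY_WINDOW_MS = 60 * 1000;         // sliding window for the search limit
const REBOOK_COOLDOWN_MS = 15 * 60 * 1000; // wait after cancelling before rebooking the same service

class BookingService {
  // `now` is injectable so the demo can drive a fake clock instead of waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.queries = new Map();   // key -> timestamps of recent searches (sliding window)
    this.bookings = new Map();  // "phone|service" -> slotId
    this.cooldowns = new Map(); // "phone|service" -> earliest time a new booking is allowed
    this.verified = new Set();  // phones that completed OTP confirmation
    this.taken = new Set();     // slot ids currently booked
  }

  // Sliding-window limit on slot searches. `key` must be something the caller
  // cannot change at will (a verified phone or authenticated user), because a
  // shared API token, as in the current app, identifies nobody.
  searchSlots(key, slots) {
    const t = this.now();
    const recent = (this.queries.get(key) || []).filter(ts => t - ts < QUERY_WINDOW_MS);
    if (recent.length >= QUERY_LIMIT) {
      this.queries.set(key, recent);
      return { ok: false, reason: 'rate_limited' };
    }
    recent.push(t);
    this.queries.set(key, recent);
    return { ok: true, slots: slots.filter(s => !this.taken.has(s)) };
  }

  // Called only after the user proves control of the phone (e.g. SMS OTP).
  verifyPhone(phone) { this.verified.add(phone); }

  book(phone, service, slotId) {
    const k = `${phone}|${service}`;
    if (!this.verified.has(phone)) return { ok: false, reason: 'phone_not_verified' };
    if (this.bookings.has(k)) return { ok: false, reason: 'already_booked' };
    if ((this.cooldowns.get(k) || 0) > this.now()) return { ok: false, reason: 'cooldown' };
    if (this.taken.has(slotId)) return { ok: false, reason: 'slot_taken' };
    this.bookings.set(k, slotId);
    this.taken.add(slotId);
    return { ok: true, slotId };
  }

  // Cancelling releases the slot to everyone and starts the cooldown for this
  // phone+service, so "cancel and immediately rebook for the buyer" no longer works.
  cancel(phone, service) {
    const k = `${phone}|${service}`;
    const slotId = this.bookings.get(k);
    if (slotId === undefined) return { ok: false, reason: 'no_booking' };
    this.bookings.delete(k);
    this.taken.delete(slotId);
    this.cooldowns.set(k, this.now() + REBOOK_COOLDOWN_MS);
    return { ok: true, released: slotId };
  }
}

// Runs the scalper's flow against the controls and returns each step's outcome in order.
function demo() {
  let clock = 0;
  const svc = new BookingService(() => clock);
  const phone = '050-0000000';         // constructed sample number
  const slots = ['slot-A', 'slot-B'];  // constructed sample slot ids
  const out = [];

  out.push(svc.book(phone, 'passport', 'slot-A').reason);  // phone_not_verified
  svc.verifyPhone(phone);
  out.push(svc.book(phone, 'passport', 'slot-A').ok);      // true
  out.push(svc.book(phone, 'passport', 'slot-B').reason);  // already_booked
  out.push(svc.cancel(phone, 'passport').released);        // slot-A
  out.push(svc.book(phone, 'passport', 'slot-A').reason);  // cooldown
  clock += REBOOK_COOLDOWN_MS;
  out.push(svc.book(phone, 'passport', 'slot-A').ok);      // true

  // Continuous scanning: the 11th search inside one window is refused,
  // and a search after the window passes sees only slots still free.
  for (let i = 0; i < QUERY_LIMIT; i++) svc.searchSlots(phone, slots);
  out.push(svc.searchSlots(phone, slots).reason);          // rate_limited
  clock += QUERY_WINDOW_MS;
  out.push(svc.searchSlots(phone, slots).slots.join(',')); // slot-B
  return out;
}
```

The cooldown is deliberately keyed to the phone and service rather than to the slot: the cancelled slot goes straight back into the public pool, so the scalper's buyer has to compete for it like everyone else, while the scalper's own phone cannot simply re-grab it. Note that the rate limit is only as good as its key; with a single shared API token and no login there is nothing reliable to key on, which is why the phone-confirmation and gov.il authentication items on the list matter for the rate-limit item too.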
Benyamin Ginzburg & Leonid Goldenberg https://t.me/goldenberg_g