It sounds like a scene from a spy thriller: In order to fake a false identity for identification via video, the agent films an ID card from all directions. For this purpose, the plastic card lies on a special plate with markings. So that his picture and the desired name appear on the ID card, he cuts them out on the computer from a second filmed ID card using special software. While holding the first ID card up to the camera, the employee who is supposed to check the identity sees a completely different image on their screen. Because the image of the real ID card is superimposed by software on the forgeries, which are displayed on a standard television and filmed a second time from there. And this image arrives at the identifier.
Sound complicated? If it’s not, the Chaos Computer Club (CCC) thinks so. Of course he has nothing to do with espionage. The members of the association are much more concerned with uncovering security gaps, and they see such gaps in the so-called video identification process. Anyone who takes out insurance online today, for example, or wants to open an account at a bank, can register with many providers via video identification. Holding the ID in the computer or mobile phone camera is quick and saves a trip to a post office, for example.
But now the CCC has proven that it is possible to fake an identity. This would allow you to open accounts or gain access to the electronic health record. Gematik, responsible for the digitization of the healthcare system, has therefore stopped the video identification process for electronic patient files. But what about the other providers? And is the security of proof of identity via video really massively compromised?
Is the procedure just dying or is there nothing to complain about?
The video identification process has been around for years. Younger people in particular use the process at online banks such as N26, but large banks and savings banks also take part. A banker from a large German institute says: “Video-Ident is just dying.” Officially, on the other hand, the banks are reassuring and point out the security of the procedure, which has finally been in use for years. According to a survey by the SZ, no well-known bank in Germany is planning to stop the video identification process in the short term. The German banking industry, Germany’s most important interest group for financial institutions, lets it be known that the procedure is “used without objection” and was last checked by the Bafin in 2022 and found to be good.
A spokeswoman for Bafin, in turn, emphasizes: “We take indications of security problems or weaknesses in relation to the identification process very seriously.” However, a conclusive assessment of the attack scenarios is currently not possible because “relevant” details are not yet known. However, should there be a restriction, banks are likely to be hit hard, especially if they have no or only a few branches.
There is also excitement in the insurance industry, and there are currently no signs of a uniform approach. While the general association GDV also refers to the Bafin, the cooperative insurer R+V no longer offers video identification for the time being, but is in contact with its video identification provider to explore “what other measures can be taken to further improve security can be,” the company announced.
The responsible federal office had known about the security gap for some time
The advance of the Chaos Computer Club came as a surprise to the industry of video ID providers, they would have liked to be informed about the gap in advance, according to the industry. The CCC security researcher responsible for the hack, Martin Tschirsich, sees things differently. The Federal Office for Information Security (BSI) has long been aware of this possibility of attack, which is why the authority was only informed on Monday that the report about the successful hack would be published shortly.
Tschirsich says the campaign has been in preparation “for a long time”. The aim was to show that the theoretically known gap can actually be exploited in practice and that the providers do not notice it afterwards. All accounts or accesses opened would still have worked when the announcement was made. Tschirsich considers the effort required to overcome the security mechanisms to be only “moderate”. For the attack to work, two real ID documents are needed, each of which has to be filmed from different perspectives. According to the security researcher, these were provided by test persons. You don’t want to reveal their identity.
The digital association Bitkom reacted very critically to Gematik’s decision to stop video identification immediately. “Because of individual security incidents, which cannot be ruled out in the digital world any more than in the analog world, you (…) must not flatten the video identification process as such with a bulldozer.” According to the association, progress is already being made elsewhere. “Countries like Denmark are showing us how citizens can digitally identify themselves easily, securely and with confidence.”