The Limited Times


Hacker risk for ID card data: 50 million users potentially affected

2024-02-18T11:51:12.841Z




As of: February 18, 2024, 12:39 p.m

By: Philipp Bräuner


Apparently there is a security gap in the German E-Perso.

A hacker identified the problem and informed the relevant authority.

Kassel - There was a lot of discussion about possible risks before the online function of the ID card was introduced.

The responsible Federal Ministry of the Interior always emphasized safety when dealing with it.

A report by Spiegel about a possible security gap in the E-Perso is therefore attracting particular attention.


According to Spiegel, a hacker managed to steal the PIN code of the “AusweisApp” and the ID of the identity card.

Fraudsters could use this information, for example, to take out insurance or open bank accounts.

The hacker even carried out the latter successfully.


“White hat hacker” exposes security gap through test attack

However, the attack did not cause any real damage as the hacker with the pseudonym “CtrlAlt” is a so-called white hat hacker.

This group of cybersecurity professionals, whose practice is also known as ethical hacking, aims to test online systems and uncover vulnerabilities - but in the interests of users.

When a vulnerability is discovered, as in this case with the electronic ID card, it is made public and authorities, companies and users are warned.


This type of activity is currently illegal in Germany, so “CtrlAlt” would like to remain anonymous.

However, there is a possibility that this will change in the future.

According to the IT magazine Heise, Federal Justice Minister Buschmann announced last November that he would revise Section 202c of the Criminal Code, colloquially known as the hacker section.

Online ID card data accessed by hackers via fake app

According to Spiegel, in its current test attack, “CtrlAlt” first developed an app to gain access to the data.

This app is so similar to the official “AusweisApp” that laypeople would not be able to tell the difference.

For example, if a victim wants to check their age in an online shop using their e-mail address, the fraudster's hour has come.

Instead of the real “AusweisApp”, the fake application opens unnoticed on the smartphone.

This could have gotten onto the cell phone either via a special Trojan or another fake application from the App Store.

When the victim then scans their ID card and enters the PIN, the data is sent to the hacker instead.


“CtrlAlt” certainly didn’t keep its findings about this vulnerability to itself.

As early as the end of 2023, the hacker forwarded the information to the Federal Office for Information Security (BSI), as stated in the Spiegel report.

He also documented his actions on the Medium platform.

The Federal Office sees end devices as a security risk for the online ID card

According to Spiegel, the BSI stated that it sees no reason to change the “risk assessment when using the eID”.

From the authority's point of view, this is not “an attack on the eID system, but on the users' end devices”.

Ultimately, the attack was carried out via a different app and therefore only on the victim's smartphone.

Nevertheless, the authority emphasized that it was taking the hacker's warning seriously.


(pkb)

The editor wrote this article and then used an AI language model for optimization at his own discretion.

All information has been carefully checked.


Source: merkur
