The Limited Times


Verimi: blatant weaknesses in the digital driver's license revealed


The service provider Verimi offers the digitization of driving licenses. But the photo identification of the app can be tricked with the simplest of means.


Digital driver's license from Verimi: sample counterfeit by Martin Tschirsich

Photo: Martin Tschirsich

Once before, in autumn 2021, a so-called ID wallet for the digital driver's license failed: members of the Chaos Computer Club (CCC) had expressed security concerns, and the service provider Digital Enabling GmbH, commissioned by the federal government at the time, felt it necessary to remove the ID Wallet from the Google and Apple app stores just one week after the official launch.

Now there is a second attempt with a new operator, the ID service provider Verimi, which belongs to Allianz, the Axel Springer publishing house, Bundesdruckerei, Deutsche Telekom, Mercedes-Benz, Samsung and Volkswagen, among others.

But even Verimi has not managed to develop a secure solution for digitizing driver's licenses, as the German IT security researcher Martin Tschirsich demonstrated on Twitter.

According to Tschirsich, he has generated several digital driving licenses under different names, as well as an ID card that shows him as having Swiss citizenship.

This was possible without any problems because Verimi relies on a photo identification process.

Users only need to photograph the front and back of their driver's license and take a selfie to prove that they are the person on the document.

According to Verimi, this is checked in an “AI-supported process”, i.e. apparently without human inspectors.

A comparison with a driver's license register does not take place either.

In order to create a digital driver's license with any name, Tschirsich photographed his real driver's license, changed the name with image processing software, printed out the manipulated files in large format "at the photo kiosk of the nearest drugstore", and then photographed the printouts with the Verimi app.

The app immediately accepted the forgery, along with a selfie taken as requested, and generated the digital driver's licenses with the desired names.

On the one hand, the printout in large format serves to keep fine optical features as recognizable as possible.

On the other hand, Tschirsich does not want to give the impression that he is forging official documents, as he told SPIEGEL.

It all happens particularly quickly because Tschirsich has built a generator in the form of a browser application with blank templates of the desired document and the correct font in each case.

From this, the generator creates “a digital collage” together with a photo, as he describes the software.

The digital driver's license stored in the ID wallet can initially only be used to rent a car or use car-sharing offers.

In the long term, however, the digital image of the driver's license on the smartphone should be able to completely replace analogue identification papers.

For this, however, appropriate changes in the law are required.

So far, only the physical driving license is valid in everyday life.


Source: spiegel

All tech articles on 2022-08-05
