Today, anyone who wants to open an account with an online bank or sign up for a new mobile phone contract no longer necessarily has to go to a branch of the provider.
A virtual presentation via mobile phone app is often enough to show and verify ID or driver's license via a kind of video call.
Options for video identification, often simply called "Video-Ident" in everyday usage, are being offered in more and more areas.
Now, however, experts from the Chaos Computer Club (CCC) led by the renowned security researcher Martin Tschirsich are showing what security risks the procedure apparently entails.
With little effort, they managed to register with six providers under a false identity and were even able to view the electronic patient file of an informed test person.
As early as Tuesday, Gematik, the IT service provider for the health sector, stopped access to the electronic patient file via video identification in response to the attack method now publicly presented by the CCC. Health insurance companies have to switch off the system.
Today, the hackers revealed details of what vulnerabilities they found in video identification methods commonly used in the market.
TV and color
The challenge for the security researchers: they had to deceive the employees at various video identification services.
In a video call, they check certain security features such as the holograms attached to ID cards.
In order to expose fake documents, customers are instructed to hold the ID card in front of the camera at different angles. Sometimes they are also required to cover certain parts of the ID card with a finger to make video manipulation difficult.
A lot of effort was therefore required to cover up an authentic ID card with a digital forgery in such a real-time conversation.
In preparation, security researcher Tschirsich first had to photograph the real ID card from many angles.
In this way, the hackers could create a digital twin of the document in which they could replace the name, address or even the image.
During the video call with the support agent, the real ID could then be seamlessly replaced with the fake twin.
No complex hacks were necessary to show the fake video image in the video call: the hackers simply filmed a commercially available television, on which they played the video manipulated in real time.
Due to the limited video quality of the cell phone cameras, the employees of the video identification service could not tell that the hacker was not sitting directly in front of the cell phone.
But the hackers had difficulties with the details.
Since the hackers' real-time technology sometimes had trouble distinguishing objects, problems arose when they were supposed to cover part of the presented document with their fingers.
The resulting errors in the video would have easily exposed the deception.
But the problem was quickly solved: the test person simply painted the hand red so that the computer could more easily distinguish it from the ID card.
Giving the hand a natural color again via video manipulation was not a problem.
However, the security researcher Tschirsich, who wrote the CCC report presented on Wednesday, assumes that laypersons could also exploit the vulnerabilities.
The necessary techniques for video manipulation are already widespread.
Access to other customer data as well
The hackers' verdict is devastating: according to them, six providers they tested not only accepted the false documents; in one case the security researchers also discovered a vulnerability that allowed them to access other customers' data.
In order to check how susceptible the procedures are to forgery, the hackers also asked the providers for the saved video material of their video identification with the false ID.
The result: imperfections in the manipulated videos were occasionally visible, but were not discovered by the employees of the video identification provider.
They are also said to have ignored whether the security features contained in the hologram matched the other information in the document.
Conclusion of the CCC: The video identification practiced today is a "total failure".
Tschirsich demands consequences: "In the light of these discoveries, it would be negligent to continue to rely on video identification where misuse can potentially cause irreparable damage - for example through unauthorized disclosure of the most intimate health data," explains the security researcher.
The promises of the providers to improve video identification using artificial intelligence are also a dead end.
The conclusion is unlikely to meet with much approval from the providers.
The IT industry association Bitkom complained publicly on Wednesday about the shutdown at the health insurance companies.
"With the blanket and unannounced ban on video identification procedures for health insurance companies, Gematik has done patients in Germany a disservice," explained Bitkom CEO Bernhard Rohleder.
Instead of banning the technology across the board, solutions to secure the procedures should have been presented.
However, the online function of the identity card is not yet a practicable alternative, since too few citizens have activated the function or know how identification with the ID card works.