Services offering Video-Ident allow users to prove their identity to them by transmitting video showing themselves and an identity document for verification by an operator or by software. Once identified, individuals can proceed to sign up for cell phone contracts, create electronic signatures which are legally binding throughout the EU (QES), apply for credit and open bank accounts – or access their German personal health record (ePA).
A specially devised choreography designed to reveal circumstantial evidence such as visible security holograms or facial expressions is supposed to answer two critical questions in every Video-Ident session: Is the identity document genuine? Is the person in front of the camera genuine? Video-Ident service providers claim that their solutions reliably detect fraud attempts.
Open source software and a little watercolour
Martin Tschirsich, a security researcher with the CCC, demonstrates the failure to keep that promise in his report published today (all links refer to sources in German). In 2019 Tschirsich had already demonstrated how unauthorized individuals could acquire German medical insurance cards as well as special doctors’ and clinics’ electronic ID cards.
Links and further information
- Chaos Computer Club: Attack on Video-Ident
- gematik press release, 9 August 2022
- 35C3 talk: Circumventing video identification using augmented reality
- As early as 2019, glaring security vulnerabilities were discovered in Telematik, which could be used to forge e.g. doctor’s IDs at will.
- CCC announcement from 2013: Deceptive security: the electronic ID card
- BfDI: 29th Activity Report on Data Protection and Freedom of Information 2020, 7.11 Video identification procedures: current fundamental decision by the BfDI with implications for many areas