Penetration TestJan Kahmen9 min read

Video-Ident Procedure - Easier to Trick than You Think

Video-Ident - also spelled Videoident - is a convenient alternative to the PostIdent procedure you know from the post office. It is used to establish identity and is intended to prevent money laundering and fraud.

Table of content

Video-Ident - also spelled Videoident - is a convenient alternative to the PostIdent procedure you know from the post office. It is used to establish identity and is intended to prevent money laundering and fraud. This basically makes it an ideal tool for signing new contracts or opening accounts. After all, this process is supposed to verify identity and increase security. However, video identification suffers from serious problems.

What is a video-identification Procedure?

If you haven't tried to open an online account before, you may be wondering: what is a video-identification process? Basically, it is a way for you to prove your identity. The great advantage of this technology is that identification takes place conveniently and regardless of location via video. To do this, you simply use your smartphone, tablet or laptop. In addition, you only need a common web browser or a corresponding app.

How Does Video-Ident Work?

Video-Ident requires only a few technical tools. But how exactly does Video-Ident work? For online legitimation via Video-Ident, you receive a link from your potential contractual partner. They open this via the browser or an app. Identification via video then begins immediately. The interface is provided by employees in the Ident Center, who will guide you step by step through the Video-Ident process.
For verification, you take your ID card. The software automatically recognizes the front and back. It reads the data as soon as you hold the document up to the camera. Looking at the Security Management, the security features of your ID card are also checked. Finally, you enter the security code that you previously received by SMS or e-mail.
If your online identification via Video-Ident - or Videoident - was successful, the employees send your data and documents in encrypted form to the contract partner. This transmission takes just a few minutes, which makes the procedure particularly popular.

The Chaos Computer Club could Fool the Video-Ident Procedure

But the online Ident method is not as secure as hoped. Security researchers from the Chaos Computer Club (CCC) have proven this. They have managed to outsmart the technology. And this despite the versatile security management that is used for this method.
The result was that they were able to access an electronic patient file of their test subject after video verification. That's why the CCC is calling for the technology to be used only where there is a low potential for harm. After all, security assessments are not sufficient to ensure the necessary security.

This is How the CCC Managed to Outsmart the Video-Ident Procedure

There is no question that providers of online ID solutions want to ensure security with security assessments. The procedure providers also take into account the necessary security awareness and regular checks for security vulnerabilities. Nevertheless, the CCC has managed to circumvent these mechanisms. This allowed the security researchers to gain possession of sensitive personal data.
All that was needed was Open Source Intelligence and a little red watercolor paint. The combination of the two faked foreign identities to employees and allowed them to access sensitive data. This approach shows you that deep fakes are not always necessary. Sometimes simple means are enough to bypass modern security systems.

The Computer Chaos Club Managed to Access Quite a Few Sensitive Data

Since 2021, video identification has been an important solution for accessing e-patient records and e-prescriptions. However, the CCC has shown that it is basically possible to acquire the desired identity without any problems. This gives cybercriminals the opportunity to view the health data at hand.
This does not just include the data itself. It involves all the information stored in doctors' offices, hospitals or health insurance companies. Prescriptions filled, medical diagnoses, certificates of incapacity for work and treatment records also fall into this area.
The effort to deceive was minimal
Probably the most frightening thing about this security breach: Only simple tools were needed for the false online ident method. Open source intelligence and a little paint allowed access to sensitive information. These simple tools, combined with a small amount of time, pose a high risk.
Incidentally, the German Federal Office for Information Security (BSI) and data protection experts have long warned against such access. Since the federal government has not yet had any concrete security incidents, the demonstration from the CCC now presents the acute need for action.

Security Gaps in the Video ID Procedure: BaFin and Co. React Cautiously so Far

The CCC has proven beyond doubt that video identification is not as secure as thought. Neither artificial intelligence nor attentive employees can counteract this problem. Although regular pentesting and a practiced error culture in the company increase IT security, there is an acute need for action. Nevertheless, Bafin and BNetzA are showing restraint.
Both organizations are responsible, for example, for video identification in credit contracts or SIM card registrations. Unlike the responsible body in the healthcare sector, neither has yet imposed a ban on video verification. While both sides say they are addressing the security issues and vulnerabilities. But authoritative action plans are currently lacking.

Prompted by the CCC, Gematik Bans Video-Ident

The CCC's findings have prompted a completely different reaction at Gematik. The digital health infrastructure for Germany prohibits video identification for the time being. The reason is to counteract irreparable damage. This approach shows that the organization does not handle access to your intimate health data lightly at all.

Video-Ident Procedure - Problems Have been Known for a Long Time

By circumventing modern technology, the CCC shows: current procedures must become more secure. This is the opinion of the BSI, which admits the basic possibilities of manipulation. The fact that Video-Ident procedures are fraught with risk was already mentioned in the 2020 activity report.
Customs' Financial Intelligence Unite also supports this assessment in its 2020 annual report. The relevant authorities see one such possibility in social engineering attacks that could target third-party ID data. These expert assessments show: Gematik's response to Video-Ident is a sensible step toward security.

These are Fundamental Concerns About Video Identification

The fact that video verification is risky has now been noted by various security experts. At the same time, Online-Ident does not use the compulsorily captured biometric data for identity proofing.
This means that although this information is available for the identification process, it is not transmitted during proof of identity in business transactions. Instead, Video-Ident focuses on the necessary information. However, these would basically be easy to falsify by a manipulated video stream.

Video-Ident Procedure: What the Chaos Computer Club Recommends

The CCC recommends that the providers of the procedure ensure additional security in the existing ID procedures. After all, it is not up to you to prove that there are security gaps, but up to the procedure providers themselves.
An important basis for increasing security in the future should be independent tests. And these tests should take place under real attack conditions. Classic examples of such security measures are pentests. The sole belief in an AI that solves all problems thanks to machine learning must not prevail.
At the same time, the CCC recommends taking the recommendations of the German Federal Commissioner for Data Protection and Freedom of Information seriously. These and other security experts warned as early as 2020 against the use of Video-Ident under the present security precautions. This is because impeccable data protection is not only necessary in small and medium-sized enterprises. Sensitive health and personal data in particular must be protected from third-party intrusion.

Contact

Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: