Penetration Test | Jan Kahmen | 9 min read

Video-Ident Procedure - Easier to Trick Than You Think

Video-Ident -- also spelled Videoident -- is a convenient alternative to the PostIdent procedure familiar from the post office. It serves to verify identity and is designed to prevent money laundering and fraud. In principle, this makes it an ideal tool for signing new contracts or opening accounts. After all, the process is meant to reliably confirm identity and enhance security. However, video identification has serious vulnerabilities.

What Is a Video Identification Procedure?

If you have not yet opened an online account, you may be wondering: what exactly is a video identification procedure? At its core, it is a way to prove your identity digitally. The key advantage is that the identification process takes place conveniently via video, regardless of your location. All you need is a smartphone, tablet, or laptop along with a standard web browser or a dedicated app.

How Does Video-Ident Work?

Video-Ident requires only a few technical tools. But how exactly does the process work? For online verification via Video-Ident, you receive a link from your potential contractual partner. You open it in a browser or app, and the video identification begins immediately. Staff members at the Ident Center guide you step by step through the process.

For verification, you hold your ID card up to the camera. The software automatically recognizes the front and back and reads the data. As part of the security management process, the security features of your ID card are also checked. Finally, you enter the security code you previously received by SMS or email.

If your online identification via Video-Ident is successful, the staff transmit your data and documents in encrypted form to the contractual partner. This transmission takes only a few minutes -- one reason why the procedure is so popular.

The Chaos Computer Club Successfully Fooled the Video-Ident Procedure

However, the online identification method is not as secure as hoped. Security researchers from the Chaos Computer Club (CCC) have proven this. They managed to outsmart the technology -- despite the extensive security management measures in place.

The result: after video verification, the researchers gained access to an electronic patient record of their test subject. The CCC therefore calls for the technology to be used only in contexts with low potential for harm, since the existing security assessments are insufficient to guarantee the necessary level of protection.

How the CCC Managed to Outsmart the Video-Ident Procedure

There is no question that providers of online ID solutions aim to ensure security through assessments. They also account for security awareness requirements and conduct regular vulnerability checks. Nevertheless, the CCC managed to circumvent these mechanisms and gain access to sensitive personal data.

All that was needed was Open Source Intelligence and a small amount of red watercolor paint. This combination was enough to fake identities in front of verification staff and gain access to sensitive data. The approach demonstrates that deepfakes are not always necessary -- sometimes simple means suffice to bypass modern security systems.

The Chaos Computer Club Gained Access to Highly Sensitive Data

Since 2021, video identification has been a key method for accessing e-patient records and e-prescriptions. However, the CCC demonstrated that it is fundamentally possible to assume a false identity with minimal effort. This gives cybercriminals a potential path to viewing confidential health data.

The exposure goes beyond individual records. It encompasses all information stored at medical practices, hospitals, and health insurance providers -- including filled prescriptions, medical diagnoses, certificates of incapacity, and treatment documentation.

The Effort Required to Deceive Was Minimal

Perhaps the most alarming aspect of this vulnerability: only simple tools were needed for the fraudulent identification. Open Source Intelligence and a small amount of paint were sufficient to access sensitive information. These basic tools, combined with minimal time investment, represent a significant risk.

The German Federal Office for Information Security (BSI) and data protection experts have long warned about such attack scenarios. Since the federal government had not previously encountered concrete security incidents of this kind, the CCC's demonstration now underscores the urgent need for action.

Security Gaps in the Video-Ident Procedure: BaFin and Others React Cautiously

The CCC has proven beyond doubt that video identification is not as secure as previously assumed. Neither artificial intelligence nor attentive employees alone can address this problem. Although regular pentesting and a healthy error culture enhance IT security, there is an acute need for action. Yet BaFin and BNetzA continue to show restraint.

Both organizations oversee video identification for credit contracts and SIM card registrations, among other areas. Unlike the responsible authority in the healthcare sector, neither has imposed a ban on video verification. While both claim to be addressing the security issues and vulnerabilities, concrete action plans remain absent.

Prompted by the CCC, Gematik Bans Video-Ident

The CCC's findings prompted a very different response from Gematik. Germany's digital health infrastructure authority has banned video identification for the time being. The goal is to prevent irreparable harm. This decision demonstrates that the organization takes the protection of sensitive health data very seriously.

Video-Ident Procedure -- Problems Have Been Known for Some Time

By successfully circumventing the technology, the CCC makes one thing clear: current procedures must become more secure. The BSI shares this view and acknowledges the fundamental possibilities for manipulation. The risks associated with Video-Ident procedures were already flagged in the 2020 activity report.

The customs authority's Financial Intelligence Unit also supports this assessment in its 2020 annual report. The relevant authorities specifically identify social engineering attacks targeting third-party ID data as a concrete risk. These expert assessments confirm that Gematik's response to Video-Ident is a sensible step toward greater security.

Fundamental Concerns About Video Identification

Multiple security experts have now confirmed that video verification carries inherent risks. Notably, the online identification process does not leverage the biometric data it captures for actual identity proofing.

This means that although biometric information is available during the identification process, it is not transmitted when verifying identity in business transactions. Video-Ident instead relies solely on the essential information -- which, in principle, could be relatively easily falsified through a manipulated video stream.

Video-Ident Procedure: What the Chaos Computer Club Recommends

The CCC recommends that procedure providers implement additional security measures in existing identification systems. After all, the responsibility for demonstrating security does not rest with you, but with the providers themselves.

An important foundation for improving security should be independent testing under realistic attack conditions. Classic examples of such security measures are pentests. The belief that AI powered by machine learning alone can solve all problems must not prevail.

At the same time, the CCC urges that the recommendations of the German Federal Commissioner for Data Protection and Freedom of Information be taken seriously. The Commissioner and other security experts warned as early as 2020 against the use of Video-Ident under the existing security precautions. Robust data protection is not only essential for small and medium-sized enterprises -- sensitive health and personal data in particular must be protected from unauthorized access.