Chaos Computer Club Hacks Videoident And Exposes Vulnerabilities
The Chaos Computer Club has hacked the video ident procedures of several service providers and exposed vulnerabilities. The hackers, in turn, described the identification method as a “total failure.” The German health insurance companies have already had to switch off the system.
Recovering forgotten passwords, opening bank accounts, or completing mobile phone applications: all this and more can be done online these days. This is made possible by the so-called video ident procedure, with which one’s own identity can be proven via smartphone or computer.
However, the method is not as reliable as previously assumed. At the beginning of the week, the Chaos Computer Club published a report that led to health insurance companies switching off the video identification system.
Now the computer security experts have shown in a detailed explanation how they outsmarted the video identification system.
This Is How The Chaos Computer Club Outwits Video Ident Procedures
During the Videoident procedure, anyone who wants to identify themselves online is asked by a service employee to hold their ID card in front of the camera at different angles.
The Chaos Computer Club used this process to manipulate the video call technically. To do this, the hackers first created a digital twin of a real ID document, replacing the name, address, and picture. The software then merges the original and the forged document into one video.
When calling the Videoident service, callers then have to hold the ID card in the picture, move it, and, if necessary, cover certain areas with their fingers. For this purpose, the virtual ID card created by the software was played in video form.
Thanks to the smartphones’ mediocre camera quality, the Ident service employees could not tell the difference between the video and a real document.
With the procedure, the Chaos Computer Club outwitted six national and international providers of the video identification procedure. A data leak was discovered during an identification call to a human operator: Signed customer documents, including loan agreements from private consumers, were accessible.
Even Lay People Can Outwit Video Ident
In the course of its investigations, the Chaos Computer Club criticises, among other things, that its attacks succeeded even when errors caused by the video manipulation were visible in the ID document.
The security experts assume that lay people can also carry out the attack with the necessary equipment and appropriate instructions.
All information necessary to prepare was publicly available, including information about the exploited vulnerability itself.
The Video Identification Procedure Is A Total Failure
The Chaos Computer Club describes the security of the video identification process as a “total failure.” In addition, the test attacks confirmed the concerns expressed by data protectionists in the past.
However, the federal government has not been aware of any specific security incidents. The Chaos Computer Club is therefore happy to provide a concrete security incident and report a need for action.
In the light of these discoveries, it would be negligent to continue relying on video identification where misuse can potentially cause irreparable damage – for example, through the unauthorised disclosure of the most confidential health data. In addition, those responsible for the identification procedures should now also consider how to deal with identity determinations that have already been carried out.