After Videoident hack: Everyone checks, banks continue to trust for the time being


After the CCC hack of video identification systems from various providers, the responsible authorities and ministries disagree in their assessment of the danger.

After serious security deficiencies in video identification systems became known, the responsible authorities and ministries remain divided in their assessment, while Bitkom and the banking association see no problem for the time being. The Federal Ministry of Health (BMG) welcomed the temporary ban on video identification issued by Gematik on Tuesday: patient and treatment data in particular are highly sensitive, which is why the BMG is striving for high security standards. Gematik, which is responsible for the digitization of the healthcare system, had already pulled the emergency brake on Tuesday, ahead of the publication of the CCC attack documentation on Wednesday.

A second area in which video identification procedures are frequently used is online account opening. The competent Federal Financial Supervisory Authority (Bafin) said on request that it also takes the information very seriously, but that it does not yet know the relevant details. “Therefore, a final assessment of the attack scenarios described and a decision on possible measures is not yet possible,” said a Bafin spokesman.

The banking association points out that, as recently as May 2022, Bafin rated the video identification process as sufficiently secure when combined with other measures. According to a spokeswoman, these additional measures include subjecting new customers to strict transaction monitoring for a period of six to twelve months.

The Federal Ministry of the Interior, on the other hand, is more skeptical: “The video and auto-identification process is basically a bridging technology that is currently used for remote identification due to its market penetration and availability,” explained a spokesman. The ministry takes the attack vectors documented by the CCC very seriously and wants to examine them carefully, and then also assess the future of Videoident as a whole.

The Federal Office for Information Security (BSI), which is subordinate to the Federal Ministry of the Interior, is more explicit: “With video-based remote identification solutions, it is fundamentally possible to manipulate the video stream, so that video-based solutions cannot achieve the same level of security as, for example, the online ID function of the ID card,” explains a spokesman. “The decision as to the extent to which the video identification process can continue to be used in other areas of application under the given circumstances is the responsibility of the respective supervisory authorities.”

According to the BSI, not all details of the respective attack scenarios are available yet; once they are, a careful examination will follow. The attack variant now shown by the CCC was not previously known to the BSI in the form presented. Possible manipulations of video streams have been pointed out repeatedly in the past. What is new, however, is that the attacks by the CCC “apparently were also carried out in productive video identification systems,” explains the BSI spokesman. The Bonn-based authority has already been critical of Videoident procedures in the past.

Meanwhile, the IT industry association Bitkom has criticized Gematik's ban on video identification. According to the association, the online identification function of the ID card is currently not a practicable alternative. “The already sluggish introduction of the electronic patient file is unnecessarily complicated as a result,” criticizes Managing Director Bernhard Rohleder. The video identification process is “an integral part of many services”, from car sharing to credit checks. Providers without known security gaps would therefore have to be approved again by the health insurance companies, Rohleder demanded.