According to leaked documents, Verimi instructed employees to generate the transactions required to keep its status as a payment institution. There are also problems with its photo identification process.
Things are not going well for the identity service provider Verimi at the moment. On top of the accusation that the Berlin company, which started out as a login service, deceived the Federal Financial Supervisory Authority (BaFin) when it introduced its payment product “Verimi Pay”, it now faces criticism for a data breach that was not disclosed in time and for an insecure digital identification process.
Looking for a business idea
Verimi is supported by companies such as the Allianz insurance group, Axel Springer, Bundesdruckerei, Daimler, Deutsche Bank, Deutsche Telekom and Lufthansa and has been looking for a brilliant business idea since 2017. Originally, the start-up wanted to compete with US giants such as Google and Facebook with a universal login service (“single sign-on”), but that didn’t really work.
Since 2019, the company has focused on electronic identity (eID), i.e. a more comprehensive form of online ID. For example, it teamed up with the Fraunhofer Institute for Applied and Integrated Security (AISEC) and designed the concept of a “Germany ID” (DeID) as part of the state-sponsored innovation competition Schaufenster Secure Digital Identities.
However, the requirements in Germany for identifying people using their ID card and making the collected identity data available to third parties are high. To do so, providers must fulfil due diligence obligations such as the identification requirements of anti-money-laundering law. Verimi therefore applied to BaFin for a licence as a so-called payment institution, which can offer services similar to PayPal.
In April 2019, the ID service provider received the approval of the financial supervisory authority. Since then, however, it has also had to prove that it meets the requirements, for example by reporting the number of transactions carried out each month to BaFin. The company therefore developed the “Verimi Pay” payment solution, which online shops can integrate so that users can pay by electronic direct debit.
However, the market for payment providers is already largely saturated. According to internal documents that the IT security researcher Lilith Wittmann published in a blog post on Thursday, Verimi was desperately looking for partners who would adopt the new payment service. When it came to the proof of activity required by BaFin, the company also resorted to considerable trickery.
At the end of July 2019, according to an excerpt from a copy of an internal weekly newsletter, the Verimi board of directors explained to all employees that Verimi Pay had to be integrated in at least a handful of companies by mid-September. In November, the same channel was used to indicate that at least three partners had now been found, as another piece of document shows: the “Bild Shop” operated by Axel Springer, the “photo-druck.de” site operated by Photodruck PixArt GmbH, and the “Kwadrat.art” store specializing in “art prints”.
Employees were to generate around 2000 transactions
The latter domain currently redirects to the website of a management consultancy run by Holger Junghanns. He was a partner at the consulting firm PwC until September 2019 and, among other things, advised Verimi with his team. Beyond this unsavoury detail, another email shows that Verimi boss Roland Adrian asked all 80 employees of the company on November 13, 2019 to make at least five payments in online shops with Verimi Pay as soon as possible in order to reach the 2000 transactions needed for the BaFin proof.
According to another snippet, the board was able to give the all-clear at the end of November: the “crisis team” that had been responsible for compliance with the requirements of the Payment Services Supervision Act could now be dissolved, it says. In the meantime, Verimi Pay is only integrated at Photo-Drucke.de. It is questionable whether this niche offering will continue to generate the transactions necessary to retain the payment licence.
“We take Lilith Wittmann’s criticism very seriously, are examining it and are constantly working on making the Verimi system even safer for our users,” the company tweeted at the end of July. “We are always open to a critical dialogue.” The company did not want to comment on the documents published since then for “legal reasons”. BaFin referred to its “legal duty of confidentiality”, Junghanns to reasons of confidentiality.
Also likely to be a matter for the supervisory authorities is that Verimi relies on the “Foto-Ident” procedure to identify and verify users for its own ID wallet. The digital wallet is meant to make it easy to store a driver’s licence on a smartphone; the associated data can then be presented from there or passed on to partner companies.
Foto-Ident is open to fraud attempts
Foto-Ident is considered by BaFin to be “not a secure method of determining identity”. The customer only has to send a photo of themselves and their ID card to a service provider such as Verimi via an app. Checking important security features of the ID card is therefore not possible at all. Testers abroad, for example, have already succeeded in opening accounts with the N26 banking app using photos of ID cards that were clearly recognisable as fakes.
The IT security researcher Martin Tschirsich has now also shown on Twitter, using Verimi’s ID wallet, how easy it is to trick Veriff’s photo identification process. “I photograph the front and back of my driver’s licence, change the name digitally and print out the images larger than life at the photo kiosk in the nearest drugstore,” writes the expert. He then photographed the manipulated images with the app and took a selfie. The “AI-assisted process” confirmed the authenticity of the images within seconds: “Total duration of the ‘attack’: 30 minutes.”
According to the Verimi ID wallet, he is now “the proud owner of several digital driver’s licences and Swiss citizenship,” explains Tschirsich. Because of its known security deficiencies, Foto-Ident may only be used in Germany in sectors “that are not subject to any special regulation”. It remains unclear “why Verimi considered the procedure suitable for the second attempt at a digital driver’s licence”. Previously, the ID wallet programme promoted by the Federal Chancellery, which had similar identification goals, had failed because of a security gap identified earlier.
Verimi is also in trouble with the Berlin data protection authority: after receiving a report of a data breach, it is currently examining the company’s precautions for protecting personal data “in depth, especially technically”. Relevant documents on the original violation could therefore not be released at this time. Wittmann and former employees accuse Verimi of disregarding the basics of data protection.