The digitization officers, especially in the health sector, should not panic when it comes to the procedure, says Professor Norbert Pohlmann.

With the increasing degree of digitization, the identity verification of users is becoming more and more important. When opening a bank account, concluding a mobile phone contract or using other IT services, personal identity verification is a necessary requirement – usually even regulated by law. In the past, identity verification was implemented by personally presenting the ID card on site. Nowadays, the VideoIdent procedure and the eID function of the identity card give a natural person and an IT service provider the opportunity to carry out an identity verification quickly, without travelling to a location and without making an appointment, which is also becoming increasingly necessary because of distributed and new IT services.

When presenting the ID card in person, we have come to terms with the possibility of fraud – since it is well known that most people have not learned to accurately distinguish a real ID card from a fake ID card. Therefore, the results of an identity verification can never be 100% perfect or correct.

The danger lies in theft of the identity card

With the eID procedure, the known attack vectors target the security chip in the ID card, which protects the cryptographic keys stored in it. Even though the security level of the eID procedure is very high, it does not offer 100% security against all possible attacks. For example, the theft of the ID card together with the activation PIN is an attack vector that has been successfully carried out in real life. Unfortunately, the eID function of the identity card is still used very little by citizens and is also rarely offered by IT service providers – although it has some security advantages over the other identification methods.

With the planned Smart eID procedure, the keys will be integrated into a wallet app on our smartphone, which will certainly increase usability enormously. How high the security level can be here also depends on whether the security modules of the smartphone manufacturer can be used for the Smart eID.

CCC attack route not new, protective procedures not implemented

With the VideoIdent procedure, security rests on the manipulation-free transmission of the video image of an ID card via smartphone and on the training and diligence of the employees who are responsible for identity verification. These employees must be trained extensively for the check in order to recognize attack attempts as well as possible.

It was precisely at this point that a valid attack was recently demonstrated, one which has in principle been known to experts since 2017. Attacks of this type, however, have not become publicly known in the last five years. Protection methods that can counteract the attacks described have been researched in principle and now just need to be implemented quickly.

Identification procedures will never be 100 percent secure

No identity verification process is 100 percent secure, not even the on-site verification of the ID card. From my point of view, it is particularly important in the future that we know the remaining risks of identification processes or IT security systems in general and learn to deal with them appropriately and confidently. We must detect attacks aimed at identity verification as quickly and as well as possible in order to prevent further potential damage – for example by deleting the false identities that have arisen in this way. Here, for example, further and reliable detection mechanisms for false identities must be researched, developed and implemented.

It is also important that we cover the damage that can still occur with insurance, so that not only a few users and IT service providers have to bear the damage caused by the remaining residual risks. This procedure works very successfully in road traffic. Although we still have a lot of accidents, that doesn’t stop most people from driving. In addition, the automotive industry is also doing a great deal to prevent or reduce damage, for example through ever more intelligent protective measures in and on the car. We have learned how to deal with the remaining risks of mobility.

For this reason, the people responsible for digitization in the various areas and industries, including healthcare, for example, should not panic unnecessarily. Together with those responsible for the procedures, they should do everything to ensure that the identification procedures improve after each new successful attack and that the remaining residual risks stay as small as possible.

What is the next step?

Since we will not have perfect systems, it is our common task to get the remaining residual risks under control so that we are able – for example through modern IT services in the healthcare sector – to significantly improve our health and well-being.

We should all jointly put significantly more energy into dealing with the remaining residual risks in order to be able to shape our digital future in a sovereign and trustworthy manner.