Branddocs VideoID prevents attacks like the latest ones attributed to the CCC – Chaos Computer Club


A report by Europe’s largest hacker association, the CCC – Chaos Computer Club, claiming to have bypassed several video identification systems, leads to a ban on the use of recognition technology in Germany in the healthcare sector. Branddocs, in its commitment to security and respect for privacy, develops technology that prevents its customers from suffering the consequences of similar attacks.

Overcoming the barriers of the German healthcare video assistance provider and completing the registration of an ePA, or electronic patient card: this is what the Chaos Computer Club claimed to have achieved in a report published last August and signed by one of its leading members, information security expert Martin Tschirsich. This organization, also known simply as CCC, originated in Germany in the early 1980s and is now the largest ethical hacker association in Europe. Its activities focus, according to its own website, on outreach and on the organization of events and congresses that promote freedom of information.

Tschirsich claimed in his report that it was very easy and cheap to bypass the Video Id service in order to register for the health card, using a combination of different video sources. Thanks to their operation, the CCC was able to access confidential medical information, including prescriptions, disability certificates, diagnoses, etc. The attack, assuming it occurred as described by the CCC, implied not only a technological failure but also a necessary human error, as the agent responsible for the verification did not analyze the document thoroughly enough.

The CCC stated that from this first operation it managed to carry out variants of the attack and bypass the controls of up to 6 different Video Id providers, in both assisted and unassisted modes, with simple tricks such as combining different parts of multiple ID documents shown in front of the camera (e.g. the layer where the personal information is with the layer where the photo is), which form a “new” document. The report detailed the different techniques used and referred to data breaches that were detected during the procedures, generated by human errors, which allowed access to credit contracts and other documents with confidential information: addresses, dates of birth, bank contracts, etc. The dossier asserted that in no case did such attacks come to the attention of those responsible for the service provider and that, on the publication date of the report, the open accesses had not been blocked.

In response to the release of the CCC report, the federal government stated that it is “not aware of a specific security incident at this time”, although Gematik, the national agency for the digitization of healthcare systems, in an official statement published one day after the release of Tschirsich’s report, banned the use of Video Id technology for telematic records with immediate effect and “until further notice”. Gematik opens the door to the reactivation of these services when providers demonstrate that their procedures “are no longer susceptible to the weaknesses shown”. Meanwhile, the Federal Financial Supervisory Authority (BaFin), which oversees some 2,700 banks, 800 investment services companies and some 700 insurance companies, is looking into the case and has so far taken no special measures.

Branddocs, in its unwavering commitment to the security of its customers, is working intensively and constantly to refine its security protocols. The Branddocs VideoID platform prevents attacks of this type from occurring. In the case of those described in the CCC report, it is inferred that the affected vendors were not implementing adequate levels of security. Aware that video identification processes can present certain weaknesses that allow incorrect verification or spoofing, the Branddocs solution is built on a powerful set of measures that progressively strengthen the security of the system. In both assisted and unassisted modalities, these security measures create new layers of protection that increase the reliability of the platform. This process is known as the Reliability Stack. These overlapping measures start with a minimum video stream quality, AI analysis of a valid identity document, human analysis of the documentation provided and biometric checks, continue through real-time proof-of-life tests, and end with one-time passwords, verification of phone line ownership and multi-factor authentication based on digital certificates and verifiable credentials.

Branddocs VideoID has also developed mechanisms to prevent deepfakes and Generative Adversarial Networks (GANs), a technique to create synthetic images that can appear real to the human eye. These mechanisms primarily consist of recording the audio and video during the entire verification process without the possibility of manipulation, a backoffice service managed by specialized agents and the use of various AI and document fraud solutions.

Branddocs VideoID is a secure and reliable platform, which is constantly evolving, that prevents attacks such as the latest ones that the CCC has claimed to have committed from taking place. In any case, aware of the concerns that information of this kind can generate, the company is working closely with cybersecurity experts to produce an extensive audit report, which will be available in the coming weeks and can serve as a guide to increase security measures in video identification processes for all its customers.