German media received a video from an anonymous “white hat” hacker that points to possible security problems for citizens using a state application for online identification, similar to the Ukrainian “Diia”. Using this application, the hacker remotely opened a German bank account on behalf of another person, with access to that person’s private data, including retirement savings.
The incident raises questions about the security of the eID system, which is used by 56 million German citizens and has become a key element in the digitization of the country’s administrative services.
Despite the growing use of eID, the security “holes” that were discovered can create serious risks for users.
The cybersecurity expert who demonstrated the vulnerability developed a program that intercepts the 6-digit passcode, using the open source code of the official ID app. The hacker warned that stealing access first requires gaining control over the smartphone through spyware or compromised applications. He contacted the authorities responsible for operating the application and was told that his findings were recognized as “technically correct”.
The response of the BSI (Germany’s Federal Office for Information Security) to a journalist’s inquiry indicates that it sees no need to change its risk assessment, as the threat comes not from the eID system but from the possibility of the smartphone being hacked. However, another cybersecurity expert interviewed by journalists believes that the protection system should prevent third-party applications that imitate the official one from being opened.
This case highlights the need for further strengthening of security measures in the use of digital identification systems.