236

I recently had to authenticate myself online to use an internet-based service. The authentication process was done via video call with me holding my ID card in front of my laptop camera beside my face. I also had to wiggle the ID card so the person on the other end of the video call could see the security features that are printed on the ID card.

Then the person asked me to wave my hand in front of the ID card, so that it was shortly fully covered by my hand several times.

What is this method supposed to achieve or is this just security theater?

Tom K.
  • 7,913
  • 3
  • 30
  • 53
  • 40
    Seeing how you're located in Germany, an interesting follow-up question would be whether they took a picture while you authenticated, or whether they wrote down the serial number, and whether there is in principle any way any of the information could be accessed automatically (which is de facto the case when on a computer connected to a network) etc. Thinking about the massive joy of PAuswG there. – Damon Aug 13 '18 at 13:49
  • 2
    "these are not the droids you are looking for" is all I could thinking about after reading the title – Eonasdan Aug 20 '18 at 19:00

3 Answers3

321

Movement that blocks the view of the item under inspection helps to defeat someone trying to use an overlay image on the video as a replacement for the actual item.

For instance, I could take a short video of your ID (that shows the security features) and overlay that on the live video instead of my actual ID. But by waving my hand in front, then the remote viewer can see that it is not a video overlay.

A real threat? Yes. Just look at the fake videos that we have seen where someone can make it look like someone is saying something that they never did. The technology exists and is in use.

A credible threat? Questionable, but the mitigation is no cost, easy for all involved, and simple. So, the cost of mitigation is negligible.

That means that it is not "security theatre". It actually treats a risk. But I might agree that at this point in time, it might be borderline. Next year, I might have to edit this answer.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 3
    @schroeder There's nothing stopping someone just having an overlay of a hand waving across the screen. I think that's the point anyway. – TheLethalCryptographer Aug 13 '18 at 12:11
  • @TheLethalCoder I was assuming we were talking about someone using a card sized device to play back the captured video. Because if we're simply talking about a purely virtual solution, your proposal of simply overlaying the other video is even simpler. Just seems like anybody already at this point one way or another is not going to be deterred by the minimal work to workaround this. – Voo Aug 13 '18 at 12:13
  • 2
    @TheLethalCoder not if the live video, as the post describes, includes the person's face in the live video stream. Lining up a hand/arm in such a scenario would be very difficult (and more easily detectable) – schroeder Aug 13 '18 at 12:15
  • @schroeder Sure but depends on the exact image/"zoom level". Point being it can still be faked and if determined enough it will be – TheLethalCryptographer Aug 13 '18 at 12:16
  • 81
    @TheLethalCoder Okay. Almost anything can be broken given sufficient resources. Security is about relative costs, and this significantly increases the minimum effort for this type of fraud. – Jeremy Aug 13 '18 at 12:35
  • 4
    Surely hand-waving would not defeat a green-screen overlay... as the hand is still hiding the green-screen, where said overlay would be. – djsmiley2kStaysInside Aug 13 '18 at 15:52
  • 16
    A green screen overlay is much more complicated. The ability for the overlay to smoothly process your hand's partial covering of the object will also help the viewer determine if it is real. They can ask for the wave at various speeds to detect artifact sheering of an overlay that did not process fast enough. – Nelson Aug 13 '18 at 15:56
  • 14
    Wouldn't a fake ID defeat this method?, it doesn't has to be the best fake ever, good enough to be used through a laptop camera – Felipe Pereira Aug 13 '18 at 20:35
  • an example of the voice auditing capabilities: https://youtu.be/I3l4XLZ59iw – WoJ Aug 14 '18 at 09:53
  • 11
    @FelipePereira a fake ID would not have the visual security features of a real card (holograms, etc.) – schroeder Aug 14 '18 at 09:57
  • @schroeder making fake IDs is an older _art_ than remote verification through video, I'm sure they can think of something, like alter the data on a real ID, mimic _good enough_ features, etc. If the ID is in the bad guys hands it should be considered compromised. – Felipe Pereira Aug 14 '18 at 12:42
  • 11
    @schroeder Good IDs have security features such as embossed text, special card material, microprinting, UV ink, etc. that would be impossible to verify over a camera. Even a hologram or color changing ink would be difficult to demonstrate over a consumer grade webcam. – user71659 Aug 15 '18 at 15:50
276

Given that this identification was likely performed according to German law, this request was to conform with BaFin Circular 3/2017 which demands (in their non-binding English translation):

Any substitution/manipulation of parts or elements of the identity document must be countered by suitable measures. To this end, the person to be identified must be asked, for example, to place a finger over security-relevant parts of the identity document (variable and determined at random by the system) and move one hand across their face. Using stills from these movements that are cut out and enlarged, the employee must verify that the identity document, along with all the security features visually identifiable in white light, is completely covered at the right point and that no artefacts indicating manipulation are evident at the transition points.

So the stated reason for that is to uncover potential manipulation in the video feed you send them. There have to be enough and unpredictable tasks which you may be asked to make it harder for you to have a suitable substitution prepared.

neo
  • 1,906
  • 1
  • 6
  • 4
  • 46
    I accepted this answer because it gives the *actual* reason why this is done, but schroeder's answer is certainly also correct and gives good reason. – Tom K. Aug 13 '18 at 19:29
  • 2
    So basically a sort of man in the middle check? – Anthony Aug 13 '18 at 22:16
  • Tom, i'm glad you didn't accept mine, since it was intended to be a comment on Schroeder's answer. – Jim Aug 14 '18 at 00:38
  • 1
    Wouldn't this be fooled easily by green screen software? – JonathanReez Aug 14 '18 at 02:13
  • 4
    @JonathanReez - I don't think green screen software is as good as you think it is. It might be able to post-process this kind of erratic behaviour, but to do it live would be very difficult. Especially when demonstrating the security features of the card. – Shadow Aug 14 '18 at 05:01
  • @Shadow Well the hand movement part is fairly trivial (I guess they're looking out for fringing here). But if you have a CGI card that can stand up to the scrutiny of all the security features (holograms etc) then yeah that's beaten the system and made a lot of money :D – Lightness Races in Orbit Aug 14 '18 at 12:13
  • 1
    So, the purpose is to prevent (defeat) anyone (including the person being verified), from recording the verification process, then in some manual/automated way, present that recording (or rearranged bits of it) for future verifications. – Kevin Fegan Aug 16 '18 at 14:15
  • 2
    @JonathanReez In theory, maybe. In practice, you need some pretty advanced software to keep tracking an object even when it's been completely hidden, and pick it up on the 'other side'. There are a lot of problems involved in that, and that's not even considering the standard green screen issues (the chroma color being reflected onto other surfaces and those being cropped out, for example) – Nic Aug 16 '18 at 17:16
  • Don't you mean "given that this identification was likely performed _in violation_ of German law"? You cite BaFin, which is the regulatory body for banks and such, which are, to my knowledge, the _only_ businesses allowed - and required by anti money laundering laws - to create copies of German IDs. Aren't all other uses of this - at least strictly speaking - illegal? – I'm with Monica Aug 21 '18 at 06:38
  • 1
    @AlexanderKosubek The description in the question sounded exactly like the process prescribed in the circular so I assumed it was done by one of the verification providers using that. Banks are not the only businesses that are required to use such a services (it is also done for e.g. age verification, mobile phone providers, insurance). This was always legal, but since 15.07.2017 creating a copy of IDs is almost always allowed. – neo Aug 21 '18 at 09:17
  • @neo Thanks for pointing out the change. I wasn't aware of it. Really sad, in my opinion. But that's definitively off topic. – I'm with Monica Aug 21 '18 at 09:24
69

Lethalcoder and others have made the point that duping the hand wave is easy to do. But that's missing the point of the request - it is an unexpected request that probably wouldn't be duped ahead of time. Tomorrow, they might ask you to show your cellphone's time, or today's paper (as if anyone reads those), or any other random item in front of the ID. This only becomes security theatre if they always ask for the same task, at about the same time in the ID process.

As to why you need to wave your hand, Schroeder explained it very well in their answer:

"Movement that blocks the view of the item under inspection helps to defeat someone trying to use an overlay image on the video as a replacement for the actual item. For instance, I could take a short video of your ID (that shows the security features) and overlay that on the live video instead of my actual ID. But by waving my hand in front, then the remote viewer can see that it is not a video overlay."

schroeder
  • 123,438
  • 55
  • 284
  • 319
Jim
  • 671
  • 4
  • 5
  • 30
    @pipe That day, they may have asked you to wave your hand in front. Tomorrow, they might ask you to wave a pen, or your mouse in front. Another time, they might ask you to spin the id front-to-back two or three times. As Jim says, anything _unexpected_. It's not that you couldn't fake these requests, but that you're unlikely to have a ready-faked video to hand for whatever they ask. – TripeHound Aug 13 '18 at 14:24
  • 3
    The unpredictability of task is confirmed by neo's answer – schroeder Aug 13 '18 at 17:14
  • 1
    @TripeHound Not sure why you're trying to tell me this in a comment. I've already read the other answers, and I didn't ask the question. – pipe Aug 13 '18 at 18:56
  • @pipe Maybe I got the wrong name (sorry if I did). I was replying to _someone's_ comment (now deleted, from before neo's answer) who said something like "waving a hand could be faked". – TripeHound Aug 13 '18 at 19:01
  • 1
    For true and proper randomness one would want a diceware version of the steps to take, otherwise it's probably just all a bunch of handwaving – Wayne Werner Aug 15 '18 at 19:15
  • And then the person might refuse to perform any more stunts! – curiousguy Aug 15 '18 at 22:21
  • 1
    @TripeHound you can still defeat that if your AR platform supports occlusions (reconstruct depth and masks the occluded parts of the image). This will be widespread in a few years. – Joan Charmant Aug 18 '18 at 22:52
  • 2
    @Joan And were such things to become widespread "in a few years", they'd probably change their security procedures. – TripeHound Aug 18 '18 at 23:34