Things are not going well for identity service provider Verimi at the moment. The Berlin company, which began as a login service, faces allegations that it deceived the Federal Financial Supervisory Authority (BaFin) when it introduced its payment product “Verimi Pay”, and is now also being criticized for a data breach that was not acknowledged in a timely manner and for an insecure digital identification process.
Looking for a business idea
Verimi is backed by companies such as Allianz Insurance Group, Axel Springer, Bundesdruckerei, Daimler, Deutsche Bank, Deutsche Telekom and Lufthansa and has been looking for a viable business idea since 2017. Originally, the start-up wanted to compete with US giants like Google and Facebook with a universal login service (“single sign-on”), but this never really took off.
Since 2019, the company has focused on electronic identification (eID), i.e. a more comprehensive online ID. For example, it designed the “Germany ID” (DID) as part of the “Schaufenster Sichere Digitale Identitäten” (Showcase Secure Digital Identities), a state-sponsored innovation competition, in collaboration with the Fraunhofer Institute for Applied and Integrated Security (AISEC).
However, the requirements for identifying people with ID cards in Germany and passing the collected identification data on to third parties are very high. Providers must meet due diligence requirements such as the identification obligations of anti-money-laundering law. Verimi therefore applied to BaFin for a license as a so-called payment institution, which would allow it to provide services similar to PayPal.
In April 2019, the ID service provider received the license from the Financial Supervisory Authority. Since then, however, it has also had to prove that it meets the requirements, for example by reporting the number of transactions made each month to BaFin. So the company developed the “Verimi Pay” payment solution, which online shops can integrate so that users can pay by electronic direct debit.
However, the market for payment providers is already largely saturated. According to internal documents that IT security researcher Lilith Wittmann published in a blog post on Thursday, Verimi struggled to find partners who would adopt the new payment service. When it came to the proof of activity required by BaFin, the company also appears to have cut corners, to put it mildly.
In late July 2019, according to an excerpt from a copy of an internal weekly newsletter, Verimi’s board explained to all employees that Verimi Pay was to be integrated into at least a handful of companies by mid-September. In November, the same channel was used to announce that at least three partners had now been found, as another part of the document shows: a “build shop” run by Axel Springer, powered by Photodrunk PicsArt; the “Photo-druk.d” site run by a GmbH; and the “Kwadrat.art” store specializing in “art prints”.
Employees were to generate about 2000 transactions
The latter domain currently redirects to the website of a management consultancy run by Holger Junghans. Until September 2019 he was a partner in the consulting firm PwC and, together with his team, advised Verimi among other clients. Beyond this, another email reveals that on November 13, 2019, Verimi boss Roland Adrian asked all 80 employees of the company to make at least five payments each in online shops with Verimi Pay in order to reach 2000 transactions, which he said were needed as proof for BaFin.
According to another snippet, the board was able to report in late November that everything had been settled: the “emergency worker” responsible for complying with the requirements of the Payment Services Supervision Act could now be dissolved, it says. Meanwhile, Verimi Pay is integrated only on Photo-Druke.de. It is questionable whether the transactions needed to retain the payment license will continue to come in through such niche offerings.
“We take Lilith Wittmann’s criticism very seriously, are investigating it and are continually working to make the Verimi system even more secure for our users,” the company tweeted in late July, adding: “We are always open to an open conversation.” The company did not wish to comment on the documents published since then, citing “legal reasons”. BaFin referred to its “legal duty of confidentiality”; Junghans likewise cited reasons of confidentiality.
It should also be a matter for the supervisory authorities that Verimi relies on a “photo-identification” process for its own ID Wallet to identify and verify users. The idea is that a driving license can easily be stored in a digital wallet on a smartphone, from where the relevant data can then be submitted or passed on to partner companies.
Photo-identity open to fraud attempts
BaFin considers photo-identification “not a secure method of identity determination”. The customer only needs to send a picture of himself and of his ID card to service providers like Verimi through an app. The important security features of the ID card cannot be checked at all this way. For example, testers have previously succeeded in opening accounts with the N26 banking app using ID card photos that were recognizably fake.
IT security researcher Martin Tschirsich has now also shown on Twitter, using Verimi’s ID Wallet, how easy it is to spoof Veriff’s photo recognition process. “I photograph the front and back of my driver’s license, digitally rename and print out larger-than-life images at photo kiosks,” the expert writes. He then took pictures of the prints and selfies of himself with the app. An “AI-assisted process” confirmed the images’ authenticity in a matter of seconds: “Total duration of the ‘attack’: 30 minutes.”
According to the Verimi ID Wallet, he is now “the proud owner of several digital driver’s licenses and Swiss citizenship,” explains Tschirsich. Because of its known security deficiencies, photo-identification may only be used in Germany in areas that are “not subject to any special regulation”. It is not clear why “Verimi considered the process appropriate for a second attempt at a digital driver’s license”. Previously, the ID Wallet programme promoted by the Federal Chancellery with similar identification goals had failed due to a security gap identified earlier.
Verimi is also in trouble with the Berlin Data Protection Authority: after receiving reports of a data breach, the authority is currently investigating the company’s precautions for protecting personal information “in depth, particularly on the technical side”. For this reason, the relevant documents on the original violation could not be released at this time. Wittmann and former employees accuse Verimi of disregarding the fundamentals of data security.