Why did I have to wave my hand in front of my ID card?
Why did I have to wave my hand in front of my ID card?
I recently had to authenticate myself online to use an internet-based service. The authentication process was done via video call with me holding my ID card in front of my laptop camera beside my face. I also had to wiggle the ID card so the person on the other end of the video call could see the security features that are printed on the ID card.
Then the person asked me to wave my hand in front of the ID card, so that it was shortly fully covered by my hand several times.
What is this method supposed to achieve or is this just security theater?
3 Answers
3
Given that this identification was likely performed according to German law, this request was to conform with BaFin Circular 3/2017 which demands (in their non-binding English translation):
Any substitution/manipulation of parts or elements of the identity document must be countered by suitable measures. To this end, the person to be identified must be asked, for example, to place a finger over security-relevant parts of the identity document (variable and determined at random by the system) and move one hand across their face.
Using stills from these movements that are cut out and enlarged, the employee must verify that the identity document, along with all the security features visually identifiable in white light, is completely covered at the right point and that no artefacts indicating manipulation are evident at the transition points.
So the stated reason for that is to uncover potential manipulation in the video feed you send them. There have to be enough and unpredictable tasks which you may be asked to make it harder for you to have a suitable substitution prepared.
I accepted this answer because it gives the actual reason why this is done, but schroeder's answer is certainly also correct and gives good reason.
– Tom K.
Aug 13 at 19:29
So basically a sort of man in the middle check?
– Anthony
Aug 13 at 22:16
Tom, i'm glad you didn't accept mine, since it was intended to be a comment on Schroeder's answer.
– Jim
Aug 14 at 0:38
Wouldn't this be fooled easily by green screen software?
– JonathanReez
Aug 14 at 2:13
@JonathanReez - I don't think green screen software is as good as you think it is. It might be able to post-process this kind of erratic behaviour, but to do it live would be very difficult. Especially when demonstrating the security features of the card.
– Shadow
Aug 14 at 5:01
Movement that blocks the view of the item under inspection helps to defeat someone trying to use an overlay image on the video as a replacement for the actual item.
For instance, I could take a short video of your ID (that shows the security features) and overlay that on the live video instead of my actual ID. But by waving my hand in front, then the remote viewer can see that it is not a video overlay.
A real threat? Yes. Just look at the fake videos that we have seen where someone can make it look like someone is saying something that they never did. The technology exists and is in use.
A credible threat? Questionable, but the mitigation is no cost, easy for all involved, and simple. So, the cost of mitigation is negligible.
That means that it is not "security theatre". It actually treats a risk. But I might agree that at this point in time, it might be borderline. Next year, I might have to edit this answer.
@TheLethalCoder Okay. Almost anything can be broken given sufficient resources. Security is about relative costs, and this significantly increases the minimum effort for this type of fraud.
– user369
Aug 13 at 12:35
A green screen overlay is much more complicated. The ability for the overlay to smoothly process your hand's partial covering of the object will also help the viewer determine if it is real. They can ask for the wave at various speeds to detect artifact sheering of an overlay that did not process fast enough.
– Nelson
Aug 13 at 15:56
Wouldn't a fake ID defeat this method?, it doesn't has to be the best fake ever, good enough to be used through a laptop camera
– Felipe Pereira
Aug 13 at 20:35
@FelipePereira a fake ID would not have the visual security features of a real card (holograms, etc.)
– schroeder♦
Aug 14 at 9:57
@schroeder Good IDs have security features such as embossed text, special card material, microprinting, UV ink, etc. that would be impossible to verify over a camera. Even a hologram or color changing ink would be difficult to demonstrate over a consumer grade webcam.
– user71659
Aug 15 at 15:50
Lethalcoder and others have made the point that duping the hand wave is easy to do. But that's missing the point of the request - it is an unexpected request that probably wouldn't be duped ahead of time. Tomorrow, they might ask you to show your cellphone's time, or today's paper (as if anyone reads those), or any other random item in front of the ID. This only becomes security theatre if they always ask for the same task, at about the same time in the ID process.
As to why you need to wave your hand, Schroeder explained it very well in their answer:
"Movement that blocks the view of the item under inspection helps to
defeat someone trying to use an overlay image on the video as a
replacement for the actual item. For instance, I could take a short
video of your ID (that shows the security features) and overlay that
on the live video instead of my actual ID. But by waving my hand in
front, then the remote viewer can see that it is not a video overlay."
@pipe That day, they may have asked you to wave your hand in front. Tomorrow, they might ask you to wave a pen, or your mouse in front. Another time, they might ask you to spin the id front-to-back two or three times. As Jim says, anything unexpected. It's not that you couldn't fake these requests, but that you're unlikely to have a ready-faked video to hand for whatever they ask.
– TripeHound
Aug 13 at 14:24
The unpredictability of task is confirmed by neo's answer
– schroeder♦
Aug 13 at 17:14
@TripeHound Not sure why you're trying to tell me this in a comment. I've already read the other answers, and I didn't ask the question.
– pipe
Aug 13 at 18:56
@pipe Maybe I got the wrong name (sorry if I did). I was replying to someone's comment (now deleted, from before neo's answer) who said something like "waving a hand could be faked".
– TripeHound
Aug 13 at 19:01
For true and proper randomness one would want a diceware version of the steps to take, otherwise it's probably just all a bunch of handwaving
– Wayne Werner
Aug 15 at 19:15
By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.
Seeing how you're located in Germany, an interesting follow-up question would be whether they took a picture while you authenticated, or whether they wrote down the serial number, and whether there is in principle any way any of the information could be accessed automatically (which is de facto the case when on a computer connected to a network) etc. Thinking about the massive joy of PAuswG there.
– Damon
Aug 13 at 13:49