Skip to main content

tv   Doc Film  Deutsche Welle  June 11, 2019 3:15am-4:01am CEST

3:15 am
that evil feeling that you feel when you think. your past is. stopped you know on his mobile and come. and religious clash that brings many polls tonight. are there to really solve your reconcilable carved. into. 17 w. . biometric features like the iris or fingerprints are unique and can't be changed. that's why there used to provide secure protection for passports mobile phones and bank accounts. but these features are easily accessible
3:16 am
fingerprints every time we touch something so our biometric feature is really secure after all they're often used to protect some of our most sensitive data. companies and government agencies do a proper job of protecting biometric data from cyber attacks or are the criminals one step ahead. what happens when that data falls into the wrong hands. a growing number of people are using biometric data to access digital devices like mobile phone use. the data are easy to use and you can't forget that as you might a password. but most people don't realize that when they access their devices they
3:17 am
leave a data trail. and so do you unlike your phone which in fact my finger fingerprint is the phase a fingerprint it's safer and i think it's safer i use the phone they figure a pretty good friend felony but why they figure enough the pin number you know much . easier and faster yes it's all use touch id. we're at munich airport to meet i.t. security specialist going up. governments and private sector companies often make use of his expertise for example if their systems have been hacked. do we place too much trust in the security of biometric data. given this data is not secure and it's vulnerable to attack.
3:18 am
we usually have no idea where and how our biometric data are stored sometimes this information is encrypted sometimes not. only did it can also be stored on the device that we're using or in an app or in a cloud. it's certainly convenient to just use a fingerprint to unlock a digital device part of the system works well to do until the data falls into the wrong hands this is new technology and we don't have a lot of experience using it as if something goes wrong it's often too late to fix it and this is showing some speeds. this is how the buy a much. fingerprint authentication process usually works the image is evaluated converted into digital form and then stored in a database. and when you try to access the device with the fingerprint it's
3:19 am
compared with the image in the database if it matches your in. if it doesn't access is denied but how secure are these systems. to find out more we've arranged to meet a berlin hacker who calls himself star bug. last year he showed us how easy it is to forge a fingerprint. we meet up at the chaos computer club a german hacker association where starbuck wants to demonstrate a biometric fingerprint. it involves us swapping fingerprints. a starbucks fingerprint on the phone screen is scanned in. editors on the computer
3:20 am
and then printed out on transparent film. the printer is then smeared with regular glue to create a mold. is it really that easy to outsmart a high tech scanner. 2 hours later when the glue is dry with the lid off. after breathing on it briefly we attach a starbucks fingerprint to our reporters finger. lo and behold the scanner says user identified and starbuck is in or rather we are . using a simple glue mold to trick the scanner. fing up to we were working with the only detection device that was certified in germany for that purpose and the company claimed that the device could distinguish between
3:21 am
a fingerprint mockup on the real thing. and so we used a fake fingerprint and the device couldn't tell the difference. in it and then for us that's definitely cause for concern today we want to find out whether there are similar problems with security systems that are based on the iris of the human eye. we take a photograph of starbucks iris. he loads the digital image onto his computer and adjust it to the correct proportions . to. get to. the next step is to print the resized image. and then. will switch the
3:22 am
security setting on his phone to iris detection. it's clear this should allow me to unlock the phone with an image of my iris. my access codes. and is it secure the suits the manufacturer says it is but we'll soon see that it's known as the stimulus inches. we bought some generic contact lenses at a drugstore will help to make the iris image more realistic. ringback told them so take the image and hold it up and give us a turn it on. you know we're in. the unbelievable. security system is outsmarted by
3:23 am
a simple piece of paper. cyber attacks on individuals are bad enough but it's even worse when criminals hack into databases where extensive numbers of such images are stored. today might involve just one person criminals can just select a victim of data and in those databases there are files and even hundreds of thousands of high quality fingerprint images. you don't have to waste time fixing them up. because. biometric data is widely available on a part of the internet that can only be accessed by means of special software. it's a virtual meeting place for criminals to.
3:24 am
hide their identity behind pseudonyms systems. millions of personal data records are offered for sale on the web. we've managed to track down some sites used by the identity theft mafia. covered was all kinds of data stolen from people all over the world. including names addresses credit card information and bank account details. we did a search using for search term biometric and found people were offering guides for forging fingerprints. and. fingerprints used to fool security systems we have no idea who this fingerprint actually belongs to.
3:25 am
we also saw numerous offers for illegal travel documents either complete forgeries or stolen ideas that had been tampered with. sports for most countries were on offer including germany. biometric passports are also available like this one from the us. we contacted one of the sellers. i need an e.u. passport with biometric features can you get me one. how much can you deliver. we wait for their reply. even the theft of conventional data can become a huge problem for those targeted. data
3:26 am
were stolen via social media. a company then sent her an invoice for 1000 euros for electronic goods. she initially ignored the demand for payment. but just a few days later she received a further demand this time from a debt collecting agency. not again. you know how you made me sick i'm calling about a letter telling me that i had ordered something except i didn't. start home the hopeful but yes i misses her but that's not me in a nobody's been nice to. the 1000 it became several 1000 euros in total one invoice for $300.00 euros another for $700.00 and then a 1000. in the mail kept on piling up 3 or 4 letters
3:27 am
a week anything. over in sky some eventually the bill was over 13000 euros then i thought you have to take action also on timing and discuss how i'd like to file a complaint. as i did. despite being the victim the onus was on her to convince the police that somebody had been shopping using her name for them to be rethought we need to know is that you didn't actually order anything and that you can't explain this no i ordered nothing. i'm sorry if i'm repeating myself but we do have to ask you have no explanation for these orders. so we're not equals no i asked my friends and my sister teresa true. although the criminals merely grabbed her name and date of birth from facebook the resulting trouble for claudia her coat was enormous hers was a case of straightforward conventional identity theft. but the repercussions
3:28 am
brought her to the edge of a nervous breakdown. going to her is sadly not surprised we asked him to comment on our research. he is convinced that the growing use of biometric data in digital systems will change the nature of identity theft with dramatic consequences for victims. once you. data have been misappropriated you will not be able to use them again. users with a stolen conventional password comprising letters and numbers can change at any time what they can never alter is their fingerprint. there's a good deal of evidence indicating that hackers are specifically targeting biometric data. our research indicates that millions of people have been affected.
3:29 am
in 2015 the u.s. office of personnel management issued the following statement it reads in part. all records indicate legal fingerprints were likely compromised during a cyber intrusion 5600000 people were affected. in the philippines in 2016 hackers broke into an official voter database where fingerprints were stored. 50000000 people were affected. in india last year there was a security breach in the government's metric identification system known as. point 2000000000 people were affected.
3:30 am
india is the world leader in the use of biometric authentication all citizens are required to submit data for a high tech government passport. people already use that document to register for pensions and benefits if they can't provide a jennifer cation with an iris image or a fingerprint they can't access the system or their benefits. last year the government effectively issued a cyber crime alert. do you know mission and cyber crimes and cyber the question of cyber security when you see these issues and i think you need a glance economy like american. indians biometric
3:31 am
databases have been repeatedly hacked into. one of our sources tells us where to look on the internet to find the still limited. we find both conventional and biometric information including digital fingerprints. and we also learned that criminals have used this data on the black market to buy state subsidized food. we travel to the city of about 300 kilometers north of mumbai where they have took place. on something we find several people whose data were stolen. one of them agrees to talk to us on camera. danish gojira is a furniture dealer he's 40 years old. he's going to show us his government receipt
3:32 am
book. it indicates whether someone has received food benefits but there are no entries in the book. egeria is doing ok financially so he doesn't need government help. but the official online monitoring system shows that gojira has purchased food. whoever did it used to go to your is biometric data his hard number. i think you're. going to be this confirms somebody has stolen my fingerprints. the government these days has been emphasizing fingerprints they've made it mandatory to link bank accounts with our hard numbers at the moment there is pressure on the police but i'm afraid it is so to see. prince are now available on the digital black market. if someone uses them to commit a crime could become
3:33 am
a suspect. people in the west have largely not paid enough attention to this problem. in india hackers have managed to penetrate the world's largest biometric database which contains information on more than a 1000000000 people. investigative journalist rock not discovered the leak in the database she wrote a newspaper article on the story in january 28th. and described how she contacted some criminals online. filthy sold her a software program that provided access to the government's biometric identification system with access to the data of 1200000000 people it was illegal for her to buy the program and she faced the possibility of criminal charges but she did it anyway i know all bush easing us off. but i have to do it
3:34 am
because. before me many reporters they try to highlight this issue they want to the flag this issue but they couldn't do it because they were not having any concrete evidence to prove he came. so i had 2 options to go for the call for this illegal way to follow this illegal we want to keep on flogging or to keep one highlight in the shows which no one was going to be from since it was a matter of national security as well as the privacy of every indian i took. to that decision and i finally went ahead with the software chasing the software. bought. the government continues to deny that someone broke into the system. shows us the original email that she received from the hackers. this message i received from my previous anonymous sources are those who are offering to these software i. believe in the days before they charge the equivalent of about 5 euros for access
3:35 am
to the system at the time just about anyone could buy the software program. and say . when sensitive data is hacked whether through carelessness security gaps or theft the consequences for those affected can be devastating. despite numerous serious incidents last year the indian authorities issued another call for citizens to submit biometric data. this letter to an individual was titled enrollment of residents whose biometrics matched that of other residents the recipient was told. if your biometrics are not updated within 15 days you're out our number will be deactivated. the authority in question refused to comment when we asked tell fingerprints and irises can be assigned to a number of individuals. for this
3:36 am
amounts to irresponsible behavior. when the state collects data on. citizens they in turn expect the state to take care of those data evidently that's not the case here but to be fair it's sometimes not possible. so you have to ask whether it's worth conducting a universal collection of citizens data given the risk that it could trigger total chaos this is an absolute coasters and. the police have to remain anonymous when investigating criminal behavior on the dark with just as the criminals do. to the police therefore use fake identities to make contact a transaction. they
3:37 am
need that online deal to be sealed in order to prosecute criminals in the real world. we want to show our findings from the dark web to an expert from the cyber crime task force of the getting in city police in germany. in the meantime we get a response from the person offering fake passports they tell us to send them the relevant data and even the desired place and date of issue and fingerprints. the post comes with a price list we pretend to be interested in a spanish passport valid through 2028. the
3:38 am
post offers worldwide delivery. police investigators fan violence specializes in dark net marketplaces and is familiar with how the criminals work. we showed him the results of our research. it's a commercial site not unlike e-bay or amazon buyers want to have a logo for recognition purposes and there are ratings to. these sites sell identities and buyers determine what data they want to have included a quote for you that might be made up names or those of real people you know i'm going to come up through it all via x. within a part of the ongoing. including photos and fingerprints which criminals used to create a new fake identity while also providing replica fingerprints. on
3:39 am
the go all the criminal needs is a suitable means of reproduction of this biometric feature. we've often seen fingerprints by the good will but more recently 3 d. printed faces in order to deceive apple face id. it's a growing trend them to those whom. so far the german black market usually deals only with conventional data you can buy lists of names addresses and financial information for $6.00 to $10.00 euro those. no one seems to be offering biometric data not yet and it seems to be merely a question of time until they do. experiences shown that all databases are hackable and have been hacked are good. we finally get a response from the person who offered to sell us a fake passport. he wants various kinds of data a fingerprint scan
3:40 am
a copy of our reporter's signature and an id photo. he shows us a sample of how the fingerprint scans need to look. we agree to this deal for journalistic purposes only. this person does not operate on the dark web which is unusual we used a computer program to generate the fingerprints and the id photos so no such person actually exists. we send off the data and add aquarian about the passport. will this data be in the chip. they say they can forge passports that have biometric features but is that really possible. today's id documents are supposed to enhance security for travelers and speed up
3:41 am
check in procedures as here at munich airport. oh metric data is integrated into an invisible radio frequency identification chip in the passport. the chip transmits facial data stored in the passport to a monitoring facility. there the data is compared with the digital material that's stored here on the screen at the time of the check. if they match the passenger is allowed through the security gate. the passports from different e.u. countries may look practically identical but we're told the technology involved is often different. you just long to get through these each country issues kids are these are if i d chips was the so if i have a german passport and i need a key from germany it's be do it if i have a french passport it came from france under the influence is involved some of the
3:42 am
buttons on the phone trying to. foment or passports are supposed to be forgery proof but the european border agency frontex told us in an official response. there have been some cases in the e.u. and showing an area of forged passports that had. manipulated chip. another disturbing development is that hackers are now able to access facial data included in european passports the from. here we use a simple mobile phone app to activate the chip in a german passport. and non encrypted data in some non european passports can sometimes also be accessed. the passport forger finally gets back to us. he says please send the money to the bitcoin address below so he can get started. this is where we
3:43 am
break off contact and then hand over our research to the german authorities we have no idea whether we would actually have received the forged biometric passport that the seller promised. when stolen data appears on the dark web hackers have usually acquired it by exploiting a vulnerability in a software program it takes about a week for these security loopholes to be discovered and close. by and it's usually too late to help those whose data have been compromised the data flow in many i.t. systems is not properly monitored. and security specialists say there are between 4 and 8000000 attacks every day. germany is 4th on the list of countries that have been hit hardest.
3:44 am
ve use new data protection regulations call on private sector companies to do more to protect sensitive information. but germany remains vulnerable to cyber attacks. the regulations don't seem to have helped much when it comes to improving the security systems the. professor would ahem breast is the executive director of the e use agency for network and information security. expertise is widely respected in the i.t. sector and he's increasingly concerned about the spread of identity theft. right now he's on his way to an i.t. security conference in potsdam. we asked him why experts can't get a grip on this ominous problem. isn't just having
3:45 am
a lot of companies are bringing i.t. products on to the market but no one seems to know whether they actually provide proper security i think is that possible today this is sort of like unfortunately yes when i buy a product i don't know what sort of security features it might have. that's the case was typical fingerprint readers or facial recognition software and smartphones . but it's not there's no guarantee that it will do what the manufacturer claims but it all i can do is hope that it does for those ought to come off hopefully. the head of the e.u. agency for network and information security can only hope that a product is safe. i.t. security will be a key topic at the cotton conference. a lot of participants say that the new regulations don't go far enough to protect private data which govern the death of regulations alone solve data security problems the private sector and security
3:46 am
authorities should adopt practical solutions but that's becoming more difficult to do because. as you have to look to see if you have escaped liability for i.t. products would be a big help when there's major pressure on developers to be the 1st to get products on the market that all. often leads to products that have not been verified being made available to merges pretty soon that they're vulnerable to all manner of attacks that gibson. and i that enables hackers and the cyber criminals to access the data on that service without authorization. of the dothan the action here would help to to cry from. the head of. e.u. regulations impose heavy fines for companies that don't protect identity related data. but what if the data protection software has security loopholes
3:47 am
that make it vulnerable to hackers. who. says that the manufacturers are not liable for this problem. and. there has to be a point where somebody in the chain sells a non-secure product that does not meet data protection stipulations with it off and they have to be made liable somehow. do you see a chance of comprehensive i-t. liability after. a moment is that right now it's not politically expedient to keep monitoring the situation. professor is on his way to the e.u. net security office in athens where there's plenty on the agenda. the e.u. is working on a new on line guidelines. we've come to the university of least in stein to visit. he's the co-director of the cyber security research
3:48 am
center here. he says german authorities need to do more to protect personal data despite the new e.u. regulations. and you agency has been set up to implement those regulations but ferrata believes that the legislation doesn't go far enough. to make his point that many i.t. systems are open to attack he's written some software code for us. this fingerprint scanner is similar to the ones that are used by german authorities . parata software captures a print. just open the capture area the fingerprint scan indicator starts flashing for you we put the print on it for you and it scanned into the system the view and so forth. the image of the printer is transferred to
3:49 am
a separate computer for processing. but there's a big security risk here because the transfer is not encrypted. florida has written a software program that exploits this flaw in the security system. it's a t.v. version i like to make the trojan with a keystroke and when i press a capture the program replaces the real data with some random material that we choose. will use an image of a skull and crossbones for this test. i told. them this software can also create fake fingerprints that look absolutely real money produce for. a hacker who has access to the image data including fingerprints can choose to copy them or alter them stories own purposes.
3:50 am
it is that's how fake fingerprints can end up in id documents that could be used by criminals who could new york to indian systems would a government office be able to spot and intercept this sort of malicious software. is doing to deal we've seen cyber attacks on the going to stalk of nuclear power plants and energy companies. are going any computer is vulnerable to attack. and of course that includes computers and population records offices in computer infancy and come to. in germany millions of citizens have submitted their fingerprints in recent years using scanners that don't offer proper security protection. see bit in hanover is the world's biggest computer trade fair. among the vendors is the company behind the think a print scanner. but. what do they know about
3:51 am
this serious security loophole and are they. willing to comment. the company in question is derma log a subsidiary of germany's federal printing office and as such a government agency. to. provide biometric authentication for governments who want to ensure that when they issue a passport driver's license or similar document diversion that individual is unable to engage in identity fraud between money and. their standing kluges a presentation of a similar scanner we put it to the test this thing martha stewart is that photo then encrypted in the device just know it's sent to a p.c. where it's in code it see fit to be called it a hot time to spoof as if so photo i'm going to transfer and then coding as a kind of but no corruption on the device no with this it's going to so in future
3:52 am
you know the images will be encrypted before they leave the device does not owe it to demand being made increasingly by banks it's somebody right now we can do encryption starting with the p.c. can be up to it's up to that say for the so this device right here is also used it does just get the state of health but i'm going to manage it by the citizens registration agency. so i can show you again a path that could. process that was that just this is the z f one used by the registration agency is this is that the same one it's a bit bigger. does it have encryption and if it's likewise starting on the p.c.'s often could see up to intensity ok a photo here then for all. of us would be blocking but so what else do banks want to see anybody. they want to know who they're dealing with this theme how he's i don't know your customer thought this is all stuff coming what do they want to. you
3:53 am
know fuzzy on i'm doing because they're assuming a huge scope. criminal minds on which to choose from strictly they want to prevent somebody capturing that fingerprint once it's transferred to the p.c. so i can see the notice is a picture. and that's possible yes too much. so the company is aware that the device is vulnerable something the german government is surely aware of given that the loophole has been around for 10 years. all the more puzzling then is the discovery of this article by a member of germany's federal administration agency which recommends this very same fingerprint scanner for the schengen system. a scanner that's vulnerable to hackers in germany and worldwide using any fingerprints or other personal data. the problem is one of global proportions. mr whatever new you know but don't forget
3:54 am
we have not been exactly state of the art for the last 10 years. and there is room for improvement with encryption and the hardware itself for example did not think it is able to in view of ordinary citizens have the right to expect top security for our data and that's not the case. does it really is time to take actions that sidestep one says it's an indispensable. we talked to officials at the german parliament and it various government ministries about these security problems. and got this response from the interior minister. the collection and or processing of personal data with or in information technology systems can be considered reasonably secure. not exactly a ringing endorsement. the european union needs to do more to prevent the misuse of
3:55 am
data based on fingerprints. for years e.u. external border facilities have been using a scanner that's not secure. starbuck proved that by creating replica fingerprints that the scanner accepted as real. on a more sinister level terrorists also use these replicas to hide their identities. last december police in turkey made a shocking discovery after raiding a suspected terrorist hideout in the city of care should hear. their raid was filmed and we managed to get a copy of the video. the authorities arrested 10 members of the islamic state organization ringback ringback. they also found evidence indicating that the individuals had been using forged biometric identity data.
3:56 am
police seized cash identity papers fingerprint molds and replica fingerprints. from the investigation later determined that the suspect had used a fake prince to provide identification for money transfers. this suggests that terrorists are fully capable of using forged biometric data. coming their loan for until it's clear that criminal sense particularly terrorists are using this technology for perpetrators are able to steal fingerprints by hacking a database or they simply forge them. do you do a version of the fake prints or then scanned into a specific database. that allows them to set up a fake identity profile that can then be used anywhere that uses fingerprints as a form of identification. like airports and passport facilities and if they do to dance with you. it's aware of. this data can also be used to open various kinds of
3:57 am
secure accounts up with him is that dangerous. it will make stream lee dangerous because we trust that biometric data but we often ignore or don't want to believe that it's fairly easy to manipulate that data was preceded. the illegal trade in digitized biometric data is booming. systems have become increasingly vulnerable governments and private sector companies are duty bound to protect our personal data because once that information falls into the hands of criminals it's gone forever.
3:58 am
to go off. it's 2019 come to america and the field is rising in south america this is highest it's brazil and the pressure is on but i. can hear it live at another victory to do such
3:59 am
a move to find out more. than 30 minutes on w. amsterdam is a beautiful city that draws people to it the most magnificent case the dutch capital has become so popular. that locals can barely afford to live there anymore gentrification exploding prices high demand this is a real estate crisis and the squeeze is on. close up in 90 minutes on d w. with him how to be done because others will lie and i know if i had known that the boat would be that small i never would have gone on
4:00 am
a trip of i would not have put myself and my parents in that dangerous job out of the dream of the open a beautifully it would. love one to the other one little room to give them i had serious problems on a personal level and i was unable to live there wasn't going to. want to know their story in full margaret scarified and reliable information for margaret's. germany's foreign min. mr heiko moss has held talks in iran in an attempt to salvage that country's nuclear deal with international powers he said germany was working to prevent the deal's complete failure his iranian counterpart mohammad java serif said the discussions had been frank and serious.


info Stream Only

Uploaded by TV Archive on