Why did I have to wave my hand in front of my ID card?

223 votes, 31 favorites





I recently had to authenticate myself online to use an internet-based service. The authentication process was done via video call with me holding my ID card in front of my laptop camera beside my face. I also had to wiggle the ID card so the person on the other end of the video call could see the security features that are printed on the ID card.



Then the person asked me to wave my hand in front of the ID card, so that it was shortly fully covered by my hand several times.



What is this method supposed to achieve or is this just security theater?









asked Aug 13 at 9:31
Tom K.

  • 39
    Seeing how you're located in Germany, an interesting follow-up question would be whether they took a picture while you authenticated, or whether they wrote down the serial number, and whether there is in principle any way any of the information could be accessed automatically (which is de facto the case when on a computer connected to a network) etc. Thinking about the massive joy of PAuswG there.
    – Damon
    Aug 13 at 13:49

  • 2
    "these are not the droids you are looking for" is all I could think about after reading the title
    – Eonasdan
    Aug 20 at 19:00












3 Answers
66 votes













Lethalcoder and others have made the point that duping the hand wave is easy to do. But that's missing the point of the request - it is an unexpected request that probably wouldn't be duped ahead of time. Tomorrow, they might ask you to show your cellphone's time, or today's paper (as if anyone reads those), or any other random item in front of the ID. This only becomes security theatre if they always ask for the same task, at about the same time in the ID process.



As to why you need to wave your hand, Schroeder explained it very well in their answer:




"Movement that blocks the view of the item under inspection helps to
defeat someone trying to use an overlay image on the video as a
replacement for the actual item. For instance, I could take a short
video of your ID (that shows the security features) and overlay that
on the live video instead of my actual ID. But by waving my hand in
front, then the remote viewer can see that it is not a video overlay."

























  • 29
    @pipe That day, they may have asked you to wave your hand in front. Tomorrow, they might ask you to wave a pen, or your mouse in front. Another time, they might ask you to spin the id front-to-back two or three times. As Jim says, anything unexpected. It's not that you couldn't fake these requests, but that you're unlikely to have a ready-faked video to hand for whatever they ask.
    – TripeHound
    Aug 13 at 14:24

  • 3
    The unpredictability of task is confirmed by neo's answer
    – schroeder♦
    Aug 13 at 17:14

  • 1
    @TripeHound Not sure why you're trying to tell me this in a comment. I've already read the other answers, and I didn't ask the question.
    – pipe
    Aug 13 at 18:56

  • 1
    For true and proper randomness one would want a diceware version of the steps to take, otherwise it's probably just all a bunch of handwaving
    – Wayne Werner
    Aug 15 at 19:15

  • 2
    @Joan And were such things to become widespread "in a few years", they'd probably change their security procedures.
    – TripeHound
    Aug 18 at 23:34










262 votes, accepted






Given that this identification was likely performed according to German law, this request was to conform with BaFin Circular 3/2017 which demands (in their non-binding English translation):




Any substitution/manipulation of parts or elements of the identity document must be countered by suitable measures. To this end, the person to be identified must be asked, for example, to place a finger over security-relevant parts of the identity document (variable and determined at random by the system) and move one hand across their face.
Using stills from these movements that are cut out and enlarged, the employee must verify that the identity document, along with all the security features visually identifiable in white light, is completely covered at the right point and that no artefacts indicating manipulation are evident at the transition points.




So the stated reason for that is to uncover potential manipulation in the video feed you send them. There have to be enough and unpredictable tasks which you may be asked to make it harder for you to have a suitable substitution prepared.







edited Aug 13 at 15:46
answered Aug 13 at 15:32
neo

  • 45
    I accepted this answer because it gives the actual reason why this is done, but schroeder's answer is certainly also correct and gives good reason.
    – Tom K.
    Aug 13 at 19:29

  • 2
    So basically a sort of man in the middle check?
    – Anthony
    Aug 13 at 22:16

  • 1
    Wouldn't this be fooled easily by green screen software?
    – JonathanReez
    Aug 14 at 2:13

  • 4
    @JonathanReez - I don't think green screen software is as good as you think it is. It might be able to post-process this kind of erratic behaviour, but to do it live would be very difficult. Especially when demonstrating the security features of the card.
    – Shadow
    Aug 14 at 5:01

  • 2
    @JonathanReez In theory, maybe. In practice, you need some pretty advanced software to keep tracking an object even when it's been completely hidden, and pick it up on the 'other side'. There are a lot of problems involved in that, and that's not even considering the standard green screen issues (the chroma color being reflected onto other surfaces and those being cropped out, for example)
    – Nic Hartley
    Aug 16 at 17:16












306 votes













Movement that blocks the view of the item under inspection helps to defeat someone trying to use an overlay image on the video as a replacement for the actual item.



For instance, I could take a short video of your ID (that shows the security features) and overlay that on the live video instead of my actual ID. But by waving my hand in front, then the remote viewer can see that it is not a video overlay.



A real threat? Yes. Just look at the fake videos that we have seen where someone can make it look like someone is saying something that they never did. The technology exists and is in use.



A credible threat? Questionable, but the mitigation is no cost, easy for all involved, and simple. So, the cost of mitigation is negligible.



That means that it is not "security theatre". It actually treats a risk. But I might agree that at this point in time, it might be borderline. Next year, I might have to edit this answer.






















  • 78
    @TheLethalCoder Okay. Almost anything can be broken given sufficient resources. Security is about relative costs, and this significantly increases the minimum effort for this type of fraud.
    – user369
    Aug 13 at 12:35

  • 15
    A green screen overlay is much more complicated. The ability for the overlay to smoothly process your hand's partial covering of the object will also help the viewer determine if it is real. They can ask for the wave at various speeds to detect artifact shearing of an overlay that did not process fast enough.
    – Nelson
    Aug 13 at 15:56

  • 14
    Wouldn't a fake ID defeat this method? It doesn't have to be the best fake ever, good enough to be used through a laptop camera
    – Felipe Pereira
    Aug 13 at 20:35

  • 10
    @FelipePereira a fake ID would not have the visual security features of a real card (holograms, etc.)
    – schroeder♦
    Aug 14 at 9:57

  • 7
    @schroeder Good IDs have security features such as embossed text, special card material, microprinting, UV ink, etc. that would be impossible to verify over a camera. Even a hologram or color changing ink would be difficult to demonstrate over a consumer grade webcam.
    – user71659
    Aug 15 at 15:50












up vote
306
down vote










up vote
306
down vote









Movement that blocks the view of the item under inspection helps to defeat someone trying to use an overlay image on the video as a replacement for the actual item.



For instance, I could take a short video of your ID (that shows the security features) and overlay that on the live video instead of my actual ID. But by waving my hand in front, then the remote viewer can see that it is not a video overlay.



A real threat? Yes. Just look at the fake videos that we have seen where someone can make it look like someone is saying something that they never did. The technology exists and is in use.



A credible threat? Questionable, but the mitigation is no cost, easy for all involved, and simple. So, the cost of mitigation is negligible.



That means that it is not "security theatre". It actually treats a risk. But I might agree that at this point in time, it might be borderline. Next year, I might have to edit this answer.






answered Aug 13 at 9:44









schroeder♦
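
The occlusion argument in the answer above, as a toy check added here for illustration (not part of the original answer): frames are small label grids constructed for the example, per-pixel segmentation of a real video is assumed to exist, and the names `render`, `card_visibility`, `count_full_occlusions` and `wave_passed` are hypothetical.

```python
# Added illustration: frames are tiny label grids, constructed for this example.
# "C" = card pixel, "H" = hand pixel, "." = background.
WIDTH, HEIGHT = 12, 6
REGION = ((1, 4), (5, 8))  # card occupies rows 1-4, cols 4-7 (end exclusive)

def render(hand_col, overlay):
    """Build one frame. hand_col is the left edge of a 4-wide hand, or None."""
    (r0, c0), (r1, c1) = REGION
    frame = [["."] * WIDTH for _ in range(HEIGHT)]
    def draw_card():
        for r in range(r0, r1):
            for c in range(c0, c1):
                frame[r][c] = "C"
    def draw_hand():
        if hand_col is None:
            return
        for r in range(HEIGHT):
            for c in range(max(hand_col, 0), min(hand_col + 4, WIDTH)):
                frame[r][c] = "H"
    # Physical scene: the hand is in front of the card, so it is drawn last.
    # Pasted overlay: the card image is composited last, on top of everything.
    for step in ((draw_hand, draw_card) if overlay else (draw_card, draw_hand)):
        step()
    return frame

def card_visibility(frame, region=REGION):
    """Fraction of pixels inside the card region that still show the card."""
    (r0, c0), (r1, c1) = region
    cells = [frame[r][c] for r in range(r0, r1) for c in range(c0, c1)]
    return sum(cell == "C" for cell in cells) / len(cells)

def count_full_occlusions(frames, covered_below=0.1, visible_above=0.9):
    """Count visible -> fully covered -> visible cycles of the card region."""
    cycles, covered = 0, False
    for frame in frames:
        v = card_visibility(frame)
        if not covered and v <= covered_below:
            covered = True
        elif covered and v >= visible_above:
            covered = False
            cycles += 1
    return cycles

def wave_passed(frames, required=2):
    """The card must be fully covered and revealed again 'several times'."""
    return count_full_occlusions(frames) >= required

# Two sweeps of the hand across the frame, left to right (constructed input).
SWEEP = [None] + list(range(-4, WIDTH + 1)) + [None]
genuine = [render(col, overlay=False) for col in SWEEP * 2]
pasted = [render(col, overlay=True) for col in SWEEP * 2]
```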











up vote
66
down vote













Lethalcoder and others have made the point that duping the hand wave is easy to do. But that's missing the point of the request - it is an unexpected request that probably wouldn't be duped ahead of time. Tomorrow, they might ask you to show your cellphone's time, or today's paper (as if anyone reads those), or any other random item in front of the ID. This only becomes security theatre if they always ask for the same task, at about the same time in the ID process.



As to why you need to wave your hand, Schroeder explained it very well in their answer:




"Movement that blocks the view of the item under inspection helps to
defeat someone trying to use an overlay image on the video as a
replacement for the actual item. For instance, I could take a short
video of your ID (that shows the security features) and overlay that
on the live video instead of my actual ID. But by waving my hand in
front, then the remote viewer can see that it is not a video overlay."

























  • 29




    @pipe That day, they may have asked you to wave your hand in front. Tomorrow, they might ask you to wave a pen, or your mouse in front. Another time, they might ask you to spin the ID front-to-back two or three times. As Jim says, anything unexpected. It's not that you couldn't fake these requests, but that you're unlikely to have a ready-faked video to hand for whatever they ask.
    – TripeHound
    Aug 13 at 14:24







  • 3




    The unpredictability of task is confirmed by neo's answer
    – schroeder♦
    Aug 13 at 17:14







  • 1




    @TripeHound Not sure why you're trying to tell me this in a comment. I've already read the other answers, and I didn't ask the question.
    – pipe
    Aug 13 at 18:56






  • 1




    For true and proper randomness one would want a diceware version of the steps to take, otherwise it's probably just all a bunch of handwaving
    – Wayne Werner
    Aug 15 at 19:15







  • 2




    @Joan And were such things to become widespread "in a few years", they'd probably change their security procedures.
    – TripeHound
    Aug 18 at 23:34






















edited Aug 13 at 17:13









schroeder♦











answered Aug 13 at 12:58









Jim
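
The unpredictability point in the answer and comments above can be checked against a provider's own challenge history. The following is an added example, not part of the original posts: the task list is taken from the thread, while `STEPS`, the 2-bit threshold, the function names and the three histories are assumptions constructed for illustration.

```python
import math
import secrets
from collections import Counter

# Tasks named in the answer and its comments; STEPS is a hypothetical count of
# points in the call at which the agent could insert the challenge.
TASKS = [
    "wave hand in front of ID",
    "wave pen in front of ID",
    "spin ID front-to-back",
    "show phone clock next to ID",
]
STEPS = 4

def pick_challenge(tasks=TASKS, steps=STEPS):
    """Draw the task and its timing independently from the OS CSPRNG."""
    return secrets.choice(tasks), secrets.randbelow(steps)

def audit(sessions):
    """sessions: (task, step) pairs actually asked in past calls.

    Returns (best_guess_rate, min_entropy_bits): how often someone who
    prepared for the single most common pair would have been right, and the
    same figure expressed in bits.
    """
    counts = Counter(sessions)
    best = max(counts.values()) / len(sessions)
    return best, -math.log2(best)

def is_theatre(sessions, min_bits=2.0):
    """Flag a history that is too predictable (threshold is an assumption)."""
    return audit(sessions)[1] < min_bits

# Constructed histories, 16 calls each.
scripted = [(TASKS[0], 2)] * 16                       # same task, same moment
habitual = [(TASKS[0], 2)] * 12 + [(TASKS[1], 1), (TASKS[2], 0),
                                   (TASKS[3], 3), (TASKS[1], 3)]
varied = [(t, s) for t in TASKS for s in range(STEPS)]  # every pair once
```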
