Germany’s eID cards issued without adequate identity verification

Germany’s identity ecosystem is facing criticism on several fronts, as revelations about the country’s eID card program stir the embers of concern over its plans for an EU Digital Identity (EUDI) Wallet.

Investigations by the Süddeutsche Zeitung news team show a critical vulnerability in Germany’s eID card, which can be obtained by non-German EEA citizens aged 16 and over for 37 euros and is effectively equivalent to a German digital identity card, enabling the holder to many of the same benefits (but not travel). The cards contain numbers, family name, maiden name, given names, any doctorates, day and place of birth, address, nationality, order name or stage name, the type of identification document presented, and the expiry date of the eID card. Most banks accept the eID for remote identity verification when onboarding customers or opening new accounts.

But the cards are issued in person at citizen registration offices – which, says the newspaper, “presumably lack access to databases and, in some cases, the necessary technology to verify the authenticity of foreign identity documents.”

“This means that criminals with forged and stolen passports from anywhere in the EU can obtain a German eID card quickly and for under 40 euros – without potentially facing any serious scrutiny.” The scheme, says Süddeutsche Zeitung, is like an invitation to fraudsters, who are estimated to have circulated more than 75 million stolen identity and travel documents across Europe.

The eID cards “allow fraudsters to open bank accounts and set up entire corporate networks under false names. Because the cards contain no biometric data such as eye color or even a photograph, they can be passed around freely within a criminal organization. Investigators and IT experts, speaking to the Süddeutsche Zeitung, warn of a potentially large-scale fraud, which politicians have so far failed to address adequately.”

The Federal Minister of the Interior says some 47,000 eID cards have been issued since their introduction in 2021. How many of those have been spun into fraudulent identities is unknown, although “one investigator” suggests the number is high enough to be classified as “most.”

The expense of identity verification devices and services is cited as a reason for the shortcoming, suggesting a potential opportunity for a budget-friendly provider of biometric IDV, document verification and anti-money laundering (AML) tools. The report quotes a statement from Berlin police, who confirm that “a comparison of biometric data or a comparison with the European database of stolen documents does not take place. Not all registration offices are equipped with document verification devices.”

Such devices, and services that have vast libraries of international identity documents, are available, as readers of Biometric Update surely know. The report says one could argue that “a nationwide rollout of such devices, along with access to search databases, would be the very foundation required to ensure that such a card could be launched.” One can almost see the Request for Proposals coalescing in real time.

As it stands, the government faces allegations that “these shortcomings have been known for years, but too little is being done” to protect the banking and financial industries from eID-enabled fraud.

The story comes as the EU moves into 2026, the year in which member states must launch their digital wallet offering under the EUDI Wallet scheme to comply with eIDAS 2.0 regulations. Germany’s “blueprint” for the wallet has already been plagued by worries that centralized data processing would compromise user privacy – the so-called “phone home” server retrieval model that has faced staunch criticism from industry observers.

According to Heise, the German blueprint “stipulates that the exchange of proofs should only take place directly between the user’s digital wallet and the receiving body. The respective issuer of the proofs would not be involved in this transfer process and would not receive any information about their use. There is therefore no feedback (‘phone-home’).”

The country recently made moves to protect identity documents from quantum computer attacks, which can break modern encryption and compromise sensitive data stored in IDs.

Article Topics

biometrics  |  digital ID  |  digital wallets  |  document verification  |  e-ID  |  EU Digital Identity Wallet  |  fraud prevention  |  Germany  |  identity document