The mObywatel app is a government tool that allows citizens to use digital versions of identity documents. According to the Act on the mObywatel app, the goal of introducing the mDowód (digital ID card) was to make it easier to confirm identity without the need for a traditional ID. mObywatel was developed by the Scientific and Academic Computer Network (NASK) at the initiative of the Ministry of Digitization. Launched in 2017, the project aimed to digitize public services and facilitate citizens’ access to electronic documents, such as mDowód and mPrawo Jazdy (digital driver’s licence). The idea stemmed from the growing need to simplify contact between the public administration and citizens and to increase the security and convenience of dealing with official matters. The system gradually evolved – from the introduction of basic functions, through the expansion of the offer to include more documents, to the latest version of the app – mCitizen 2.0, designed to be a digital assistant helping citizens in dealing with official matters. However, it turns out that the security features it employs may not be sufficient to effectively verify the authenticity of the documents presented, at least not with the way that most of the citizens currently use the app.
Trading in “fakes”
As demagog.org alerts, counterfeit versions of the mObywatel application have begun to flood the market. Fake versions of mDowód are available on various social media platforms, such as Facebook and TikTok, and their prices start from as little as… 20 zlotys!
“We usually come across fake mObywatel offers by chance on social media. Accounts with names alluding to the official name of the application encourage people to send private messages or join designated channels (the most popular one we found had more than 6.5 thousand members). A link to a fake mDowód website costs 20 zlotys. Some scammers use a script that allows only one specific page to be displayed but does not imitate the entire application. Sometimes such scripts are publicly available – although completely illegal.”- reads the Demagog portal.
Criminal loyalty program
Many scammers reassure their customers by convincing them that the offered version of mObywatel is safe and intended only for “educational” or “collector” purposes. In reality, however, scam apps are being used to circumvent the law – fake IDs can be used for purchasing alcohol by minors or identity theft, among other things.
For an additional 60 zlotys, one can get access to an app that copies mObywatel with, as scammers assure, “one-to-one” accuracy. What’s more, you can also encounter offers to buy the source code to create your own application. For entry into the criminal business, one must pay PLN 200. Some fraudsters offer discounts or free access to apps for referring a friend.
It is worth noting that fake mDowód cards can have serious consequences, especially in terms of elections. According to Polish regulations, an mDowód is equivalent to a traditional ID card, which means it can be used to cast a vote in elections. In a situation where a fraudster gains access to a fake mDowód, he or she can cast a vote instead of the rightful owner, posing a serious threat to the electoral process and citizens’ confidence in the voting results.
Fake mDowód cards can also be used for illegal purchases or SIM card registration, as well as identity theft. Scammers, operating on cheap counterfeits, can impersonate victims, gaining access to private bank accounts and other sensitive services. As a result, those unaware of the threat can suffer serious financial losses and experience a loss of privacy.
Example of the scam website for creating mDowód and the fake mDowód. The site has been disabled. / Graphics: Deamgog.org
Weaknesses of the system
Although the mObywatel app includes a number of security features, such as a QR code, verification of mDowód based on its graphic elements can lead to errors. There is a risk that document verifiers may rely only on visual features, such as the changeable image of the Polish flag, which can give a false sense of security. Security experts point out that visual verification of a document’s authenticity is not sufficient and can lead to mistakes.
One of the most important steps that can reduce the counterfeiting of mDowód is to educate the public about document verification. Citizens should learn how to use the option of scanning the QR code in the app, which is an effective way to confirm the authenticity of mDowód. The whole process of verifying documents using a QR code is surprisingly simple and does not require registration or downloading specialized applications, as all you need to do is visit the verification website and ask the person whose document you want to check to scan the QR code. Such verification provides an unequivocal confirmation of the authenticity of the document being presented, although in the context of, for example, handling many customers in a store during peak hours, it can be quite time-consuming. Unfortunately, as experts note, many mObywatel users do not use this feature which increases the risk of illegal use of fake documents.
“The state should create a consistent system for verifying e-documents wherever they are in use. This system should be implemented by both public and private entities. Identity verifiers should have a tool (system, technology, supporting equipment) that allows them to unambiguously recognize wheter a document is real or fake.”
– Gosia Fraser, editor-in-chief of TECHSPRESSO.CAFE, in a commentary for Demagogue
Description of an effective method of cryptographic verification of mDowód / source: Ministry of Digitization
State institutions should create a coherent e-Document verification system, available to both public and private entities, which would give identity verifiers at various places – from election commissions to conductors on trains – the ability to identify fake documents without errors.
It should also be reminded that the production of replicas of public documents is punishable by a fine or imprisonment for up to two years.
