A wave of identity theft cases has forced software giants and the European Union to introduce more stringent security requirements in order to ensure e-safety. For Estonians, this comes in the form of having to update ID-card certificates, which nearly 400,000 people failed to do by the July 1 deadline. Those who did are looking at a worst case scenario of having to apply for a new identification card.
«We have not seen a dangerous attack; however, it is better to be safe than sorry,» said analyst at the Information System Authority (RIA) Anto Veldre, commenting on the decision to switch to new certificates.
Western countries have experienced problems with identity theft and cybercrime in the past three to four years. Veldre says that elsewhere a computer virus is all one needs to access someone else’s bank account. «It is more complicated than that with the ID-card,» he said.
«Talking about identity theft, we are almost living in safety behind the Great Wall so to speak,» Veldre said. The expert explained that Estonia has two forms of identity theft: either the use of someone else’s ID-card or sharing someone else’s photographs without their permission.
The need to update certificates concerns owners of ID-cards issued before the middle of October 2014. These cards use the SHA-1 algorithm. The new certificates are based on the longer SHA-2 algorithm the world’s largest software companies are also adopting. «Google and Microsoft have said that the SHA-1 algorithm has become outdated, and that they will start working against it at one point,» the RIA analyst said.
It is difficult to predict the behavior of software titans. «We do not know whether support for SHA-1 will be taken out of web browsers. They have been changing deadlines. It is possible that Google Chrome will limit the use of certificates sporting weaker cryptographic security come fall. This could mean difficulties for users of ID-cards, for example in accessing online banking services,» Veldre said.
A solution was created in Estonia last year the likes of which exists nowhere in the world, which made it possible to update the certificates without having to spend hours queueing at a state agency. «I was amazed by the fact we managed to make it secure - updating one’s personal certificates from home over the internet,» he said.
Data from RIA suggests that a little under 400,000 digital documents - residence permit- and ID-card certificates - had not been updated by July. «The deadline for updating came and went on July 1, and it cannot be extended as it is an EU requirement,» Veldre said.
«The temporary solution is to use an alternative web browser, like Mozilla Firefox or Internet Explorer for Windows and Safari for Mac, come fall. Microsoft Edge cannot be used as an alternative as the browser does not support digital signatures,» the analyst said.
People who do not want to use other browsers (or experience problems using them) need to apply for a new ID-card. Both the physical document and certificates will remain valid even if the latter were not updated after July 1. Outdated certificates could manifest in problems when using e-services in the future. Potential problems concern card holders who use ID-card-based digital services.