Su, 1.10.2023

E-services suffer worst breach yet

Aivar Pau
, ajakirjanik
Photo: Mihkel Maripuu

Estonia, one of the three most proficient countries in the world when it comes to number and level of public e-services, had to deal with a serious cybersecurity breach earlier this year when unknown criminals managed to hijack several digital identities.

Technical weaknesses in Estonia’s secure authentication methods ID-card and Mobile-ID had remained theoretical so far, including the ID-card crisis of the year before last.

Widespread method of identification

A vulnerability manifested in reality for the first time this February. While only a single hijacked identity would constitute immense moral damage, this latest incident concerned those of between 10 and 20 people. Luckily, financial damage only came to around 1,000 euros.  We’re talking about the increasingly popular and undoubtedly the most modern and convenient identification tool Smart-ID.

Smart-ID can be used to access all commercial banks and through them all Estonian public e-services. Estonia’s e-Tax Board even has a shortcut for the application.

Using Smart-ID is convenient because, unlike Mobile-ID, it does not require the user to get a special SIM card and pay a monthly fee. Smart-ID is free to use on any smartphone or tablet that is connected to the internet. The service does not make use of SMS protocols, meaning it’s easy on the user’s cell phone bill when roaming.

The application is developed and marketed in Estonia and abroad by SK ID Solutions – the same company developing a competing Mobile-ID application for the Police and Border Guard Board and is in charge of creating digital identification certificates for the ID-card. Smart-ID accounts are created using ID-card or Mobile-ID identification.

The criminals’ scheme relied on Estonians’ habit of using Mobile-ID to access services or give digital signatures without checking who is asking for their PIN1 or PIN2 and whether verification codes in the e-service and on their screen match. People are also less than critical when it comes to the contents of SMS messages or emails. In this case, the victims received an SMS message seemingly by an Estonian bank, urging them to update their account information. The message was actually sent by the perpetrators who had included a link to a website that exactly mimicked that of the bank.

The website asked the victims to log in using Mobile-ID that gave the hackers access to people’s PIN1 and PIN2 codes as well as their personal identification code. The codes were needed to open Smart-ID accounts in the victims’ name at that very moment.

Criminal police on the case

The Smart-ID service provider learned of the breach in early March and filed a report with the State Information System’s Authority (RIA) and the police. The latter launched supervision proceedings and a criminal investigation.

Liisa Lukin, head of additional services at SK ID Solutions, said that providing your PIN2 code is akin to giving a signature and that people should never go ahead with it if they are unsure why they are being asked to provide it.

SK ID Solutions has complemented the text people see when they use Mobile-ID to open a Smart-ID account. The text now explicitly states that a Smart-ID account will be created for the user upon entry of the PIN number. If a person does not want a Smart-ID account, they must not provide their digital signature.