Potential security risk detected in the ID-card chip and questions and answers to our customers
Below is the announcement of the State Information System Authority on the security risk detected in the ID-card chip, followed by questions and answers for our customers about using the ID-card in the Internet bank.
On September 5, the State Information System Authority published a press release on its homepage at www.ria.ee/en/potential-security-risk-detected-in-the-id-card-chip.html:
Potential security risk detected in the ID-card chip
On August 30, an international team of scientific researchers informed the Estonian Information System Authority (RIA) that they had discovered a security risk affecting ID cards issued in Estonia since October 2014.
"According to the current assessment of Estonian experts, there is a security risk and we will continue to verify the scientists' claims," said Taimar Peterkop, Director-General of RIA. "We have already developed the primary solutions to mitigate the risks, and we will do our utmost to ensure that the security of the ID-card is guaranteed."
"According to current information, this security risk is still theoretical and no one's digital identity has been misused," said Peterkop. "All ID-card operations are still valid and we will take appropriate actions to secure the functioning of our national digital-ID infrastructure. We have restricted access to the Estonian ID-card public key database to prevent any illegal actions."
The possible security risk concerns ID cards issued since October 2014 (including cards issued to e-residents), a total of almost 750,000 cards. ID cards issued before October 17, 2014 use an alternate chip and are not affected by this risk. This security risk does not affect the security of mobile-IDs.
"The Estonian digital society is using cutting edge innovative technologies. Those new technologies provide good value and services for the public, but may also impose risks. What's important is that the potential risks are detected and mitigated. This particular case is a good example of how scientific discovery can impose impact to risk profile and Estonia has to solve them," said Taimar Peterkop, head of RIA.
Additional information and questions and answers for our customers:
The ID-card is a document issued by the state. We accept ID-cards for using bank services as long as the state considers them sufficiently safe. As a bank, we apply additional risk-based methods to ensure further control over payments. ID-card data alone is not sufficient for making payments in the Internet bank. You must also know the Internet bank username, which is not publicly available information.
Is the ID-card safe?
The ID-card is a document issued by the state. Banks accept ID-cards for using bank services as long as the state considers them sufficiently safe. However, banks may apply additional risk-based methods if they deem it necessary.
As long as the state considers it a safe method for identifying a person and signing in the Internet bank, so do we.
Are there any alternatives to the ID-card?
It is possible to use Mobile-ID instead of the ID-card. Also, Smart-ID and a PIN-calculator may be used for logging into many other services, such as banking services.
Where can I get the Mobile-ID?
To get the Mobile-ID, please contact a mobile operator to conclude a contract.
Where can I get the Smart-ID?
Mobile-ID and ID-card users can join Smart-ID on the web at www.smart-id.com.
Where can I get a PIN-calculator?
A PIN-calculator can be bought from a bank office.
Are the Mobile-ID and Smart-ID safe?
Smart-ID and Mobile-ID use a different technology and are therefore not affected by the risk in question.
What does it mean for me?
At the moment, nothing will change. You can use the Internet bank as before. Should there be any changes to using the Internet bank with an ID-card, we will inform our customers immediately through our homepage and social media.
Should I do something right now?
There are five possibilities for using the Internet bank: Smart-ID, Mobile-ID, PIN-calculator, ID-card and code-card. An overview in Estonian of different options can be found at www.seb.ee/foorum/igapaevased-rahaasjad/milline-alternatiiv-koodikaardile.
What kind of ID-cards does this concern?
The possible security risk concerns ID-cards issued since October 2014 (including cards issued to e-residents). ID cards issued before October 17, 2014 use an alternate chip and are not affected by this risk.
Is logging into the Internet bank and signing transactions/contracts with an ID-card insecure?
The ID-card is a document issued by the state. We accept ID-cards for using bank services as long as the state considers them sufficiently safe. Should we consider it necessary, we will apply additional risk-based methods to the use of ID-cards and will inform customers of these methods via our homepage, the Internet bank and social media.
Where can I get information about restrictions applied to using the ID-card in the Internet bank?
Should we apply any restrictions to logging into the Internet bank and/or signing with the ID-card, we will announce them on our homepage and via social media.
What social media accounts does SEB have?
Facebook: www.facebook.com/seb.eesti/ and www.facebook.com/seb.eesti.ru/
Twitter: https://twitter.com/SEB_eesti
I am abroad and cannot sign up for a Mobile-ID
When staying abroad, you can download the Smart-ID application and activate it with your ID-card.
Why should I apply for a Smart-ID or Mobile-ID?
It is always good to have several solutions. For example, it is wise to have a spare key. If something happens to it, another one can be used. The same applies to personal identification and digital signing. If one solution cannot be used, you can use another. It is wise to have the option available before a need arises for it.
Which one do you recommend? Smart-ID or Mobile-ID?
Mobile-ID can currently be used in more places than Smart-ID. If we are talking only about using the Internet bank, we advise ordering both, since it is always good to have several options available. Smart-ID will not work without an Internet connection. Mobile-ID is message-based, so service fees will be added when it is used abroad. In addition, there may be delays in forwarding the messages depending on the roaming operator, which may jeopardise the operations.
Can I annul the certificates of my ID-card and how? Should this be done?
Certificates can be suspended through the ID-card helpline at 1777. Further information is available at www.id.ee.
Certificates can be suspended or annulled by the cardholders themselves or by the service provider. There is currently no need for that. If the situation changes, cardholders will be informed immediately.
If cardholders want to prevent the risk of misuse, they may subscribe to Mobile-ID or Smart-ID and, after activating these, suspend or annul the ID-card certificates.
Suspended certificates can be reactivated. Once the certificates are annulled, the card can no longer be used digitally and a new card must be ordered.