The Information System Authority (RIA) presented their suggestions to SK ID Solutions (SK), the provider of the Smart-ID service, for how to better prevent the creation of Smart-ID accounts by criminals. Many Smart-ID accounts have been created for people without their knowledge and people have also lost funds in some occasions.
As Smart-ID can be used to access a person’s bank account, the eesti.ee portal designed for information exchange between the state and citizens and other environments, it is important for the RIA to make the process of applying for a Smart-ID account clearer and prevent situations in which a criminal creates an account for a person without their knowledge.
The main suggestion was concerned with how to better prevent cheating people into disclosing their data. ‘According to our initial suggestion, a separate channel or environment would be created which a person creating a Smart-ID account would be required to use to activate the service. As SK has developed their own solution which has been in use since 1 July, we are not currently requesting the creation of a separate environment. Should the measure implemented by SK prove insufficient, however, a new risk analysis must be performed and the initial solution proposed by the RIA in the form of an alternative environment should be implemented,’ said Uku Särekanno, Director of Cyber Security of the RIA.
As of 1 July, SK ID Solutions implemented a change which makes the process of registration of a Smart-ID account clearer. A separate notification and a code are now sent to the device connected to the person’s Mobile-ID. The code must also be entered to create a Smart-ID account. The RIA has suggested that SK should perform a security analysis to assess the risks involved with creating an account and draw up a risk alleviation plan, as well as provide further information about the creation of a Smart-ID account to persons by using their existing contact details. Furthermore, the next compliance assessment report must include an assessment of the new measures.
The main issue of the Smart-ID scheme is that the person whose personal details have fallen into the hands of a criminal may not realise that they are providing a digital signature for the creation of a Smart-ID account. ‘The activation process must be clearer and it must be clear to the person that a Smart-ID account is being created. Criminals were using fake websites and left people under the impression that the digital signature was required for updating their bank details. In actual fact, they started the process of creating a Smart-ID account,’ said Särekanno.
There were phishing e-mails circulating between February and June which were used by criminals to coax people to disclose their PIN codes and to create Smart-ID accounts for them behind their backs. The fraud scheme consisted of sending text messages in the name of a well-known person to people which appeared to direct them to the website for logging into the online bank. There, the user was redirected to a phishing website to enter with their Mobile-ID. Once the victim had entered their username, personal identification code, and PIN 1, the criminals launched the process of creating a new Smart-ID account. They took advantage of people’s lack of attention to force them into taking the following necessary steps, such as entering their PIN 2, to complete the process of creating a Smart-ID account on the background. This enabled the criminals to create a new Smart-ID and to use the victim’s details to log into various e-services which use Smart-ID, including online banks.
Completion of the supervision proceedings of the RIA will not affect the criminal proceedings initiated by the Police and by the Prosecutor’s Office with the aim of identifying the persons behind the fraud scheme.
Press Officer of the RIA
Source: Information System Authority