ID-cards that do not meet security requirements

ID-cards and residence cards do not meet the security requirements if they were issued before October 2014 and renewed through the application of the card manufacturer at the service points of the Police and Border Guard Board. The Police and Border Guard Board will declare the certificates of these cards invalid from 1 June 2018.

ID-cards with invalid certificates can no longer be used electronically. To enter e-services or give digital signatures, the cardholder must either apply for a new card or use mobile-ID. ID-cards with invalid certificates will still be valid both as an identity document and as a travel document until the expiry date indicated on the card. The cards can also still be used at pharmacies and as customers’ loyalty cards.

The state will replace under warranty all ID-cards that do not meet the security requirements and are valid for longer than three months after submitting the application for a new document. The Police and Border Guard Board will contact holders of these ID-cards and provide information about replacing the ID-card.

Cards affected by the security risk

ID-cards issued from 1 January 2011 to 16 October 2014 and residence cards issued from 1 January 2011 to 17 December 2014, which have been renewed at the service points of the PPA from July 2012 to July 2017.

These cards totalled at over 74,000; today, about 12,500 such cards are still valid.

Check whether your card meets the security requirements at the website www.eesti.ee.

The following cards are not affected:

  • - cards that were affected with the security risk discovered in 2017;
  • - cards that have been renewed from a home computer;
  • - cards that have not been renewed at all;
  • - cards that were issued after October 2014 (in the case of residence cards, later than 17 December 2014).

  • What is the security risk about?

    The state has required that the ID-card keys must always be generated inside the chip to rule out the possibility that someone else has access to the private key of the card user and thereby, to the digital use of the card. It has become clear that the manufacturer of the Estonian ID-cards has not complied with this requirement and has generated the keys outside the chip for some documents.

  • Which cards are affected?

    The affected cards are:

    • ID-cards issued from 1 January 2011 to 16 October 2014 and
    • Residence cards issued from 1 January 2011 to 17 December 2014,
    • which have been renewed at the service points of the Police and Border Guard Board from 12 July 2012 to 30 June 2017.

    The following cards are not affected:

    • cards that were affected with the security risk discovered in 2017;
    • cards that have been renewed from a home computer;
    • cards that have not been renewed at all;
    • cards that were issued after October 2014 (in the case of residence cards, later than 17 December 2014).

    Go to the website www.eesti.ee to check whether your document is affected.

  • What is next?

    According to the Directive No 15.2-9/91-1 of the Director General of the Police and Border Guard Board of 16 May 2018, all certificates of valid cards affected by the security risk will be declared invalid on 1 June 2018 and cards expiring after more than three months will be replaced under warranty. A document replaced under warranty has the same expiry date as the original document.

  • How many cards are affected?

    There are more than 12,000 valid cards. Altogether, 74,000 cards were affected by this risk.

  • Is it possible to abuse cards that are invalid?

    People who know the keys of invalid cards can open the documents encrypted on these cards. Other actions (digital signing, logging into e-services) cannot be performed with invalid cards.

  • Has the security risk realised?

    So far, the Police and Border Guard Board and the Information System Authority do not know of any cases of an ID-card being electronically misused.

  • How was this discovered only now?

    The Information System Authority received information about the possible violation of requirements last February. However, this information had to be thoroughly investigated and evidence had to be found.

  • Is using the ID-card safe?

    The state will mitigate the risk from 1 June, when the affected cards – about 12,000 of them – can no longer be used electronically. All other cards are safe and people can use them. Today, we also have no reason to believe that the affected cards have been misused or that someone has access to the private keys of these cards. It is theoretically possible, but in reality, there is no sign of any incidents.

    Using the ID-card as an identity document is completely safe.

  • How can I use an ID-card affected by the security risk?

    ID-cards affected by the security risk will still be valid both as an identity card and as a travel document until the expiry date indicated on the card. The cards can also still be used at pharmacies and as customers’ loyalty cards.

    From 1 June 2018, ID-cards affected by the security risk cannot be used in e-services and for digital signing.

    The Police and Border Guard Board will replace cards under warranty which are valid for more than three months from the moment of contacting the Police and Border Guard Board. To use e-services, people can conclude a mobile-ID contract.

  • Do I need to apply for a new ID-card?

    If the card is used only as an identity document, it is not necessary to replace the card.

    If the card is valid beyond 1 September 2018, it will be replaced under warranty for free for a card with the same validity period. ID-card holders whose certificates were declared invalid received an e-mail with a guide to their eesti.ee e-mail address on how to be issued a new document under warranty. For more information on applying for a document under warranty, please refer to the information number of the Police and Border Guard Board – 612 3000.

    ID-card holders whose document expires no later than on 31 August 2018 must apply for a new document in the online application environment or at a service point of the Police and Border Guard Board. After 1 September 2018, the documents will be replaced under warranty only if the document will expire in more than 3 months.

    Go to the website www.eesti.ee and enter the document number to check what needs to be done with the document.

  • Whom can I ask for help?

    For more information on applying for a document, please refer to the information number of the Police and Border Guard Board – 612 3000.

    For information on mobile-ID, contact your mobile operator by calling their hotline or visiting their online service.

  • In which cases can the state declare my certificates invalid?

    The state can declare the certificates of an identity document invalid in the cases provided by law and one of these cases is that the private key entered on the card can be used without the consent of the user (in other words – the document can or could formerly be digitally used without the consent of the user). As in this case, the state has reason to believe that the security risk means that it has been possible to use the private key of the document user without the user of the document knowing of it, the state has made a decision to declare all certificates affected by this risk invalid.

     
  • Can I replace a faulty ID-card with a new one? How quickly can it be done?

    The Police and Border Guard Board will replace cards under warranty which are valid for more than three months from the moment of contacting the Police and Border Guard Board. Until 31 May 2018, the existing ID-cards can be used in e-services and for digital signing.

    The ID-card is still valid until the date indicated on the document as a physical identification document.

  • Can the error be fixed on the web?

    This security risk cannot be corrected online or at the service points of the Police and Border Guard Board – a new document must be applied for.

  • Can I check whether somebody has misused my card/identity? How can I do so?

    In case of suspicion of electronic abuse of the ID-card, contact the police and inform the Incident Response Department of the Information System Authority (cert@cert.ee).

  • Can any of the operations be questioned? Which ones? Do I have to carry them out again?

    Neither the Information System Authority nor the Police and Border Guard Board has any information about cases of misuse. All signatures given and transactions made with the card are valid.

  • Did the state not check what the manufacturer is doing?

    One of the basic requirements for ensuring the security of ID-cards is that the keys can only be generated inside the chip. The principle of generating the security keys in the chip has also been clearly set out in the certification process, which has been audited. None of the auditors found this error. Gemalto has previously confirmed to the Police and Border Guard Board that keys are generated inside the chip.

  • Have you checked the scientists’ allegations?

    The Information System Authority has checked the claims and ordered an analysis which confirmed that the keys of some ID-card certificates s were generated outside the chip.

  • What have you done so far?

    The Information System Authority analysed the provided information and forwarded the hypothesis set in the research to the Police and Border Guard Board, who requested clarification from their contractor who manufactures ID-cards for Estonia. In accordance with the requirements established by the Estonian state, ID-card keys can only be generated on the chip. Generating keys outside the chips allows using the ID-card without having the physical card and knowing the PIN.

    At the request of the Information System Authority, AS Cybernetica also analysed the claim regarding the generation of keys. The group of specialists, who also collaborated with a University of Tartu researcher, concluded that from July 2012 to 30 June 2017, keys were generated outside the chip during the renewal of ID-cards at the service points of the Police and Border Guard Board in 74,583 cards. There are more than 12,000 valid cards. All these documents were issued before 16 October 2014.

    Cards that people have renewed from their home or that were issued after 16 October 2014, including cards which were renewed at the service points of the Police and Border Guard Board from this date, meet the requirements.

    The Information System Authority has, based on the findings of AS Cybernetica and the researcher, prepared a risk assessment and submitted it to the Police and Border Guard Board with the recommendation of declaring the certificates of ID-cards in question invalid.


ASK FOR HELP

If you didn't find an answer to your question, send it to our team.



  • See instructions
  • Please estimate your ability to use the computer, so that we can provide you with the best guidance

         

  • Verification failed

How can we improve the article and be more helpful?
Send Close