Estonia to block access to digital ID cards over identity theft risk

3 Nov 2017

Tallinn, Estonia. Image: dimbar76/Shutterstock

A security flaw in the chips used in Estonian ID cards could make holders vulnerable to cybercrime.

Estonia is viewed as a digital leader in Europe, with many government and public services provided online through its nationwide identity system. Estonians can access services including health and pension records, medical prescriptions, and voting information using the system.

As the country currently holds the presidency of the European Union (EU), Estonia is involved in multiple digital projects within the bloc. These projects include e-governance initiatives, creating a digitally literate society and developing the EU Digital Single Market.

Every Estonian citizen can provide digital signatures using their ID card in order to gain access to the bank of online services offered by the state and private companies alike.

Issues in a digital Estonia

However, a digital society is not without its issues. Yesterday (2 November), Estonia announced plans to block access to online services by removing security certificates for about 760,000 people from midnight (UTC) tonight to remedy a security flaw in some of the ID cards.

According to Reuters, the country’s online ID service cards were found to have an encryption vulnerability identified by researchers earlier this year, potentially exposing smart cards, security tokens and other secure hardware chips made by a company called Infineon.

Infineon said that it had resolved the issue but cards still need to be updated. The risk was quite substantial, as the chips are also used in other cards and computers, potentially opening up the private data of Estonians to cyber-criminals. The Estonian government and the chip manufacturer have both said there have been no signs of any exploits of the security flaw.

Estonian prime minister Jüri Ratas said: “The functioning of an e-state is based on trust, and the state cannot afford identity theft happening to the owner of an Estonian ID card.”

Priority upgrades

Priority updates will be supplied to security service employees and medical staff over the next couple of days, totalling around 35,000 people.

Estonian news outlet Delfi said that not all ID card holders need to be concerned about replacements but if their work is heavily connected to the running of the e-state, they must receive a new card.

Those who do not need a replacement ID card can still use the old one as an identity document, despite the fact that the certification will have been suspended. Estonia has multiple alternative digital IDs that citizens can still use to access services safely, and smartphones and tablets can also be used to access digital identity.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects