SHARE
COPY LINK

DIGITAL ID

Denmark’s MitID secured after discovery of security weakness

A flaw that allowed hackers to lock users out of Denmark’s secure digital ID, MitID, has now been fixed, digital authorities say.

Denmark’s MitID secured after discovery of security weakness
MitID's reputation has been bruised by reports of security weaknesses. Photo: Liselotte Sabroe/Ritzau Scanpix

An update resulted in a weakness that could let hackers block users out of their own MitID accounts if the hacker knew the user’s personal registration or CPR number. The flaw has now been fixed, making the system secure, broadcaster DR reports.

The update, added to the system by Nets, the secure online payment system used in Denmark, resulted in a weakness that could allow hackers to send a log-in request by adding a CPR number to a browser URL, DR writes.

If repeated requests are sent without the user actually logging in, they can be frozen out of their digital ID, meaning they are unable to access public service platforms, online banking and secure payments.

The issue was identified and fixed by IT security staff last week, according to DR.

The Danish Agency for Digitisation (Digitaliseringsstyrelsen) told DR in a written comment that there was “regrettably an unintended implementation with an individual broker”. The issue has now been fixed, it said.

The issue follows an earlier problem with MitID identified by engineering journal Ingeniøren, which reported last month that a coding trick could enable hackers to easily identify the usernames of MitID users.

The Agency for Digitisation told DR users who have lost confidence in the system’s security can “confidently obtain and use MitID”.

The MitID digital ID system is gradually replacing NemID as the online ID used in Denmark for access to public service platforms, online banking and shopping online.

NemID will be turned off for secure platforms like banking and public services on October 31st. After this date, only MitID can be used to log on.

Other platforms, like online shopping, will still accept NemID for now. The old system will be fully decommissioned on June 30th, 2023. 

READ ALSO: Concerns over Denmark’s MitID security after media finds vulnerability to ‘simple hack’

Member comments

Log in here to leave a comment.
Become a Member to leave a comment.

CRIME

Danish courts issue warning over SMS scam

An SMS scam is in circulation in Denmark involving messages which falsely purport to have been sent by the country’s court system.

Danish courts issue warning over SMS scam

The Courts of Denmark (Danmarks Domstole), the country’s judiciary, has issued a general warning to the public after several people were reported to have received scam text messages claiming to be from the legal system.

In a message displayed on its website, Courts of Denmark said that “several members of the public have stated that they have receive an SMS from the courts in which they are told they have received digital mail from the courts”.

The messages direct the recipient to click on a link within the SMS to “update their information”.

“Courts of Denmark did not send these messages. If you receive such an SMS, delete the SMS,” the message on the Courts of Denmark website reads.

A message alerting the public to an SMS scam was posted to the Courts of Denmark (Dansk Domstole) website on Tuesday. Image: screengrab

 

Police data suggests that criminal SMS scams are proliferating in Denmark.

Special economic crime unit NSK said in April that the number of cases of SMS fraud increased by 130 percent last year.

 

Police say that the scam text messages primarily attempt to appear as though they come from a trustworthy source like a bank, shipping company or the Tax Agency.

They usually contain a link to a false website which enables the scammers to collect and abuse victims’ personal information, such as bank card or digital ID (MitID) data.

Scams of this type are defined by NSK as IT-related crime. Police received over 35,000 reports of this type of crime last year.

The police unit has also encouraged the public to pause and think carefully when they receive and SMS – but also a telephone call or email – which asks them to provide personal details or log in with MitID, Denmark’s digital ID system.

It is a good idea to ask someone you trust for advice before responding or reacting to such messages, NSK also says.

Earlier this month, reports also emerged of a scam involving QR codes which were stuck onto parking payment machines in Copenhagen, with a message saying the code could be used to pay for parking.

But Copenhagen Municipality said that it is not possible to pay for parking in the city via a QR code. It has removed the stickers and reported the scam to police.

SHOW COMMENTS