Security flaw in card chips could make holders vulnerable to cybercrime

At midnight last night, the Estonian government blocked the certificates of 760,000 ID cards after a flaw was discovered that could make cardholders vulnerable to identity theft.

The government-issued ID cards are mandatory for citizens of Estonia. In addition to functioning as a physical form of official identification, the cards are also used to authenticate a user’s digital identity, allowing them to gain access to online services such as banking, voting, and medical prescriptions.

According to Jevgeni Ossinovski, Estonia’s Minister for Health and Labor, a potential security threat was discovered in the ID card chips back in August. However, the government took the decision to block the certificates following the discovery of similar flaws in cards and computer systems around the world that use chips by the same producer.

As it became clear that the problem was growing in scale, the safety vulnerability was brought to the attention of international cybercrime networks, which have “significant means” to take advantage of the situation, the government said.

“Our first priority is the protection of people’s health data, which is why blocking the certificates is the only conceivable option,” said Ossinovski. “Over the past two months, a lot of work has been done to ensure the functioning of health and social services even in the case of the closure of the ID certificates.

“However, some disruptions may occur in hospitals in the coming weeks, which is why we ask for understanding from patients – this step will protect your data.”

All ID cards will continue to function as physical identification documents. However, given Estonia’s population of 1.3 million, more than half of the country’s residents will now have to renew their ID card certificates – either online or at police service points, which will remain open this weekend for that purpose.

Discussing the government’s decision to block the card certificates, Estonian Prime Minister Jüri Ratas said: “The functioning of an e-state is based on trust, and the state cannot afford identity theft happening to the owner of an Estonian ID card.

“As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real.

He added: “By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card.”

Since 2001 Estonian electronic ID cards have been manufactured by the Swiss company Trüb, which was acquired by Gemalto in April 2015. The company’s local subsidiary is said to be working with the Baltic state’s government to fix the issue.