
Agency after new security hole: You can safely use MitID in 2023

An update meant that hackers could block anyone from MitID if they knew the social security number.

The article was updated 26/10 at 9.30 with the information that, according to the MitID broker Criipto, it was not there that the error occurred.

Confusion. Waiting time at Borgerservice. Crashes and security holes.

The rollout of the Danes' new digital ID has been bumpy to say the least.

According to Fagbladet Ingeniøren's IT media Version2, security personnel discovered and closed a serious security hole in MitID during the autumn holidays. The error meant that hackers could potentially block access to large parts of digital Denmark.

The problem arose after an update from Nets, which operates MitID for the banks and the public sector. Security people at MobilePay discovered that by adding a social security number to the address in the browser, a login request could be sent to MitID. That is, without knowing the username.

If that request is repeated, the user will be locked out. The same could be repeated on a large scale, potentially against the social security numbers of all Danes.

- We had MobilePay testing it for four days. It dawned on them that this was a vulnerability, and therefore we switched it off again, says Niels Flensted-Jensen, co-founder and director of Criipto, to Version2.

Criipto is one of the so-called brokers that mediate the contact between MitID and the users.

The brokers are one of the main differences to NemID. Where companies and service providers such as online shops previously had to connect directly to NemID themselves, they are now referred to a broker who is responsible for ensuring that it all takes place securely and flexibly.

The new update of the MitID system gave the brokers the opportunity to approve users whose social security number a website, for example, already knew, without the users having to enter their MitID username. It could be useful, for example, in connection with payments.

Experts are appalled

According to a number of experts Version2 has spoken to, the vulnerability should have been found earlier, especially because MitID's documentation shows how to exploit it.

- These are completely basic errors, and this must not happen in an ID solution like MitID, says IT consultant Lucas Lundgren to Version2.

Carsten Schürmann, professor of IT security at the IT University of Copenhagen, explains that this and previous revelations indicate that there may be more fundamental problems with MitID's design:

- It is completely incomprehensible why they implement functionality that is so obviously insecure. This indicates that there are problems with their internal requirements and specifications, says the professor to the tech media.

'The citizen can do absolutely nothing'

According to a written reply from the Danish Agency for Digitalisation, the new function is not in itself a problem. But, the agency informs DR Nyheder, "unfortunately, there has been an inappropriate implementation with a single broker". It has now been fixed.

According to the agency, it is up to the brokers to ensure that social security numbers are used securely as a key. Therefore, they are subject to strict security requirements and an extensive annual approval process.

It is not clear from the Digital Agency's response which broker implemented the vulnerability. Niels Flensted-Jensen states that it was not Criipto, but he believes that the possibility of submitting the CPR number places too much responsibility on the service providers, who, unlike the brokers, are not subject to the same strict requirements.

- A service provider with bad intentions, or just an unsafe integration with MitID, can block any Dane's MitID without guesswork or luck. The citizen can do absolutely nothing to protect himself against such an attack.
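The lockout mechanics described in the article, modelled as an added illustration that is not code from MitID, Nets or Criipto: a naive policy that counts every failed request against the user identifier, regardless of who sent it, beside one that attributes failures to the originating relying party and throttles that party instead of locking its users. Thresholds, party names and identifiers are constructed.

```python
from collections import defaultdict

LOCK_THRESHOLD = 3   # failures before a user identifier is locked (constructed value)
PARTY_BUDGET = 10    # failed hint-based requests one party may cause per window (constructed value)


def naive_lockout(events, threshold=LOCK_THRESHOLD):
    """Vulnerable model: every failed request counts against the user
    identifier, no matter which relying party started it. A single party
    that repeats requests for an identifier locks that user out."""
    failures = defaultdict(int)
    locked = set()
    for _party, ident in events:
        failures[ident] += 1
        if failures[ident] >= threshold:
            locked.add(ident)
    return locked


def party_scoped_lockout(events, threshold=LOCK_THRESHOLD, budget=PARTY_BUDGET):
    """Hardened model: a failure is attributed to the (party, user) pair.
    One party counts at most once toward a user's lock, and a party that
    exceeds its own failure budget is throttled while its users stay usable.
    Returns (locked user identifiers, throttled parties)."""
    seen_pairs = set()
    party_failures = defaultdict(int)
    throttled, locked = set(), set()
    for party, ident in events:
        if party in throttled:
            continue                      # request rejected; user untouched
        party_failures[party] += 1
        if party_failures[party] > budget:
            throttled.add(party)          # misbehaving integration is cut off
            continue
        seen_pairs.add((party, ident))
        distinct_parties = sum(1 for p, i in seen_pairs if i == ident)
        if distinct_parties >= threshold:
            locked.add(ident)             # only independent sources can lock a user
    return locked, throttled


def constructed_events():
    """Constructed sample: one relying party fires five hint-based requests
    at each of 20 made-up identifiers (not real CPR numbers)."""
    idents = [f"ID{n:02d}" for n in range(20)]
    return [("party-A", ident) for ident in idents for _ in range(5)]


if __name__ == "__main__":
    print("naive locks:", len(naive_lockout(constructed_events())))      # 20
    print("scoped result:", party_scoped_lockout(constructed_events()))  # (set(), {'party-A'})
```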

DR has also asked the Digital Agency what it wants to say to Danes who, after recent problems, have lost trust in MitID.

- As a citizen, you can safely obtain and use MitID, was the reply.
