Engineering journal Ingeniøren reported on Friday that a coding trick can enable hackers to easily identify the usernames of MitID users.
According to an investigation by Ingeniøren, MitID contains several serious design flaws that make it possible to guess the usernames of thousands of users and lock them out of the system for several days at a time.
In some instances, hackers may even be able to log on using victims’ MitID, the investigation concluded.
The MitID digital ID system is gradually replacing NemID as the online ID used in Denmark for access to public service platforms, online banking and shopping online.
An investigation of MitID’s security conducted by Ingeniøren’s sister publication Version2 resulted in 11,000 MitID usernames being correctly guessed in one night by applying what it described as a “simple stump code” (a short snippet of code).
Ingeniøren subsequently spoke to IT security professor Carsten Schürmann of the IT University of Copenhagen, who described the code used in the hack as “unbelievably simple”.
“My students learn this type of attack during the first two to three weeks on my courses,” he said to Ingeniøren.
Another commentator, Jan Kaastrup of the IT security firm CSIS, told the journal he was surprised at how easy the method was.
“I knew this was possible but not how easy it was. I really think MitID has erred and I think your investigation proves that convincingly,” he said. Kaastrup is a former member of Europol’s IT security body, the European Cybercrime Centre.
The Danish Agency for Digitisation (Digitaliseringsstyrelsen) told Ingeniøren that it would investigate the issue. The agency did not comment on the specific findings of the journal’s investigation, but said it has protections in place against the type of attack described.
NemID will be switched off for secure platforms such as banking and public services on October 31st. After that date, only MitID can be used to log on.
Other platforms, like online shopping, will still accept NemID for now. The old system will be fully decommissioned on June 30th, 2023.