Concerns over Denmark’s MitID security after media finds vulnerability to ‘simple hack’    

IT experts say that the discovery of a hack using “unbelievably simple code” raises concerns over the security of Denmark’s new online digital ID, MitID.

Danish journal Ingeniøren reported that MitID is vulnerable to sabotage. File photo: Liselotte Sabroe/Ritzau Scanpix

Engineering journal Ingeniøren reported on Friday that a coding trick can enable hackers to easily identify the usernames of MitID users.

According to an investigation by Ingeniøren, MitID contains several serious design flaws that make it possible to guess the usernames of thousands of users and lock them out of the system for several days at a time.

In some instances, hackers may even be able to log on using victims’ MitID, the investigation concluded.

The MitID digital ID system is gradually replacing NemID as the online ID used in Denmark for access to public service platforms, online banking and shopping online.


An investigation of MitID’s security conducted by Ingeniøren’s supplement media Version2 resulted in 11,000 MitID usernames being correctly guessed in one night by applying a “simple stump code”.

Ingeniøren subsequently spoke to IT security professor Carsten Schürmann of the IT University of Copenhagen, who said the hack used “unbelievably simple code”.

“My students learn this type of attack during the first two to three weeks on my courses,” he said to Ingeniøren.

Another commenter, Jan Kaastrup of IT security firm CSIS, told the journal he was surprised at the ease of the method.

“I knew this was possible but not how easy it was. I really think MitID has erred and I think your investigation proves that convincingly,” he said. Kaastrup is a former member of the European Cybercrime Centre, Europol’s IT security body.

The Danish Agency for Digitisation (Digitaliseringsstyrelsen) told Ingeniøren that it would investigate the issue. The agency did not comment on the specific findings of the journal’s investigation, but said it has protections in place against the type of attacks described.

NemID will be turned off for secure platforms like banking and public services on October 31st. After this date, only MitID can be used to log on.

Other platforms, like online shopping, will still accept NemID for now. The old system will be fully decommissioned on June 30th, 2023. 



Danish stores and doctors call for digital ID to prevent underage alcohol sales

Stores and doctors in Denmark want politicians to look into the possibility of digital age checks for purchasing alcohol.


Instead of employees bearing responsibility for guessing a customer’s age based on their appearance and then deciding whether to ask for ID, doctors and stores want a digital system to check that the purchaser meets the age limit for buying alcohol.

A range of professional organisations and interest groups for doctors and businesses proposed digital IDs as a requirement to buy alcohol in a joint letter published by newspaper Berlingske.

When an alcoholic beverage – for example, a bottle of vodka – is scanned, checkout staff would automatically be alerted to an ID requirement, under the proposal.

If the customer uses their debit card (Dankort) to pay, a digital system would be able to check with the person’s bank whether they are over 18 years old, and reject the purchase if they are not.

The model would not completely prevent underage purchases because it could be circumvented by using cash or another person’s card.


Nevertheless, the deputy chairperson of De Samvirkende Købmænd, the trade union for store owners, Claus Bøgelund Nielsen, argued the measure would make a worthwhile difference.

“Our belief and hope is that it would make a very big difference,” Nielsen told broadcaster TV2.

No other country has adopted a similar measure at the time of writing.

“This is a vision and a wish we have. There’s no country anywhere in the world that does this at the moment but we think it’s ideal to work in this direction,” Nielsen said.

“And if there’s a will all the way the table for this, we think it should be possible within the foreseeable future to achieve it,” he said.

A digital ID check would likely require a law change and thereby a parliamentary majority. Denmark is currently locked in negotiations to form a new government after elections on November 1st.

Banks, stores and payment service providers would need to work together to implement the measure.