Denmark’s MitID secured after discovery of security weakness
A flaw that allowed hackers to lock users out of Denmark’s secure digital ID, MitID, has now been fixed, digital authorities say.
An update resulted in a weakness that could let hackers block users out of their own MitID accounts if the hacker knew the user’s personal registration or CPR number. The flaw has now been fixed, making the system secure, broadcaster DR reports.
The update, added to the system by Nets, the secure online payment system used in Denmark, resulted in a weakness that could allow hackers to send a log-in request by adding a CPR number to a browser URL, DR writes.
If repeated requests are sent without the user actually logging in, they can be frozen out of their digital ID, meaning they are unable to access public service platforms, online banking and secure payments.
The issue was identified and fixed by IT security staff last week, according to DR.
The Danish Agency for Digitisation (Digitaliseringsstyrelsen) told DR in a written comment that there was “regrettably an unintended implementation with an individual broker”. The issue has now been fixed, it said.
The issue follows an earlier problem with MitID identified by engineering journal Ingeniøren, which reported last month that a coding trick could enable hackers to easily identify the usernames of MitID users.
The Agency for Digitisation told DR users who have lost confidence in the system’s security can “confidently obtain and use MitID”.
The MitID digital ID system is gradually replacing NemID as the online ID used in Denmark for access to public service platforms, online banking and shopping online.
NemID will be turned off for secure platforms like banking and public services on October 31st. After this date, only MitID can be used to log on.
Other platforms, like online shopping, will still accept NemID for now. The old system will be fully decommissioned on June 30th, 2023.
READ ALSO: Concerns over Denmark’s MitID security after media finds vulnerability to ‘simple hack’
Comments
See Also
An update resulted in a weakness that could let hackers block users out of their own MitID accounts if the hacker knew the user’s personal registration or CPR number. The flaw has now been fixed, making the system secure, broadcaster DR reports.
The update, added to the system by Nets, the secure online payment system used in Denmark, resulted in a weakness that could allow hackers to send a log-in request by adding a CPR number to a browser URL, DR writes.
If repeated requests are sent without the user actually logging in, they can be frozen out of their digital ID, meaning they are unable to access public service platforms, online banking and secure payments.
The issue was identified and fixed by IT security staff last week, according to DR.
The Danish Agency for Digitisation (Digitaliseringsstyrelsen) told DR in a written comment that there was “regrettably an unintended implementation with an individual broker”. The issue has now been fixed, it said.
The issue follows an earlier problem with MitID identified by engineering journal Ingeniøren, which reported last month that a coding trick could enable hackers to easily identify the usernames of MitID users.
The Agency for Digitisation told DR users who have lost confidence in the system’s security can “confidently obtain and use MitID”.
The MitID digital ID system is gradually replacing NemID as the online ID used in Denmark for access to public service platforms, online banking and shopping online.
NemID will be turned off for secure platforms like banking and public services on October 31st. After this date, only MitID can be used to log on.
Other platforms, like online shopping, will still accept NemID for now. The old system will be fully decommissioned on June 30th, 2023.
READ ALSO: Concerns over Denmark’s MitID security after media finds vulnerability to ‘simple hack’
Join the conversation in our comments section below. Share your own views and experience and if you have a question or suggestion for our journalists then email us at [email protected].
Please keep comments civil, constructive and on topic – and make sure to read our terms of use before getting involved.
Please log in here to leave a comment.