In connection with a security flaw revealed in the chip used in hundreds of thousands of Estonian ID cards, residence permits and e-Residency cards, the Estonian government will prioritize enabling access to important information systems via Mobile-ID and is ready to provide €670,000 toward developing services with Mobile-ID access.
The government has compiled a list of important e-services the work of which would be affected should the ID card security risk be realized as they do not support the SIM card-based Mobile-ID. There are currently 136 such services nationwide, 44 of which were deemed high priority. Most of these services are in the area of government of the Ministry of Social Affairs, including healthcare services.
To prevent potential problems, the government has proposed filing an application for financing the development work and authorizing the Ministry of Finance to disburse €670,000 for developing Mobile-ID support. Of this money, €260,000 would go toward the Ministry of the Interior and €230,000 to the Ministry of Social Affairs.
Services which would become unaccessible for cardholders affected by the security risk should the cards be deactivated include, for instance, population register processing software, the issuing system of digital prescriptions, the activity license register of the Agency of Medicines as well as services of the national gazette Riigi Teataja, which would mean that it would not be possible to publish new laws. The information system of surveillance procedures as well as various medical institutions' systems would likewise be affected.
750,000 ID cards affected
On Aug. 30, an international group of researchers informed the RIA that they had discovered a security risk affecting all ID cards issued in Estonia beginning in Oct. 2014, including ID cards issued to Estonian e-residents. Nearly 750,000 ID cards are affected by the issue.
ID cards issued prior to Oct. 16, 2014 used a different kind of chip and are not affected by the current risk. The security risk likewise do not affect Mobile-ID users.
Security patch to be rolled out in November
In late September, the Information System Authority (RIA) announced that they would be releasing a patch for the security risk in November after a test run in October.
Margus Arm, head of the eID field and work group at RIA, said that the application is currently being tested, and test cards have also been distributed to banks so that they can ensure it is compatible with various e-services.
"The new software will allow people to renew their ID cards' security certificates wtihout leaving home, and if all goes according to plan, the certificate renewal process will begin in November of this year," he said.
ID card security certificates can be renewed remotely from one's home or work computer during a two-month window that will last through the end of December. Cardholders must download the latest version of the ID card software and then follow the on-screen instructions.
From January through the end of March next year, ID card security certificates can only be renewed in person at Police and Border Guard Board (PPA) service points. As of April 2018, all unrenewed security certificates for at-risk ID cards will be voided.
Editor: Aili Vahtla
Source: BNS, ERR