RIA: ID card patch ready, expect errors as thousands update
Following the conclusion of a trial phase for the software, Estonia's Information System Authority (RIA) is recommending that owners of ID cards vulnerable to the security risk discovered in late August begin remotely renewing their cards' certificates.
All ID cards issued after Oct. 16, 2014 that are used electronically must be updated.
ID card holders can enter their document number on the Police and Border Guard Board (PPA) homepage to check whether the certificates of their ID card need to be renewed.
Individuals who do not use their ID card for digital signatures or to access and use e-services using their ID card's PIN1 or PIN2 do not need to update their certificates, as otherwise valid cards can continue to be used as personal identity documents and bonus cards as well as by patients to access digital prescriptions.
How to update
In order to update one's ID card, card holders need a computer and a card reader. Users must download the newest version of the ID card software (available here) and follow the instructions on the screen. Precise instructions and an instructional video for updating the card's certificates are available in English here.
Anyone who is unable to update their ID card on their own computer, or has trouble doing so, can update their certificates at a PPA service point.
The chips of ID cards produced on or after Oct. 26 already use the new software, rendering the update unnecessary. ID cards produced earlier which have not yet been picked up by their owners will be updated by a PPA employee.
Expect delays as thousands try to update
According to RIA Director General Taimar Peterkop, the current remote update solution was developed in a race against the clock and is not perfect. "The technical ability of the remote update application is limited, and nearly 1,000 people at a time can update their cards," he explained, adding that there will definitely be delays caused by overloads, as well as times when it won't be possible to update remotely and users will simply have to try again later.
"Those renewing their ID cards have to take these inconveniences and errors into account, but this is the only solution with which we can minimize the ID card security risk as quickly as possible and continue securely using e-services," Peterkop added. "Following the update, Mac users will have to take browser restrictions into account. For about a month, they will lose the ability to encrypt documents; RIA is in the process of developing a solution to this issue."
According to PPA Director General Elmar Vaher, the most convenient option is for card holders to update their cards on their own computers, but the PPA is prepared to help and advise in person at PPA service points as well. "In order to alleviate the burden, we will extend opening hours by one hour to 6 p.m. at service points in larger cities, and in case of a very large load, we will have our service points open on weekends as well," he said.
800,000 cards vulnerable
A total of 800,000 cards are vulnerable to the detected security risk, 500,000 of which are in active use as digital IDs. According to the police chief, 45,000 cards are in very intensive use.
Police have urged residents who actively use their ID cards as electronic ID to also sign up for the SIM card-based Mobile ID, which is unaffected by the security risk.
For security reasons, Estonia will restrict the electronic use of the ID cards beginning the second week of November. The certificates associated with the cards affected by the security risk will be revoked on April 1 next year, which means that holders of affected cards must apply for a new card if they have not updated their current cards in the meantime.
On Aug. 30, an international group of researchers informed the RIA that they had discovered a security risk affecting all ID cards issued in Estonia beginning in Oct. 2014, including ID cards issued to Estonian e-residents.
ID cards issued prior to Oct. 16, 2014 used a different kind of chip and are not affected by the current risk. The security risk likewise does not affect Mobile-ID users.
Approximately 20,000 card holders have already updated their ID cards.
Editor: Aili Vahtla