The practice of high street banks issuing replacement PIN numbers for use in conjunction with the Estonian ID card is to come to an end. From the end of February, replacement PIN numbers can only be obtained at Police and Border Guard Board (PPA) stations.
The ID Card system uses two PIN numbers of four and five digits, used for digitally signing documents and securely engaging with the state in a variety of ways, including online voting.
The numbers, printed on paper and issued with any new ID Card, often get mislaid, causing people to seek replacements, something which happens an estimated 4,000 times per month, it is reported.
Change of ID Card supplier
Whereas banks including SEB and Swedbank had issued these replacement PINs in the past, this will no longer be the case after the end of February.
The reason given is the change in producer of the Estonian ID card, which had formerly been Dutch firm Gemalto.
"If people do not regularly use e-services and their digital signature, they sometimes forget their PIN codes," said Eliisa Sau, PPA identity and status bureau chief expert.
"Unfortunately, the envelope containing PIN codes is not always retained with care; sometimes it is simply thrown away. It would be sensible to keep PIN codes in a safe place, separately from one's ID card, so that the codes can be double checked if needed [in addition to avoiding fraud-ed.]"
The PPA terminated the contract with Gemalto and has been issuing new ID cards since the start of December, made by French firm Idemia.
Critical time to have ID PINs in order
The coinciding of three important events only serves to make PIN code best practice even more important. First, tax returns season is almost here, beginning in mid-February. Second, the general election on 3 March will see many choosing to vote online. Third, the high street banks have now entirely phased out the use of pass code cards for online banking.
Naturally any of these situations is a bad time for a user to discover they no longer have their ID Card PIN numbers to hand.
"People often discover they have lost their PIN codes when they are in the middle of a specific digital operation," Ms Sau said.
"It is also advisable to have an alternative option for digital authentication on hand, for instance, Mobile-ID," she added.
Instead of using a pass code card, users wanting to access online banking can choose either the Mobile-ID mentioned (which involves having a special SIM card issued by the telecoms provider), or their ID card using a card reader and the two PIN numbers.
In fact, the ending of the pass code option is the very reason the PPA have extended the issuing of ID PIN numbers from the banks to the end of February, to smooth the transition.
A third option for online banking is the SMART ID app. This is downloaded from an app store and allows online authentication for banking purposes.
SMART ID PIN codes a separate thing
Note that SMART ID also requires two PIN codes, of four and five digits, but that these are distinct from the ID Card numbers. Fortunately users can choose their own PINs when setting up SMART ID, but they must authenticate themselves when they first do so. To complete the circle, this authentication can be done via the ID Card login or Mobile-ID outlined above. Another option is to present in person at a branch and authenticate that way.
Gemalto filed a counter action against the PPA in October 2018 after the latter's own action filed in September. The principal issue concerned a security flaw in the physical card, which, it is alleged, could be compromised as a result of private keys being generated off-chip. The PPA had been seeking damages and compensation to the tune of €152 million from Gemalto.
Editor: Andrew Whyte