Tuesday, September 11th, 2018

The Gaping Security Hole in Swedish BankID

Swedish BankID, a digital authentication and signature framework, is a huge success. Even with Sweden's small population (about 10 million), the number of authentications runs into billions annually.

However, unfavourable publicity recently hit BankID. A number of very public big-time fraud convictions broke through the wall of silence that banks traditionally build around their security. All of a sudden, customers of banks and financial institutions were flooded with advice on how to handle their BankID in order to protect themselves.

Can BankID really be broken? A “yes” seems obvious, but, well, not exactly.

BankID is a joint venture initiated some 15 years ago by otherwise competing banks. Early on it was also adopted by public sector services, like the Swedish Tax Agency (the IRS counterpart). Today, in addition to e-banking, BankID is the key to an enormous selection of automated Internet services to the Swedish general public. It has simply permeated Internet authentication in Sweden.

Like any state-of-the-art security solution, BankID relies on strong cryptography. There are elements of security by obscurity in BankID (its inner workings are not publicly documented), but that is not the issue here. The heart of the technology, the cryptography, still holds.

The weak spot is a convenience feature that baffled me, a computing professional, from the very start. An authentication session may start on, for instance, a desktop computer. You request to be admitted to, say, your bank account by entering your personal id number on a login page. (Every Swedish resident has a personal identity number consisting of the date of birth followed by four digits: a three-digit serial number and a check digit. It is not a secret; it appears on invoices, membership records and countless other documents, so anyone can type yours into a login page.)

The surprising feature is that you may choose to authenticate on a different device from the one you are logging in on. That other device may be your mobile phone, which is very convenient.

It works like a remote garage door opener. The difference is the range: the garage door has to be close to its remote control. Not so with BankID. The original login request and the authentication may occur at any geographical distance from each other. It is remote control carried to the extreme. The only closeness required is temporal: there is a window of a few minutes between the login request and the authentication, and nothing else ties the approval on the phone to the device, or the person, that started the login.

So when you get a call from your bank alerting you to suspicious activity in your account, of course you get upset. And when they go on to ask you to authenticate with BankID, you are eager to help. What actually happens is that the caller, who impersonates bank staff, has already started a login with your personal id number; the prompt on your phone is that login, and by approving it you use your remote control to open your account to the crooks. In minutes your savings are swept away, bouncing through intermediate accounts and landing somewhere in the dark.
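As an added illustration (not code from this post or from BankID), the following Python simulation models the decoupled login described above: a session is started on one device with nothing but a personal id number, and a phone app approves it within a time window. The `vishing_attack` function replays the phone-call fraud: an attacker starts the login, the victim approves what their app shows. The `bind=True` mode is an assumed, generic hardening added for contrast only (the approving app must capture a one-time token from the screen that started the login); it is not a description of how BankID is implemented. All names, identifiers and the personal number are constructed.

```python
import secrets

# Everything below is constructed for the simulation; it is not BankID's
# protocol, message format or data.
WINDOW_SECONDS = 180           # the "window of a few minutes" the post describes
VICTIM_PNR = "19850412-1234"   # constructed personal id number (not a real person)
T0 = 1_000_000.0               # constructed clock origin, in seconds


class DecoupledAuth:
    """Relying-party side of a login that starts on one device and is
    approved on another.

    bind=False: the only link between the login page and the approving app
    is the personal id number plus the time window (the post's weak spot).
    bind=True: the initiating screen also shows a one-time start token that
    the app must capture (e.g. by scanning it), so approval requires being
    in front of the screen where the login was started. This binding is an
    assumed generic hardening for contrast, not a description of BankID.
    """

    def __init__(self, bind: bool):
        self.bind = bind
        self.orders = {}   # order_id -> {"pnr", "token", "created", "status"}

    def start(self, pnr: str, now: float):
        """Called by the login page. Returns (order_id, start_token);
        start_token is None in the unbound mode."""
        order_id = secrets.token_hex(8)
        token = secrets.token_hex(16) if self.bind else None
        self.orders[order_id] = {"pnr": pnr, "token": token,
                                 "created": now, "status": "pending"}
        return order_id, token

    def pending_for(self, pnr: str):
        """Unbound mode only: the app asks 'anything waiting for this personal
        number?' That question is exactly what a remote attacker can trigger."""
        assert not self.bind, "bound mode never lists orders by personal number"
        return [oid for oid, o in self.orders.items()
                if o["pnr"] == pnr and o["status"] == "pending"]

    def _approve(self, order, pnr: str, now: float) -> bool:
        if order["status"] != "pending" or order["pnr"] != pnr:
            return False
        if now - order["created"] > WINDOW_SECONDS:
            order["status"] = "expired"
            return False
        order["status"] = "complete"
        return True

    def approve(self, order_id: str, pnr: str, now: float) -> bool:
        """Unbound mode: approve an order the app found by personal number."""
        order = self.orders.get(order_id)
        return order is not None and self._approve(order, pnr, now)

    def approve_scanned(self, token: str, pnr: str, now: float) -> bool:
        """Bound mode: approve the order whose start token the app captured."""
        for order in self.orders.values():
            if order["token"] is not None and secrets.compare_digest(order["token"], token):
                return self._approve(order, pnr, now)
        return False

    def status(self, order_id: str) -> str:
        return self.orders[order_id]["status"]


def victim_opens_app(svc: DecoupledAuth, screens_in_front_of_victim, now: float):
    """The victim, eager to help 'the bank', approves whatever the app offers.
    In bound mode the app can only act on a token from a screen the victim
    can physically see."""
    if svc.bind:
        for token in screens_in_front_of_victim:
            svc.approve_scanned(token, VICTIM_PNR, now)
    else:
        for order_id in svc.pending_for(VICTIM_PNR):
            svc.approve(order_id, VICTIM_PNR, now)


def vishing_attack(bind: bool) -> str:
    """Attacker, far away, starts a login with the victim's (non-secret)
    personal id number, then phones the victim posing as the bank.
    Returns the final status of the attacker's order."""
    svc = DecoupledAuth(bind)
    attacker_order, _attacker_screen = svc.start(VICTIM_PNR, T0)
    # The victim never started a login, so no login screen is in front of them;
    # the attacker's screen is in another city.
    victim_opens_app(svc, screens_in_front_of_victim=[], now=T0 + 60)
    return svc.status(attacker_order)


def legitimate_login(bind: bool) -> str:
    """The victim logs in on their own desktop and approves on their phone."""
    svc = DecoupledAuth(bind)
    order, screen = svc.start(VICTIM_PNR, T0)
    victim_opens_app(svc, [screen] if screen else [], now=T0 + 30)
    return svc.status(order)


def late_approval(bind: bool) -> str:
    """Approval after the window is refused in both modes."""
    svc = DecoupledAuth(bind)
    order, screen = svc.start(VICTIM_PNR, T0)
    victim_opens_app(svc, [screen] if screen else [], now=T0 + WINDOW_SECONDS + 1)
    return svc.status(order)


if __name__ == "__main__":
    for bind in (False, True):
        mode = "bound to initiating screen" if bind else "linked by personal number only"
        print(f"{mode}: attack -> {vishing_attack(bind)}, "
              f"legitimate -> {legitimate_login(bind)}, late -> {late_approval(bind)}")
```

The point the simulation makes is that in the unbound mode the server cannot tell the victim's own login from the attacker's: both carry the same personal number and both arrive inside the window, so the time limit alone is no defence against a caller who has the victim on the line. Whatever closes the gap has to put something into the approval step that a remote attacker cannot supply; the scanned start token is one assumed way to do that.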

The moral of the story is that, given a choice between security and convenience, convenience wins at the expense of security, every time.
