Tuesday, September 11th, 2018

Update: BankID Security Hole Patched

A previous post described a security hole used for big-time fraud abusing the Swedish BankID.

The company behind BankID, Finansiell ID-Teknik AB, announces a remedy, available immediately.

The solution is similar to the one WhatsApp Web and others have used for a long time. A QR code is shown on the device where the login request is made, and it has to be scanned by the device doing the authentication.

The solution targets cases where login request and authentication occur on distinct devices. It more or less assumes that authentication is done on a mobile phone. This certainly is a common use case but others exist and are left unaddressed.

The solution is available from Finansiell ID-Teknik, the supplier of BankID technology, but licensees must actively adopt it.

To the extent that licensees embrace the new feature, it reduces the “unlimited remote control” effect. “Unlimited remote control” means that the devices involved in a login may be separated geographically by any distance. With the new feature the two devices have to be close to each other, since the authenticating device must be able to read the screen of the requesting device.
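As an added illustration of the binding described above (example code written for this post, not BankID's actual protocol or any code from Finansiell ID-Teknik), a toy login server that ties an approval to the one-time token carried in the QR code shown on the requesting screen; the class and method names and the 30-second validity window are assumptions. An approval that does not carry the token, as in the unbound flow, is rejected.

```python
import hmac
import secrets
import time

# Constructed toy model of a QR-bound two-device login. The device where the
# login is requested displays a QR code carrying a one-time token; the
# authenticating device must scan it and return the token with its approval.
QR_TTL_SECONDS = 30  # assumed validity window for the displayed QR code


class LoginServer:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # session_id -> [qr_token, created_at, approved_user]

    def start_login(self):
        """Called by the device where the login request is made."""
        session_id = secrets.token_hex(8)
        qr_token = secrets.token_urlsafe(24)  # shown only on that screen
        self._pending[session_id] = [qr_token, self._now(), None]
        return session_id, qr_token  # qr_token is the QR payload

    def approve(self, session_id, user, scanned_token):
        """Called by the authenticating device after scanning the QR code."""
        entry = self._pending.get(session_id)
        if entry is None or entry[2] is not None:
            return False  # unknown session or already approved
        qr_token, created_at, _ = entry
        if self._now() - created_at > QR_TTL_SECONDS:
            del self._pending[session_id]
            return False  # stale QR code, start over
        if not hmac.compare_digest(qr_token, scanned_token or ""):
            return False  # token was not read off this session's screen
        entry[2] = user
        return True

    def is_logged_in(self, session_id, user):
        entry = self._pending.get(session_id)
        return entry is not None and entry[2] == user


def demo():
    srv = LoginServer()
    sid, qr = srv.start_login()
    # Unbound approval (no QR token), as a device anywhere could send it
    unbound_ok = srv.approve(sid, "alice", None)
    # Bound approval carrying the token scanned from the requesting screen
    bound_ok = srv.approve(sid, "alice", qr)
    return unbound_ok, bound_ok, srv.is_logged_in(sid, "alice")
```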
