Estonia freezes resident ID cards due to security flaw

The flaw makes Estonians vulnerable to identity theft.

Estonia's residents use their mandatory national IDs to access pretty much anything, from online banking to online voting. So, it was a huge blow to the program when experts found a security flaw in the chip the ID used that makes it possible for bad players to impersonate and steal the identities of all 760,000 affected individuals. That might not sound like a huge number, but that's half the small country's population. Now, the country has blocked most of its residents from accessing all its online services for a weekend, so it can go in and and fix the vulnerability.

All ID cards issued from October 2014 to October 25th, 2017 will be frozen until their owners apply for updated certificates with the fix. They can do that online, but the online service kept crashing over the past week, leading people to flock to police stations and other government offices to get their IDs updated. For now, only medical professionals and the most frequent users will be able to apply for updated certificates online, but Estonia will open up the system to the public again on Monday.

Reports about the IDs' security flaw started going around in early September, when researchers found the flawed chips. (It was an issue with the manufacturer that affected its other chips and computer systems clients around the globe.) According to the ID program's managing director, though, there are "still no known incidents of an Estonian digital ID card being misused." Even so, officials still decided to suspend residents' cards, since the threat has recently been elevated. Those who were quick enough to authenticate their identities with the Smart-ID app before their certificates were suspended can still use the country's online services. However, they still have to act fast: the government is only giving people until March 2018 to update their certificates.

Prime Minister Jüri Ratas said in a statement:

"The functioning of an e-state is based on trust and the state cannot afford identity theft happening to the owner of an Estonian ID card. As far as we currently know, there has been no instances of e-identity theft, but the threat assessment of the Police and Border Guard Board and the Information System Authority indicates that this threat has become real. By blocking the certificates of the ID cards at risk, the state is ensuring the safety of the ID card."

Update: We updated the article to clarify that the ID program didn't begin in October 2014 and that the flawed chips were the manufacturer's fault.