Arnis Paršovs: Banks fail to implement measures against Smart-ID phishing

Smart-ID. Source: Kaupo Meiel/ERR

By Arnis Paršovs, cybersecurity researcher at the University of Tartu.

Over the past six years, Estonians have lost millions to Smart-ID phishing scams. While victims are often blamed for being careless, the real problem lies in the design choices made by banks and the Smart-ID system.

In Estonia, large-scale phishing scams began in 2019, after banks phased out password cards and moved customers to Smart-ID. Impressed by Smart-ID’s cryptography, banks overlooked the fact that it offers weaker resistance to phishing than the password cards it replaced.

While password cards had their own vulnerabilities, scammers calling victims had to explicitly ask them for passwords, something that often raised suspicion even among the least cautious people. With Smart-ID, however, all a scammer needs is to get a victim to confirm a Smart-ID request, which is exactly how the system is intended to be used. And while payments authorized with password cards were subject to a daily limit of a few hundred euros, banks have not introduced any comparable limits for Smart-ID despite its known security issues.

These scams also place a significant burden on law enforcement, which is left to deal with the consequences of weaknesses that banks have chosen not to fix.

The core weakness of Smart-ID

The main security weakness of Smart-ID is that its safety depends entirely on users being able to recognize phishing websites or verify the identity of callers. Most people simply cannot do this reliably. Decades of empirical research show that the average user's ability to identify phishing websites is close to random guessing, and even technically knowledgeable users are frequently fooled by well-crafted phishing pages. Yet this reality is largely ignored when discussing the security of Smart-ID.

Read more: ERR.EE
