– The security of Bank-ID is very bad, and as a researcher I have a duty to inform the public, says cryptologist and security specialist Kristian Gjøsteen to NRK.no.
Gjøsteen also criticizes the government's decision to allow logging in to 270 public services with Bank-ID from 27 November 2012.
He believes the security of Bank-ID is so poor that the technology should never have been used for logging in to services that require a high degree of security.
– As a user, it is relatively easy to protect yourself against fraud when you use Bank-ID only for banking services, but this changes completely when you can use Bank-ID for everything from checking health records to tax returns, says the security expert.
Here is the demonstration video prepared by Gjøsteen:
The attack is set up in a minute. The target used in the example was chosen at random.
The video shows an attack against the Posten website as an example of how the fraud can be carried out.
– I consider myself an amateur, and I spent about a day building this attack against Bank-ID. Competent criminals could do this much faster than me, he says.
The expert recommends the following rules to prevent fraud:
- Never send personal or financial information via e-mail.
- Do not click on links in e-mail; copy the address manually instead.
- Check the sender and the website carefully before providing any information.
- Check whether the address is misspelled or whether its extension is correct (e.g. .com instead of .no).
- Ensure that pages are encrypted.
- Use an e-mail filter, a firewall and antivirus software.