Fraudsters using publicly available ID card numbers to commit crimes

Personal identification codes that are easily found on the internet make life easier for criminals whose aim is to steal money from people over the phone. Hiding ID codes would require a political decision.
Millions of euros have been stolen by scammers this year, and earlier this week, it was revealed that criminals had gained access to over 1,000 eesti.ee state service accounts. Thieves can often use publicly available data to help them break the law.
Estonia's online commercial register can be a gold mine for scammers. Data, including names, personal identification codes and telephone numbers, can be found in the repository if a criminal is lucky enough.
With this information, it is possible to start logging into a person's online bank using Smart-ID or Mobile-ID. However, to carry out a full transaction, a PIN code is also required.
Scammers have various ways of obtaining this information, not only from the commercial register. Often, people disclose their personal identification code and PINs during scam calls.
Rain Vosman, head of the criminal bureau of the Police and Border Guard Board's (PPA) Southern Prefecture, said thieves always try to use the internet and publicly available data. This can give them "quite a good picture" of a person they intend to scam.
Data can also be purchased illegally on the black market from hackers, including customer databases.
The less public information, the better
On Thursday, the police said criminals had gained access to an estimated 1,500 eesti.ee state service accounts. They had used electronic identification and fraudulently obtained PIN codes.
Vosman said the aim is to use the data to commit further crimes, to build trust with people and then swindle money from them.
"The criminal already has the personal identification code, and if they also have that person's phone number, then they call and very skillfully manipulate the conversation to the point where the person is ready to disclose their PIN 1. That way, remotely, the criminal gains access to the eesti.ee account, where there is already a very large amount of various sensitive personal data that they can use with regard to that person in the future," he explained.
The police officer said hiding personal identification codes would certainly have an effect, because the less data about a person there is in the public sphere, the harder it is for scammers.
"If my personal identification code or contact details are not circulating anywhere on the internet and I myself have not publicly given them anywhere, then the risk of attacking me is obviously smaller," he added.
Several laws linked to personal identification codes
The European Union's General Data Protection Regulation allows member states to regulate the disclosure of personal identification codes. In Estonia, this has been done through several laws.
Kristi Värk, head of the data protection law department at the Ministry of Justice, said that, in Estonia's case, personal data is often made public for the sake of transparency.
However, in the autumn, the justice ministry issued guidance to other ministries that the rules must be laid down in law.
"Disclosure of personal data is a major interference with fundamental rights, because in such a case, basically, anyone can access that data. A person can thus lose control over their data. In certain cases, this may be justified, but that justification must now be decided by the legislator, that is, the Riigikogu," Värk said.
She could not immediately say if all the current cases in which personal identification codes are publicly disclosed are regulated by law.
"But the general principle we have had in Estonia is that the commercial register is public; it has been that way for several years already," the official said.
The PPA's Rain Vosman pointed out that personal identification codes also become public, for example, when a digital signature is placed on a public document.
Värk said this should be the case because it allows the validity of the digital signature on the document to be verified.
Whether personal identification codes should be hidden should be decided by politicians.
"This would certainly require a public debate and a decision by the legislator. If the legislator decides so, then of course it is possible to make the change," she said.
Everyone is responsible
Anna Õuekallas, head of the electronic identity department at the Information System Authority (RIA), said that everyone involved must take responsibility in combating fraud schemes.
"All providers of e-services should assess the risks of their environments. If there is indeed potential for large financial losses, then they should reassess which eID tools are used and in what form. Likewise, all providers of eID tools should assess whether their service is designed in the best possible way so that it cannot be exploited for payment fraud. There are more parties involved as well. The only thing that helps is if everyone thinks through what they themselves could do to reduce fraud," Õuekallas said on Vikerraadio on Friday morning.
Vosman acknowledged that everyone can certainly do more, but that the most important role lies with the individual.
"The weakest link in this whole chain of scams is indeed the person themselves," he said. "We can make these links as secure as we like on the state side or on the side of telecom companies, but scammers still manipulate the situation so that the person themselves enters their codes in the wrong place, where they actually would never in good faith enter a code."
Editor: Valner Väino, Helen Wright








