Arnis Paršovs: Banks fail to implement measures against Smart-ID phishing

Over the past six years, Estonians have lost millions to Smart-ID phishing scams. While victims are often blamed for being careless, the real problem lies in the design choices made by banks and the Smart-ID system.
In Estonia, large-scale phishing scams began in 2019, after banks phased out password cards and moved customers to Smart-ID. Impressed by Smart-ID's cryptography, banks overlooked the fact that it offers weaker resistance to phishing than the password cards it replaced.
While password cards had their own vulnerabilities, scammers calling victims had to explicitly ask them for passwords, something that often raised suspicion even among the least cautious people. With Smart-ID, however, all a scammer needs is to get a victim to confirm a Smart-ID request, which is exactly how the system is intended to be used. And while payments authorized with password cards were subject to a daily limit of a few hundred euros, banks have not introduced any comparable limits for Smart-ID despite its known security issues.
These scams also place a significant burden on law enforcement, which is left to deal with the consequences of weaknesses that banks have chosen not to fix.
The core weakness of Smart-ID
The main security weakness of Smart-ID is that its safety depends entirely on users being able to recognize phishing websites or verify the identity of callers. Most people simply cannot do this reliably. Decades of empirical research show that the average user's ability to identify phishing websites is close to random guessing and even technically knowledgeable users are frequently fooled by well-crafted phishing pages. Yet this reality is largely ignored when discussing the security of Smart-ID.
Banks warn customers not to approve Smart-ID requests during suspicious calls, yet their own helplines use the very same method to identify customers. How are users supposed to understand why this is acceptable in one case but not in another? In real life, proving our identity to a stranger does not allow that stranger to impersonate us to a bank, but with Smart-ID, this is exactly what happens.
From the user's perspective, it is unexpected that a solution marketed as providing the highest level of security requires users to assess the identity and trustworthiness of the party requesting authentication. Placing such a burden on the user contradicts basic expectations of what secure authentication should provide.
SK ID Solutions (SK), the creator of Smart-ID, continues to insist that Smart-ID is secure and that the problem lies with users who "use it incorrectly." But if most people are unable to use a digital tool correctly, the flaw lies not with the people but with the tool. Human error is expected and safety must be built into the system. We do not give sharp knives to children and then blame them for cutting themselves. The same must hold true in the digital world.
Banks neglecting anti-phishing measures
In their public communication, banks often place phishing in the same category as scams that do not exploit technological weaknesses, such as investment scams or romance fraud, and act as if they can do nothing more than feel sorry for victims and advise them to "be more careful next time". But this is simply not true.
To begin with, this narrative ignores the fact that every Estonian resident possesses an ID card whose authentication process is immune to phishing attacks. Unlike Smart-ID, an ID-card authentication performed on a phishing website cannot be reused by an attacker to impersonate the user at a bank. Yet no bank advises customers to use ID cards because that would require acknowledging the weaknesses of Smart-ID. It is also worth noting that Swedbank and SEB, which dominate Estonia's retail banking market, are among the owners of SK, giving them an obvious interest in promoting Smart-ID and downplaying concerns about its security.
When banks publicly claim that protecting customers from fraud is very important to them, one should ask why, among major banks in Estonia, only LHV has enabled a Smart-ID security feature that requires users to check the verification code by selecting the correct one from multiple choices. The answer is that other banks consider even minimal security checks an unacceptable inconvenience for customers, which they fear could affect their competitiveness. In essence, by improving its protection against Smart-ID phishing attacks, LHV has placed itself at a competitive disadvantage compared to other banks.
In reality, banks could do far more to proactively detect and prevent fraud. Banks process a vast amount of user data that could be used to identify suspicious online banking activity — logins from new devices or unusual locations, changes to transaction limits, unusual transactions, access from a device located in a different country from the Smart-ID device used, IP reputation and more. Yet there is no public evidence that banks meaningfully apply these fraud-detection heuristics. And why should banks try if the fraud losses are borne by their customers and not by the banks?
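As an added example that is not part of the article, the heuristics listed above (new device, unusual country, browser session and Smart-ID app in different countries, limit changes, unusual amounts, IP reputation) can be run over the session records a bank already holds. The session data, the customer profile, the weights and the decision thresholds are all constructed for the demo; a real deployment would tune them against its own fraud history.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


# Constructed session records (not from the article): one entry per online
# banking login, with the fields a bank's back end would normally have.
@dataclass
class Session:
    customer: str
    ts: str                      # log timestamp, informational only
    device_id: str               # browser/device fingerprint of the session
    ip_country: str              # country of the session's IP address
    smartid_device_country: str  # country of the Smart-ID app that approved it
    ip_reputation: str           # "clean" / "flagged" from a hypothetical feed
    limit_changed: bool          # transaction limit raised during the session
    payments: list               # EUR amounts of payments made in the session


# What the bank already knows about the customer (constructed).
@dataclass
class CustomerProfile:
    known_devices: set
    usual_countries: set
    past_payment_amounts: list


# Weight per heuristic; weights and thresholds are assumptions for the demo.
RISK_WEIGHTS = {
    "new_device": 1,
    "unusual_country": 2,
    "browser_and_app_in_different_countries": 3,
    "bad_ip_reputation": 2,
    "limit_changed": 2,
    "unusual_amount": 2,
}


def score_session(s: Session, profile: CustomerProfile) -> list:
    """Return the list of heuristics that fire for one session."""
    flags = []
    if s.device_id not in profile.known_devices:
        flags.append("new_device")
    if s.ip_country not in profile.usual_countries:
        flags.append("unusual_country")
    # The login is approved on a phone in one country while the browser
    # session comes from another: the article's own example of a signal.
    if s.ip_country != s.smartid_device_country:
        flags.append("browser_and_app_in_different_countries")
    if s.ip_reputation == "flagged":
        flags.append("bad_ip_reputation")
    if s.limit_changed:
        flags.append("limit_changed")
    if s.payments and profile.past_payment_amounts:
        baseline = mean(profile.past_payment_amounts)
        spread = pstdev(profile.past_payment_amounts) or 1.0
        # Anything more than three standard deviations above the customer's
        # usual payment size counts as unusual.
        if max(s.payments) > baseline + 3 * spread:
            flags.append("unusual_amount")
    return flags


def risk_score(flags: list) -> int:
    return sum(RISK_WEIGHTS[f] for f in flags)


def decide(score: int) -> str:
    """Map a score to an action; thresholds are demo assumptions."""
    if score >= 5:
        return "hold_and_verify_out_of_band"
    if score >= 3:
        return "step_up_verification"
    return "allow"


def review(sessions: list, profiles: dict) -> dict:
    """Score every session; keyed by timestamp for the demo."""
    results = {}
    for s in sessions:
        flags = score_session(s, profiles[s.customer])
        results[s.ts] = (flags, decide(risk_score(flags)))
    return results


# Constructed sample input: a normal login, a new-device login that raises
# the limit, and a session showing nearly every signal at once.
PROFILES = {
    "alice": CustomerProfile({"dev-A1"}, {"EE"}, [40.0, 55.0, 60.0, 45.0, 50.0, 70.0]),
}
SAMPLE_SESSIONS = [
    Session("alice", "2025-01-10T09:15", "dev-A1", "EE", "EE", "clean", False, [60.0]),
    Session("alice", "2025-01-11T14:02", "dev-B7", "EE", "EE", "clean", True, []),
    Session("alice", "2025-01-12T20:41", "dev-X9", "NL", "EE", "flagged", True, [4800.0]),
]
DEMO_RESULTS = review(SAMPLE_SESSIONS, PROFILES)

if __name__ == "__main__":
    for ts, (flags, action) in DEMO_RESULTS.items():
        print(ts, action, flags)
```

The point of the second sample session is that a single weak signal (new device) is not enough on its own, but combined with a limit change it should at least trigger a step-up; the third session is the profile of the scam described in the article and would be held before any money leaves.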
By law, banks are not obliged to refund fraudulent payments if they were authorized using the method agreed with the bank. Yet it is the bank's responsibility not to accept insecure authentication methods. Only the bank, not its customers, fully understands the risks of various authentication means and is able to implement the security measures needed to protect customers from fraud.
In June last year, SK introduced the Smart-ID+ security feature, which requires users to initiate the operation themselves by scanning a QR code. This feature makes call-based phishing attacks dramatically harder. Even more importantly, when the Smart-ID+ authentication flow is initiated on the same mobile device that runs the Smart-ID app, the process becomes fully phishing-resistant — matching the security level of ID-card authentication. Despite this, banks show no urgency in enabling Smart-ID+.
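The difference the article draws between a confirm-the-request scheme and the phishing-resistant ID-card or same-device Smart-ID+ flow comes down to whether the approval is bound to the site the user is actually on. The following is an added, simplified model written for this page; it is not SK's or any bank's protocol, and an HMAC over a constructed shared key stands in for the asymmetric signature a real authenticator would produce. The origins are made up. It shows that an unbound approval verifies no matter where the user's browser is, while an origin-bound approval produced on a different site fails verification at the bank.

```python
import hashlib
import hmac
import secrets

# Constructed origins for the demo (not real sites).
BANK_ORIGIN = "https://bank.example"
OTHER_ORIGIN = "https://bank-login.example"   # a look-alike site the user might land on

# Constructed demo key; HMAC stands in for the real signature scheme.
USER_KEY = b"constructed-demo-key-not-a-real-credential"


class Authenticator:
    """Stand-in for the user's signing app or device."""

    def __init__(self, key: bytes):
        self.key = key

    def approve_unbound(self, challenge: bytes) -> bytes:
        # Approval covers only the challenge the service pushed to the device.
        # Nothing in it records which site the user was looking at.
        return hmac.new(self.key, b"approve|" + challenge, hashlib.sha256).digest()

    def approve_bound(self, challenge: bytes, origin_seen: str) -> bytes:
        # Approval covers the challenge *and* the origin the authenticator
        # itself observed (the site the user is really interacting with).
        msg = b"approve|" + challenge + b"|origin=" + origin_seen.encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()


class Bank:
    """Stand-in for the relying party that verifies the approval."""

    def __init__(self, user_key: bytes, origin: str):
        self.user_key = user_key
        self.origin = origin
        self.pending = {}          # session_id -> challenge

    def start_login(self):
        session_id = secrets.token_hex(8)
        challenge = secrets.token_bytes(16)
        self.pending[session_id] = challenge
        return session_id, challenge

    def finish_unbound(self, session_id: str, approval: bytes) -> bool:
        challenge = self.pending.pop(session_id)
        expected = hmac.new(self.user_key, b"approve|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, approval)

    def finish_bound(self, session_id: str, approval: bytes) -> bool:
        challenge = self.pending.pop(session_id)
        # The bank always verifies against its own origin. An approval made
        # while the user was on another origin cannot match this value.
        msg = b"approve|" + challenge + b"|origin=" + self.origin.encode()
        expected = hmac.new(self.user_key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, approval)


def run_login(origin_user_was_on: str, bound: bool) -> bool:
    """Return whether the bank accepts the login.

    origin_user_was_on is the site the user's browser is actually on when
    the approval is made. If it is not the bank, the approval reaches the
    bank through a session the user did not open themselves.
    """
    bank = Bank(USER_KEY, BANK_ORIGIN)
    app = Authenticator(USER_KEY)
    session_id, challenge = bank.start_login()   # a session opened at the bank
    if bound:
        approval = app.approve_bound(challenge, origin_user_was_on)
        return bank.finish_bound(session_id, approval)
    approval = app.approve_unbound(challenge)     # origin plays no role here
    return bank.finish_unbound(session_id, approval)


if __name__ == "__main__":
    for bound in (False, True):
        for origin in (BANK_ORIGIN, OTHER_ORIGIN):
            print(f"bound={bound!s:5} user_on={origin:28} accepted={run_login(origin, bound)}")
```

The property that matters is in `finish_bound`: the verifier never trusts a claimed origin from the client, it recomputes over its own origin, so the user's honest answer to "which site am I on" is what decides the outcome. That is why the article can say the same-device flow needs no judgement from the user about who is calling.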
One might ask why SK allows banks to use Smart-ID without enforcing stronger security. The reason is simple: SK's paying customers are banks and other service providers, not Smart-ID users. This creates a clear incentive to prioritize convenience and adoption over safeguards that would protect people from fraud, and users themselves are not given the option to enable stronger security even if they want it.
In essence, the rapid success of Smart-ID has been built in large part on the suffering of phishing victims who have borne the cost of a security model that prioritizes convenience over protection. Convenient payment methods certainly have their place, but it is the bank's responsibility to take the corresponding technology risks into account and enforce safeguards — just as they do with contactless payments, which are limited to €50 per transaction.
Banks' responsibility for the safety of their services
When discussing liability, banks insist that victims must bear full responsibility for confirming fraudulent Smart-ID PIN2 payment requests. However, this ignores the fact that the security breach occurs earlier, when the bank grants a scammer access to the victim's online banking account. That access enables the scammer to place a fraudulent Smart-ID PIN2 payment request on the victim's device in the first place.
From the customer's perspective, confirming such requests is entirely reasonable, as customers correctly assume that only they themselves or an authorized representative of the bank could have initiated them. Customers have every right to expect that banks use sufficiently secure systems in which third parties cannot gain access to their online banking accounts or initiate operations on their behalf.
The problem does not end with the lack of phishing resistance in the Smart-ID authentication process. Scammers have recently begun exploiting weaknesses in the Smart-ID issuance process itself. Responsibility for ensuring that electronic identification means are delivered only to their rightful holders rests primarily with the Smart-ID provider, SK.
At the same time, banks must recognize that authentication tools issued without physical identity verification inherently offer weaker security, and this must be factored into banks' risk assessments and safeguards.
Given that bank customers cannot influence the security of the bank's systems or the authentication means used by their bank, victims of Smart-ID phishing scams should stop blaming themselves and instead seek compensation from their bank. A bank's civil liability may arise not only from unlawful actions but also from breaching its general obligation to ensure the safety and reliability of its services.
As the examples above show, banks have engaged in systematic negligence by failing to use available measures to prevent Smart-ID phishing attacks or to limit their impact.
To summarize, solving this problem requires acknowledging that the cause of successful Smart-ID phishing scams lies not with people but with insecure technology, and placing responsibility where it belongs.
Banks are highly effective at managing risks for which they bear liability, and since they are also best positioned to mitigate these technological risks, holding banks responsible is fully justified. This can be achieved either through legislative clarification or through established court practice that obliges banks to bear responsibility for the security of their solutions and to compensate for losses caused by Smart-ID phishing scams.
--
Editor: Marcus Turovski
