Banks: Even strict security measures may not protect customers from fraud

Banks argue that even the strictest additional security measures may not help reduce scams, as fraudsters are capable of pressuring victims into acting under significant duress.
Arnis Paršovs, a cybersecurity researcher at the University of Tartu, argues in an article for ERR that Smart-ID fraud should not be blamed on victims, but rather on insecure technology and the inaction of banks.
Last year, the company behind the Smart-ID authentication tool introduced a security feature called Smart-ID+, which makes phishing attacks based on phone calls more difficult.
However, Paršovs writes: "Despite this, banks show no urgent interest in adopting Smart-ID+."
Banks have not yet decided whether to adopt the solution. Among the major banks operating in Estonia, only LHV uses a Smart-ID security feature that requires users to check the verification code by selecting the correct one from multiple choices. The bank also notifies clients when their account is accessed from a new device.
Kätlin Kukk, senior specialist in fraud prevention at SEB, said each company takes a different approach to security. However, she said scammers often put so much pressure on victims that nothing could solve the problem.
"It won't bring them [scams] down drastically. Why? Because even now, Smart-ID clearly outlines: You are logging in here, doing this, doing that, confirming PIN2 for a transfer of this amount to that recipient. Very detailed information is there, and yet we are already seeing that people do not read it," said Kukk.

However, banks are discussing introducing a delay period on transactions. Under the law, this option can only be offered on a voluntary basis.
"We have been discussing within the banks whether we should start thinking about introducing extra steps to the transaction process. For example, you could choose for your payments not to go through in ten seconds, as the regulation currently allows, but instead choose for them to be processed two days later," Kukk said.
Kalev Pihl, CEO of SK ID Solutions, the creator of Smart-ID, said that adding a confirmation prompt such as "are you sure you want to make this transaction?" would not be effective.
"A short delay before entering the PIN code would mean that the user simply learns, within a week, to wait before even picking up their phone," he said.
In the coming months, Smart-ID plans to roll out changes to make account creation more secure. But for those who have already fallen victim to fraud and shared their Smart-ID credentials, unfortunately, there is little recourse against the banks.
"If we look at the law, it says that from the bank's perspective, the transaction is considered valid once the person has entered their PIN1 and PIN2 — and that is where the story ends. However, if we look toward the European Union, there is now an agreement under the Payment Services Regulation that gives people the right to file claims against banks if fraudsters impersonate bank employees and use the bank's communication channels to do so," said Kristena Kutti, an attorney at the law firm Triniti.
The change is expected to take effect next year.
Editor: Marko Tooming, Helen Wright








