They were clicked hundreds of thousands of times every day, to apply for a new license, adjust a tax rate, or check health insurance reimbursements. Some of the login buttons of FranceConnect, the State's online identification tool, were inaccessible this Thursday, September 1, L’Express found. The cause: numerous hacks identified this summer, which pushed the platform to raise its level of security. The interface should gradually give way to more secure methods.
Used by 39 million people and the result of the government’s preference for French technologies rather than those of GAFAM, these buttons make it possible to connect to many online public services by entering a single set of credentials: at the user's choice, those of Health Insurance, Taxes, or La Poste, among others. But this method has a major flaw: if hackers copy the appearance of the site, they can steal these credentials, typed in good faith, and take advantage of this access to carry out embezzlement.
Contacted by L’Express, the Interministerial Digital Department (DINUM), which is behind FranceConnect, explains that “malicious individuals contact users to extort their Ameli or impots.gouv.fr usernames and passwords”. “During the summer, an intensification of these frauds was noted with a few hundred reports per month”, continues the DINUM. In some cases, hackers have used these credentials to access funding, such as that of My Training Account.
To reduce the risks, the organization, which is attached to Matignon, has thus undertaken “a gradual switch” from FranceConnect towards “more secure identification services” for “the most sensitive procedures, and in particular those allowing access to financial payments”. Is this the end, then, of the simple button followed by a password? “More restrictive”, the new version should resemble the tools our fellow citizens now know well for accessing their bank accounts.
A vague description, which suggests a system of “double authentication”. This method requires authorizing the connection with another device, most often a smartphone. Many banks, as well as social networks and online services, use this security measure. If a hacker steals your credentials, he could be exposed by the login request sent to your smartphone, which you will be able to block. Other security measures are also mentioned by the government, “without further details to avoid giving the means to scammers to circumvent them”.
The fact remains that, to protect your access to digital public services as well as to other online tools, a few simple habits are essential. “Neither FranceConnect, nor Ameli, nor the Directorate General of Public Finances, nor My Training Account contact citizens to ask them to communicate identifiers or passwords, and it is therefore advisable never to respond to these requests, whether they occur by telephone, by SMS, or by e-mail”, the government reminds.