A loophole in the security of NemID means that criminals can get access to your bank details, if they are systematic and patient enough.
This has come to light in connection with the investigation of a current case from Jutland, in which an attempt was made to defraud a 38-year-old nurse of 265.000 euros.
DR reports.
In this case the perpetrators managed to get hold of the woman's CPR number, NemID code and key card, without her having written them down or shown them to anyone.
Both the investigator on the case and an IT security expert who has examined the case for DR believe that the scammers used so-called keyloggers to get hold of the CPR number and a NemID code.
With that information, the perpetrators can find out how many keys are left and thus when to lie in wait by the mailbox to intercept a new key card.
A keylogger looks like a USB key. It can save all keystrokes on the computer where it is installed. In several cases of computer fraud in the last few years, fraudsters have installed keyloggers on computers at libraries in order to get hold of, for example, social security numbers, user IDs and codes from the citizens using the computers.
DR has had an IT security expert review the victim's use of NemID. His analysis shows that the scammers used the victim's social security number and a NemID code to follow when she would be sent a new key card, and then intercepted the new key card.
New form of fraud
Anyone who enters a person's social security number and code when logging in with NemID can see how many keys are left on the existing card, and can thus continuously keep an eye on when a new key card will be sent.
In the eastern Jutland case, according to the police investigator, the perpetrators pulled a newly sent NemID key card out of the mailbox before the nurse had checked the mail.
And exactly this method is, according to the police and the IT expert who has examined the victim's use of NemID for DR, a completely new form of fraud.
The IT security expert is Christian Heinel, technical manager for Northern Europe at Cisco, which is one of the world's largest companies in IT networking and IT security.
Christian Heinel calls it a security hole that one can obtain the number of remaining NemID keys on a key card that one does not possess.
– It is a great challenge, because it is actually what makes the perpetrators bother with this, have time for it, and get a win out of it, says Christian Heinel.
When the scammers got hold of the woman's new key card, they managed to use her NemID 35 times in eight hours. Overall, according to police, an attempt was made to defraud a good 265.000 dollars in Sigrid's name, among other things through the purchase of computers and iPhones as well as the taking out of loans in her name.
The perpetrators got away with around 124.000 dollars, while the remaining fraud of around 141.000 dollars was stopped before the perpetrators got hold of the money.
The case is still under investigation, but police have several suspects in their sights.
– We have found a group of people who are suspects in the case. They are scattered around the country and spread out in terms of age, and the further investigation will show whether there will be more, says Jimmy Andreasen, who is a police officer in community policing in Odder under the East Jutland Police, to DR.
NemID is operated by Nets. For more than two weeks, DR has tried to get Nets to talk about the current case, in which identity thieves appear to have found a new way through the security of NemID.
But Nets does not want to answer and instead refers to Race, which is the authority that, along with the banks, buys the NemID solution from Pbs.
At Race, deputy director Adam Lebech will not comment on the specific case. Instead, he says that there are generally many risks associated with digital solutions.
– But, fortunately, very few are subjected to this crime. When it happens to you, it is terrible for the individual. There is no doubt about it, he says.
DR has asked Adam Lebech whether Race will change the fact that one can find out how many keys are left on a key card if one has the CPR number and code for a NemID.
– We are constantly working to look at all the risks there are with NemID and address them, said Adam Lebech.
On the basis of this case, Race has asked Nets for a security assessment of the kind of abuse of NemID to which the nurse has been exposed.
LSIK, which is the police unit whose task is to monitor cybercrime on the web, does not want to comment on the specific case for the time being.