Monthly Archives: October 2017

MyFitness self-service portal accounts created with weak default passwords

The self-service portal of the biggest Estonian sports club MyFitness has a major flaw, which allows for strangers to easily log in to the accounts and see people personal information. The club already knows the mistake for a month, but it has not been fixed so far.

The test showed that knowing the MyFitness client’s completely public information is possible to sign in to his account if he has not manually changed his password. Namely, the client will be assigned a default password when opening a self-service account, which is very easy to guess even to completely strangers. Another problem is that the client is not forced to change this password after logging in, which means that people will continue to use the unsecure password. Thirdly, the person’s password is sent to them in plain via e-mail, making it easy for it to leak.

Signing in to a person’s account will at least allow to see his contact details, contracts with MyFitness, training preferences, history and schedule.

The username is incremental number and the password is the last name of the account holder. MyFitness was informed about the flaw through CERT-EE already year ago.
This is another example that some flaws get fixed only after they are published in media.

Links:
https://geenius.ee/uudis/myfitnessi-iseteeninduses-laiutab-isikuandmeid-paljastav-ulilihtne-turvaauk-ettevote-pole-kuu-ajaga-seda-parandanud/

Contactless card payment limit rises to 25 EUR

All banks, which issue contactless credit cards in Estonia, starting from October 16 will raise the payment limit from 10 to 25 EUR.

“The ten euro limit established in Estonia initially proved that both consumers and merchants are interested in the new payment method and it is also safe, because only the special equipment for which a contract with the bank is necessary is required to pay the payment,” said Meelis Nurk, chairman of the banking union card working group.

15% of the bank cards used in Estonia are contactless cards. By the end of the year, 80% of payment terminals should support contactless payments; by 2020, all terminals must be able to provide pay-as-you-go payments.

In Estonia the contactless payment cards are issued by Swedbank, SEB Pank, LHV Bank, Krediidipank and Nordea Bank.

Links:
http://kasulik.delfi.ee/news/uudised/viipemakse-limiit-touseb-kumnelt-eurolt-25-euroni?id=79535098

SK Annual Conference 2017

E-identity event SK Annual Conference 2017 will take place on November 2, 2017, Baltic Station old waiting area (Toompuiestee 37, Tallinn).

Agenda:
09:00-09:30 Registration and morning coffee
09:30-10:30 Overview of SK 2017, Kalev Pihl, SK
10:30-11:00 Smart-ID: fast start and future plans, Kaido Irval and Georg Nikolajevski, SK
11:00-11:15 Cofee Break
11:15-11:45 The future of authentication in SEB. When will the code cards disappear? Ragnar Toomla, SEB
11:45-12:15 TBA
12:15-13:00 Lunch
13:00-14:00 Keynote: Pablos Holman
14:00-14:45 Panel discussion, Pablos Holman and Taavi Kotka
14:45-15:00 Cofee Break
15:00-15:30 TBA
15:30-16:00 eID year in retrospect, Anto Veldre, RIA
16:10-16:40 Round of question and answers
16:40-17:00 Summary of the day by digital world enthusiasts
17:00-18:00 Evening snack

Registration till October 20.

Links:
https://www.sk.ee/ettevottest/sk-aastakonverents/aastakonverents-2017

RIA Cyber Security Report 2016

The Estonian version of the report was released already in March.

One interesting piece of information disclosed in the report is the case of targeted attack against the SCADA system used at Viru Keemia Grupp AS. The case was also widely covered in Estonian media.

In 2016, traffic bearing the hallmarks of malware was spotted in the computer network of Viru Keemia Grupp (VKG), an Estonian group of oil shale, power and public utility companies. Software experts found the Mimikatz malware in the VKG office network, used in Windows systems to extract identity credentials (such as passwords, password hashes etc.). [..] Upon further investigation, it was found that a workstation in the SCADA monitoring segment was infected. The workstation was then removed from the network. Network traffic and examples of malware found on computers all pointed to a targeted attack. The malware and control server used have been linked to the APT28 cyber espionage group.

The report also includes RIA position statement on technology backdoors:

From Estonia’s perspective, strong encryption is vital for ensuring trust in the state’s digital services, as all of the e-services provided by the government and many private sector e-services are based on strong encryption (Estonian digital identity). In the longer term, building in backdoors would thus reduce trust in the digital state, but trust is an extremely important value for Estonia. As a result, Estonia has not supported building backdoors into e-services, and the objective and function of RIA continues to be to ensure the high level of trust in Estonian digital identity.

Links:
https://www.ria.ee/en/ria-cyber-security-more-important-than-ever.html
https://www.ria.ee/public/Kuberturvalisus/RIA_CSA_2017.PDF

Use of password cards for online banking will be limited

Modern security requirements will also be applied to online payments, which is why the field of use of password cards will be limited. The bill will also seek to coordinate Estonian laws with the new European Union Payment Services Directive.

In the future, payment service providers must apply so-called strong authentication requirements when identifying a customer. In Estonia, for example, it means ID-card, mobile-ID, as well as different applications and password calculators. To reduce the security risks associated with payments, the use of existing password cards will be limited because they are easily copied. Limitations also apply to those online payments, where a combination of numbers printed on a bank card is used as the only security feature.

The security measures in question are expected to fully enter into force in the first half of 2019. The exact date depends on when the European Commission will approve the relevant implementing regulation.

Links:
http://news.err.ee/612354/government-approves-amendments-to-payment-institutions-act
http://majandus24.postimees.ee/4206571/uue-eelnouga-muutuvad-makseteenused-turvalisemaks