07 June 2017

170607 Swedish Digital Identification System BankID from Finansiell ID-Teknik BID AB bypassed on Android

Quote from:

"BankID is the leading electronic identification in Sweden.
Many services are provided where citizens can use their BankID for digital identification as well as signing transactions and documents.
The services vary from online and mobile banking, e-trade to tax declaration and are provided by government, municipality, banks and companies.
BankID is used both for identification as well as signing.
According to Swedish law, and within the European Union, BankID is an advanced signature and a signature made with a BankID is legally binding.
The customer’s identification is guaranteed by the bank issuing the BankID.
Authorities, companies and other organizations must check the validity of the customer’s identity and signature.
BankID is available on smart card, soft certificate as well as mobile phones, iPads and other tablet devices."

Android app:
Google Play:

Quote from:

"I have got a new smartphone. Can I move my Mobilt BankID to it?

No, for security reasons a Mobilt BankID cannot be moved, but if you still have access to your old smartphone you can use it to obtain a new Mobilt BankID.

    Download the BankID security app from Google Play or the App Store to your new smartphone.
    Note that the phone needs to be connected to the internet via either wifi or 3G.
    Log in to the internet bank with your old smartphone and order a new Mobilt BankID under Tillval – BankID.
    Start the BankID security app, create a security code and enter the activation code you received in the internet bank.

We also recommend that you block the Mobilt BankID that was linked to your old smartphone. You do this in the internet bank under Tillval – BankID"

Unfortunately, I discovered a way to copy and restore a Mobilt BankID on a device after a full system restore,
and have it completely functional with all services using it.
There is no longer any need to reauthenticate with the bank and create a new Mobilt BankID, as they say is required for security reasons.
That means the whole authentication system based on Mobilt BankID from Finansiell ID-Teknik BID AB is bypassed.
Tested with Swedbank.

Further escalation would be to test recreating the Mobilt BankID on another device.

I informed Finansiell ID-Teknik BID AB and Swedbank about the critical security flaw which bypasses the leading electronic identification in Sweden.

No technical details are given publicly.
They are given only directly (no phone/email/other internet-based communication) to the implied authorities.