Advanced Applications of the DigiD – A Question of Safety

UTRECHT – With the announcement by the police that reports of certain online crimes in the Netherlands can now be filed digitally using the DigiD online signature, the digitalization of governmental issues advanced a step further last week. DigiD is the only online authentication method at this moment, but its applications are not completely foolproof.

The site of the police. The DigiD login is now visible while reporting online scams.

The DigiD is a digital passport that everyone with a Dutch ‘burgerservicenummer’ (BSN) can obtain. It consists of a combination of a user name and a password, and it provides access to multiple administrative services of the government. Internationals who live in the Netherlands and who are officially registered at a municipality are also provided with a BSN. This way, internationals are able to acquire the DigiD identification method as well.

Since its launch in 2003, the use of DigiD has grown to over 12 million accounts. It can be used not only to file online police reports, but also, for example, to administer taxes and to enrol at universities. From this summer onwards, the filing of online police reports will not be limited to online crime only: it will also be possible to report other minor offences such as shoplifting or bike theft.

Although the use of the DigiD is visibly growing, its applications are not completely safe. In the case of handing in police reports, victims previously had to go to a police station to provide a written signature for their files. Identification took place at the police station. With the new online procedure, falsifying one’s identity has become easier.

In the roughly ten years that the authentication method has been active, several DigiD data leaks have already occurred, which illustrates the vulnerability of the method. In 2012, for example, it appeared that an advertising agency had acquired the details of thousands of accounts, simply because people logged in with their official data on the site of this agency, called Digi-D. Confusion over the difference between Digi-D and DigiD was the cause. A year later, data interception led to more serious consequences when criminals successfully hacked the activation codes that are needed to activate DigiD accounts. The criminals were consequently able to intercept money transfers.

The question revolves around the safety of the DigiD. Minister Plasterk has recently initiated a pilot of a new authentication method: an electronic ID. This should replace the DigiD in a couple of years and is based on a special card reader that can read out a chip in a physical ID card. This method will be tested this entire year. Afterwards, the idea still has to be approved by the Parliament.

In the meantime, safety issues surrounding the DigiD remain. The username-password authentication method has been made a little safer with an extra security method, which requires a code that is sent to your mobile phone while logging in. The idea is that it is too hard for hackers to get hold of their victim’s cellular account as well. Institutions can increase their safety level by requiring this extra authentication method, but this measure is not obligatory and a lot of logins do not make use of this possibility.

The window where you can change your preferences regarding logging in: with or without text message.

The government is aware of the security issues, but on its information page on secure use of the DigiD, it fails to mention the importance of the multi-factor authentication that protects accounts with the extra text message. On the personal DigiD page, one can choose to always use a double authentication method, even if the institution itself does not require it. Doing so would greatly enhance the safety of individual accounts. In the long term, this might avoid a stream of police reports involving problems with DigiD.

The DigiD login page. The second bullet, ‘I want to log in with an extra check by text message’, is marked. This does not increase safety, since the option without the extra check is also open.
