Let’s talk about digital identity with Roberth Lundin, Senior Security Consultant at Knowit.

In episode 76, Roberth Lundin, Senior Security Consultant at Knowit, discusses identification services in Sweden alongside smart cards: what identification services are available in Sweden, why someone should have a BankID or Freja e-ID, what smart cards are and what is interesting about them.

[Transcript below]

“But if you take a smart card, for example, well, you can’t copy a smart card. That’s very important.”

Roberth Lundin is Senior Security Consultant at Knowit.

For the last few years he has been working with Bankgirot as an IT security specialist, where one of his most important duties is to coordinate all security audits using a risk-based approach; he has also worked with SOC/SIEM systems and identity governance and administration (IGA). In his vast experience he has seen and contributed to the evolution of eIDs in Sweden, including smart cards.

Connect with Roberth on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!


Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Come to meet us in person. Ubisecure are attending Security Leadership Belgium on October the 5th and 6th in Brussels. Come and meet us to find out how Ubisecure can help with your business challenges in cyber security and CIAM. To find out more, take a look at the Ubisecure events page, www.ubisecure.com/events. See you in Brussels.

Oscar Santolalla: Thank you for joining a new episode of Let’s Talk About Digital Identity. I was thinking, personally, I have been using for accessing many online services, I use many authentication methods, identification services that we have been discussing in this podcast, three years. But one that I have not used is a smart cards. For instance, even though hereby being a citizen of Finland, I have one, but I have not used it before. So that’s one of the things we’re going to discuss today, how to use a smart card for identification. And also, what are the other identification services in Europe and especially from Sweden that is from where our guest today is coming.

Our guest today is Roberth Lundin. He is a Senior Security Consultant at Knowit. For the last years, he has been working with Bankgirot as an IT Security Specialist, in which one of his most important duties is to coordinate all security audits using a risk-based approach. He also works with SOC/SIEM systems, Identity Governance and Administration, IGA. Among all the roles in his vast experience, he has seen and contributed to the evolution of eIDs in Sweden, including smart cards.

Hello, Roberth.

Roberth Lundin: Hello.

Oscar: OK, Roberth. So, let’s talk about data identity. But first of course, we want to hear a bit more about yourself. So please, you can tell us, yeah, your journey to this world of the that identity.

Roberth: I started in 1989 at a company named Bull. The first project I got was to finish a secure login and file transfer tool for UNIX, which use smart cards, high security smart cards, actually. Then I have been working for the next 20 years at Bull, Integris, Steria with personalisation systems for smart cards, issue system for electronic IDs and so on.

2009, I started work at Cybercom, which is now named Knowit. 2014, I started the first signing service using DIGGs framework, which I still work with part-time and been working for since 2015 to 2018 with electronic medical certificate and signing of them as a security specialist. And then for 2019, I worked at Bankgirot to secure their operations. That’s my background basically, very shortly.

Oscar: Fantastic. We’re going to talk about smart cards and also the eIDs in Sweden and Europe. But first, I know something interesting is to think of in a broader aspect all the authentication methods and ways of verifying identities. So how can we trust one digital identity among all of the available ones?

Roberth: That’s a very good question. The Europe, basically, the authorities in Europe and everybody else is divided it into four levels. First level, it’s basically Facebook or something like, it’s an ID and password, and you have no control of your background, you basically check your email. Level two, you need to supply some kind of official registry, for example, in Sweden is the Tax Department’s register for example.

Level three is the level which the authority use in Sweden. And here you have one – added one feature. That’s when you get them digitally, you need to have a check with a physical ID card that you are the correct person in some way. And level four, which is basically only smart cards. This is the high security. And there you have also you need both at applying and picking up your electronic identity, you need to do physical ID check. For example, in Sweden, the Tax Department’s smart card you can buy. It’s both an ID card and an electronic ID card.

So basically, you need to put your digital identities in these four categories and base your trust on that. So, if you want to really secure, you will take level three and level four. So, Facebook, can you trust it? No, mm-mm. No. You have to be very careful because somebody can spoof the system very easily.

Oscar: Interesting to see that smart cards is at the top. Of course, you said at the top, the level three and four are the ones that are mostly recommended to be used. And I was thinking why smart card sit at the very top. It might be because of how the identity is stored. What can you say about that, so when trusting a digital identity secure in that storage?

Roberth: Yeah, that’s the difficult part because I have been working with, I mean, for 33 years now, basically how to store your keys, which you use for your electronic identity. Because machines, for example, where do we store the key which use the certificate, for example, is a web service certificate, it’s usually in the file system. It’s not very safely stored. And then you need to protect the whole system very, very hard. And that can be very tricky if you’re not very good at it.

But if you take a smart card, for example, well, you can’t copy a smart card. That’s very important. A phone, for example, you can make a copy of it, of a mobile phone. Most of them you can actually also break into if you’re very, very skilled, and have a lot of resources. And to smart card, you can’t, because its costs are enormous. It’s theoretically possible. Nobody has done it but if you have a very, very, very specialised equipment, which costs a lot of money, and there is not that many of them in the world, it’s theoretically, you can break one smart card. Is it cost effective? No, it’s not.

Basically, smartcards is the safest way can do it. Phones, it’s – as long as you have control over your phone, or don’t install a lot of apps on it, it should be OK. But same for a computer. And that means you need to don’t click on links, and so on. Make sure you have your antivirus and so on. You have a reasonably safe, so you can protect your keys, which is important for your electronic identities.

Take for example, I have the bank ID both mobile and card for Handelsbanken, which one is most safe of these two? Of course, the card. And certain operations in Handelsbanken, you can only do it by card and not by mobile phone. Interesting fact.

Oscar: Yes, I was not aware of that, actually. Yeah. Somehow it surprises me because smart cards are not on our – many people’s minds. So yeah, as you said, it’s the most secure of all of them. So, what makes it more secure than a mobile phone or any other device?

Roberth: It’s because it’s one chip. What they have done is from the beginning, they put everything on one chip. So, in the chip, you have CPU, ROM, RAM, you have a communication channel, and you have security systems on it. That means if you want to break into it, you need basically, you need to go inside the chip. And that’s very difficult. Your smart card you have in your pocket, in your wallet, normally. These two facts is why it’s safe.

If you take your mobile phone, it’s stored in a special area in operating system on the phone. That’s not as safe because it’s possible break into these areas in the phone, by having the right privileges in the system. And another fact is that take for example, a smart card. The smart card takes – I talked with a guy who did the software for the electronic identity application on the smart card, and they spent 18 man-years just in validating it’s safe, 18 man-years, certify that this software is safe. You don’t do that with a phone software, because the same software is used for national identity cards. And they must be safe because the state is issuing them, they want them to be safe.

Oscar: Well, quite impressing indeed. Yeah, focusing first of all in Sweden, what are the other identification services available in Sweden right now?

Roberth: It’s a difficult question to answer because every authority needs to procure an identification services from suppliers like Knowit, CGI and so on, which they use as – to help them to log on to their web pages. So, all authorities, all the local municipalities, for examples have these a log on services. So, for example, I used Ellevio, EON and Fastum for examples to pay my bills and was using the same identification services together with mobile bank ID.

So, you don’t you don’t see these services because you go to the web page and say, “I want to use my mobile bank ID,” for example. And here, you have to have a services which is invisible, basically, which helps you log on.

Oscar: Yeah, indeed. But if we will narrow down to the methods, these are like bank ID, smart cards, so what on others are available in Sweden?

Roberth: Yeah. I mean, if you think for as a private persons, you have the biggest is mobile bank ID, Freja eID Plus is contender, you had the Telia for a number of years, which is not very large. If you look at the health care for example, you have the SITHS card, which has 700,000 or 800,000 users, the same the authorities has their own card which you can use to log on to the PC, for example. So, there are a lot of this going on.

Oscar: What most of the users, I mean for the majority of people, what are the main eID for the people should be using?

Roberth: If you’re looking at look at it from my perspective, mobile bank ID has – its dominating, totally. I mean, it has 90 something basically, that everybody else is so small in comparison, I hope the Freja can be a contender. But they need to step up basically. In Sweden, everybody’s using mobile bank ID. And if they don’t using it, well, they will not get as good services from authorities or private companies.

Oscar: Yeah, so its methods are requirements for many services, right, to government, and also from some private services.

Roberth: Yeah.

Oscar: Tell us now more about smart cards. So how it started and why they are smart cards? I mean they are not only for identity, correct?

Roberth: I started to work with smart cards in 1989. And the first smart cards which were made was made in 1982. And they basically function the same way. Yes, it have upgraded the storage on it, instead of EEPROM, which you can only write once. You have EEROM, you can rewrite at certain memory cells. And you have standardised the cards very, very hard.

So, the standard ISO, standard 7816, 7816, it’s very, very good standard. I mean, it’s a very old standard, basically. And every national ID card you see is using it for example, SITHS card for the health care is using it and the bank ID on card is using it. It’s the same specification in the chip and how it’s handled. So, I have been using for 33 years already.

Oscar: Yeah, quite long. And yeah, you said that the first of these smart cards started in 1982. Yeah, it’s like 40 years already. Yeah. It doesn’t feel, I don’t know, in Finland it’s not very popular. I don’t know if it’s more successful in other countries.

Roberth: Yeah, that has been a problem, because that’s why everybody’s still mobile bank ID type of applications because everybody has a phone. But smart cards you need a card reader. And a couple of years ago, a lot of the PCs had card readers implemented, but nowadays, started removing them, which I think is bad. Because smartcards is a European thing. And the manufacturers is not European basically.

But in Europe, definitely, smart card is here now, it’s going to be something for the future. Because if you look at it, if you want the highest security, you’re going to use a smart card. So certain EU services, you need to have a smart card already today. Or else you can’t use the services.

Oscar: Yeah. So, you said that the laptops most recent they are stopping shipping laptops with a with a reader, integrated reader.

Roberth: Yeah, because it has been a trend to remove all the ports on these – in mobile PC.

Oscar: Not only the smart card, yes.

Roberth: No, it’s everything, basically. So, you can be lucky if you have one or two USB ports.

Oscar: Yeah, exactly. It’s very rare. Now it’s typically it’s one I think in many laptops today.

Roberth: Yeah, and that’s a problem because then you need an accessory instead. I think is very bad idea.

Oscar: Yeah, but they’re still I mean, if you – you can still today find a laptop that comes with a smart card reader.

Roberth: Yeah, you can do that. Because in Sweden and the rest of Europe, a lot of authorities require it. They don’t buy them else. So, they need some models will have them.

Oscar: I think it’s super clear now that you mentioned the security aspect is what makes a smart card good reason to stay and to take it seriously. Anything else related to smart cards that you can tell us?

Roberth: As I say, in Europe, because you want to have a safe identification methods. I know the Germans for example, say liked the idea of using a smart card to sign the documents you are sending to the authorities, because a smart card with level four trust level, it’s very, very, very hard to fake it. And you have documents – you can see who signed it, you can’t deny it that you signed it, because you’ll have – at the same time where you get to smart card, you have the duty to report it if you lose it. If you have not lose it, you haven’t, then you can’t deny it, it was you who did it.

Then it’s going – I mean you still have a person which stands there – I don’t know the English word for it Målvakt (Goalkeeper) in Swedish. It’s basically, nobody, which takes all the blame. You need to show that you own the company. And then you can’t put somebody dummy in between yourself. It’s very difficult when you have – must personally sign the documents, or else you get the traceability which is very, very difficult to break.

Oscar: Yeah, exactly. In that perspective actually, if you just think of your own ID even if it’s not a smart card, so an ID is something that you would not leave it behind, right? You know where it is. And as you said, if you lose that one, you would report it, get a new one. So, with a bigger reason smart card.

Roberth: Yeah, I mean, take for example, if you lose your electronic identities, you’re really, really handicapped in today’s society. So, it’s very important that you protect your electronic identities. Because if you lose them, you’re in a mess.

Oscar: Yeah, you get – what kind of called excluded or disconnected or, yeah, from many services. That’s correct. Tell us what is now the scenario, the landscape of the digital identities in Europe being broadly, so what’s going on today in Europe regarding this?

Roberth: It’s a very mixed bag to start with. But you can say one thing, every country in Europe has some kind of national identities in some way, everyone, because you can’t live without them, you need to have them. The development pace of different countries is very different. Some is very advanced, some are not.

The difficult part here is not actually digital identity. I started – I worked for the Belgium authorities with the BelPIC, which is the Belgium national ID card. This was in – around 20 years ago. It was not the problem to issue the cards because at that time, they had issued 5 or 6 million cards. It’s to have services that used them. And most countries in Europe has problem.

Sweden is a country which has a very, very good number of applications use national ID or similar schemes. Take for example, I spent 10 years to standardise a citizen card in Europe, at the European National Institute for Standards, CEN. It’s actually the standard we use for national ID cards today, the technical standard, because we failed in one aspect, and that was get one card for all countries in Europe because every state wants to control their own identities. We’ve never managed to bridge that gap.

The technical standard is pretty decent, I think, because every national ID, if you take the Swedish national ID Card from the police, it looks the same as other countries in Europe. But one card for every country in Europe? No, is not going to happen. If not EU managed to get major – a decision on all countries to follow the same card which is not going to happen. Too many countries, too many wills. Take for example the Polish, they absolutely refuse to leave control over their own identities from Poland to somebody else in Europe.

Oscar: Yeah, it sounds difficult as you said, 20 something countries here, it’s difficult to get that consensus.

Roberth: Yeah, it’s not there. It’s the pain of not having – I mean, today, we’re talking about being able to use it. And pain for having different systems is not big enough, basically. There must be a problem first.

Oscar: And which other – besides the smart cards, what do you think would be a good solution for Europe?

Roberth: Basically, what the eIDAS regulation from EU actually requires Swedish authorities, for example, to have a page where you have a foreign card, I mean a card from Belgium or Estonia or other countries, which can log on to the Swedish page. So the Swedish authorities are required to have this page, which you can log on with the other country’s identities, but they’re not required to have any services behind at the moment, probably come in the next level of eIDAS regulation.

So, EU is starting to move in the direction of safe electronic identities for all countries. Take, for example, Sweden has been, well, sitting here and doing integration with all authorities and so on – getting service, but we have not looked what the rest of Europe is doing. So, Belgium and Estonia, especially has, well, has services which don’t have in Sweden. And we have a giant problem in Sweden, because in rest of Europe, they talk about qualified certificates. That means the issuer has a legal right if you have malfunction electronic ID or something like the issuing party doesn’t fulfil their expectations, there is a legal requirement for them to pay the third party.

For example, you and I make a transaction, and a third party, for example, my mother and because this transaction was faulty, because of the electronic identities used, and my mother is suffering from it, she has the legal rights to have compensation. This is the basic of qualified certificates. Plus, you have qualified – the standards for it is higher than the current in Sweden. And Sweden has not taken on the qualifying certificates, which the rest of Europe is a basic level, basically. So, we have in Sweden a challenge, we could say.

Oscar: OK, in terms of signatures. And which countries you feel that are leading the development of these eIDs in Europe?

Roberth: Yeah, I mean, both Belgium and Estonia has, for example, electronic identities on smart cards for population. And Sweden, well, we have a mobile bank ID but it’s banks. The national ID card we have, yeah, it’s an ID card, but you don’t have any certificates on it. So, you can’t use it on an electronic ID. I don’t know what police is doing, but – or the government.

But then you have to use this Tax Department’s card, which is approximately the same as a national ID except you don’t get the guarantee that which country you come from which you get from the national ID card. Basically, or else they are the same card, basically, because early versions of the national ID card have the chip. So, it’s very easy to put the chip on it. But for some reason police doesn’t want to do that.

Oscar: Well, interesting to know those details. Of course, as you said, every country is making progress by different speeds, different – yeah, making different decisions, of course. Yeah, thank you for shedding light on the eIDs across Europe. So, I would like to ask you one final question, Roberth. For all business leaders, listening to us now, what is the one actionable idea that they should write on their agendas today?

Roberth: They need a strategy for electronic ID. And they need to stop using ID and passwords. You need to have some kind of handling on how you will use your electronic: that means how you identify the users, how you provision the electronic IDs, and what trust level you need to have on your electronic IDs.

Take for example very, very many companies in Sweden use AD from Microsoft, Active Directory from Microsoft. What they require is MFA or two-factors application basically, they need some kind of extra, you can get that for example as well. So, they’re moving in the right direction, but they haven’t really started to ask themselves basic handling of the electronic ID. And they definitely need this strategy because all these internet activities, cyber warfare and all these internet trolls, but especially the state-sponsored hacking groups, it’s not going to get better, it’s going to get worse. So, the ones who don’t have a strategy and know what they’re doing is going to be harshly punished. That’s my message, basically.

Oscar: Yeah, I agree. Well, thanks a lot. Thanks a lot, again, Roberth. Super interesting conversation and giving a lot of details on the smart cards that we haven’t discussed before in this podcast, super secure, super interesting and sounds that it’s going to be with us for a long time still securing our identifications.

Roberth, please, if some people would like to follow you or get in touch with you, what are the best ways?

Roberth: You can use my email address for now it’s [email protected]. It’s probably the best way of getting in touch with me.

Oscar: Thanks a lot again, Roberth, and all the best.

Roberth: Thank you.

Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.