mertner.com/allan

Utterly hopeless security: NemID

— Allan @ 8:30 pm

I am so happy I don’t live in Denmark any more.  If I did, I would have to use a system called NemID much more than I do – a system that is a total disgrace yet is used universally as a system intended to provide security to things like bank accounts.

For me, it fails in 4 critical ways…

WIN: 2-factor is a Good Thing

The principle is sound: To access things like banking or government services, a 2-factor authentication system that relies on more than just username and password is mandatory for security nowadays.  It’s the implementation of NemID that is so wrong it would be hard to come up with a worse system.

There are several great, simple systems out there: Google Authenticator or RSA tokens would be fine.  With those, you get an app for your phone or an electronic token that gives you a new number every minute or so; you have to have that number to log in. You can get paper-based numbers for when you don’t have your phone too.

FAIL #1: Getting the key card

NemID is based only on paper, and that is where the trouble starts: Getting hold of the paper-based key card.  It’s probably easier for people who live in Denmark, but as I live in the UK they cannot send it to my home address but can only send it to the Danish embassy in London.   Is registered mail not safe enough?

It took me two tries to finally get the key card: The card has to be confirmed within 4 weeks of ordering it or it expires, but it takes around 30 days for them to send it to the embassy so it often arrives pre-expired.  The embassy staff confirmed that this happens all the time 🙁

FAIL #2: Java.  JAVA?!?

NemID is built on Java that runs on the client.  Yes, client-side Java in a security application is something that everyone knows is Not a Good Idea, but there you have it.

One reason why it’s a bad idea is that new security issues in Java are discovered all the time, which is why there seems to be a new version clamoring to install itself almost every day.  And fixing those security holes sometimes breaks something in NemID, like it did in this version – the fix?  Either stay on an old version with major, known security holes in it, or don’t use internet banking.

FAIL #3: Logging in via NemID

With the right version of Java installed, I can go to Netbank and use it, assuming I know my username and password.  Which of course I do: I use 1Password to manage those and have of course used that to choose a super-obscure, long, unique and awkward password for my net bank.

For some reason, NemID however does not allow you to copy/paste text into the UserID or Password fields: you MUST type your password into the box provided.

I assume they think this makes it super-secure, but exactly the opposite happens: If I have to type in my password rather than copy it from my password manager, I have to have a reasonably short password that I can actually type in.

MEH #1: Two-factor

To finish the login, I need to provide a code from my key card.  It shows a 4-digit code, which I look up to find a 6-digit code I can then type in – and that part actually works fine.

FINAL FAIL: Key codes

Every single time I perform a transaction in my banking app, it requires a two-factor code.  This gets old very quickly: I am logged in securely, why do I need to re-certify this for every transaction?  Someone, somewhere has misunderstood something.

The main drawback though is that piece of paper with the codes on it.  It has maybe 150 codes on it, and those get used up quickly.  I dread the day when I have to try to get a new key card via the embassy 🙁

My recommendation: Ditch NemID

  1. Don’t enforce the use of a proprietary system that nobody else uses on an entire country.
  2. Don’t use any client-side Java for anything.  Particularly not for running a security-related application.
  3. Do provide a way to get key codes electronically as well as by paper.  Most people have smart phones, or at least a phone that can receive an SMS-based code.
  4. Don’t implement fake security by preventing copy/paste of usernames and passwords.  It simply makes things even worse.
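
As an added illustration (not code from the original post, and not NemID's own implementation), the Python sketch below contrasts a time-based code as defined in RFC 6238, the scheme Google Authenticator uses, with a toy model of a printed card whose codes are consumed one by one. The `KeyCard` class, the card size of 150 and all generated values are constructed assumptions based only on the description above; the 30-second step is the RFC default.

```python
import hashlib
import hmac
import secrets
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class KeyCard:
    """Toy printed card (constructed model): each challenge/response pair works once."""

    def __init__(self, size: int = 150):
        rng = secrets.SystemRandom()
        challenges = rng.sample(range(10_000), size)  # unique 4-digit challenges
        self._codes = {f"{c:04d}": f"{rng.randrange(10**6):06d}" for c in challenges}

    def remaining(self) -> int:
        return len(self._codes)

    def next_challenge(self) -> str:
        if not self._codes:
            raise LookupError("card exhausted: a new card must be issued")
        return next(iter(self._codes))

    def lookup(self, challenge: str) -> str:  # what the holder reads off the paper
        return self._codes[challenge]

    def verify(self, challenge: str, response: str) -> bool:
        expected = self._codes.get(challenge)
        if expected is None or not hmac.compare_digest(expected, response):
            return False
        del self._codes[challenge]  # one-time use: the pair is consumed
        return True

def transactions_until_reissue(card: KeyCard) -> int:
    """Count how many per-transaction prompts one card survives."""
    count = 0
    while card.remaining():
        ch = card.next_challenge()
        if card.verify(ch, card.lookup(ch)):
            count += 1
    return count
```

A card that is prompted on every transaction is empty after exactly as many transactions as it has codes, while `totp` keeps producing fresh codes from one enrolled secret with nothing to reissue.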

Who benefits?

The NemID system is just so consistently awful that I have to wonder who decided to design and implement a mandatory country-wide system in this way.  Who benefits? Does anyone know the true story of why it doesn’t get fixed?