Arnis Paršovs, a cybersecurity researcher at the University of Tartu, has pointed out that while fraud victims are often blamed for their carelessness, the real problem is the design of the banks and the Smart-ID system, writes ERR News.
Large-scale phishing fraud appeared in Estonia in 2019, when banks abandoned code cards and moved to Smart-ID. Impressed by Smart-ID's cryptographic strength, banks overlooked the fact that, against phishing, the system provides weaker protection than code cards did. In an article published on an Estonian public media website, the researcher explains why banks should be held responsible for the resulting financial losses of Estonian customers.
Code cards also had weaknesses, but a fraudster had to ask the victim directly for codes, which aroused suspicion even in less cautious people. With Smart-ID, the fraudster only needs to get the victim to confirm a request on their smart device, which is exactly how the system is designed to be used. Payments confirmed with code cards had a daily limit of a few hundred euros, whereas no payment limit has been imposed on Smart-ID despite the known weaknesses of the scheme.
Such fraud cases create an additional burden on law enforcement agencies, which have to deal with the consequences of the banking system’s shortcomings.
The main drawback of Smart-ID, as Paršovs writes in the ERR News article, is that its security depends entirely on the user's ability to recognize a fraudulent website or to recognize the caller.
Long-running empirical studies show that an ordinary user's ability to recognize fraudulent sites is close to random guessing, and even technically experienced users cannot always tell a phishing site from the real one. Yet when the security of Smart-ID is discussed, this point is largely ignored.
Banks are urging customers not to confirm Smart-ID requests during suspicious phone calls, but bank customer service departments are also using this solution, Paršovs emphasizes. From a user’s point of view, it is unexpected that the solution, which is presented as the most secure, requires the user to assess the identity and reliability of the requester. Placing such a burden on the user contradicts the expectations of what a secure authentication method should provide.
The developer of the tool, SK ID Solutions (SK), insists that Smart-ID is secure, and the problem lies with users who are using it incorrectly. However, as Paršovs writes, if most people are unable to use the tool correctly, the fault lies with the tool, not the user. The human error factor must be taken into account, and security must be built into the tool. “We don’t give children sharp knives to then blame them for cutting themselves. The same should apply to the digital environment,” the cybersecurity expert writes.
In their communications with the public, banks classify phishing as a type of fraud unrelated to technological vulnerabilities, grouping it with investment fraud and romance scams. The position of the financial institutions is that they can do nothing more than express regret and advise customers to be more careful, but this is not the case at all.
The indifferent position of the banks ignores the fact that every Estonian resident has an ID card whose authentication cannot be exploited by phishing: because the card's authentication response is tied to the connection with the site actually being visited, a response produced on a phishing website cannot be reused to access the victim's bank account, unlike a Smart-ID confirmation. At the same time, no bank offers ID-card login, as doing so would amount to acknowledging the problems with Smart-ID. The largest banks in Estonia, Swedbank and SEB, are among the owners of SK, which, as Paršovs points out, gives them an interest in promoting Smart-ID and creates a situation in which its security risks are insufficiently assessed.
Banks could do much more to detect and prevent fraud proactively. They hold a large amount of user data that can be used to flag suspicious activity: logins from new devices or unusual locations, changes to payment limits, unusual transfers, a login from a device in a different country than the device on which the Smart-ID confirmation was given, and the like. However, there is no public evidence that banks make serious use of these signals.
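The following is an added example, not code from the article, from any bank or from SK: a small rule-based risk scorer that applies the signals listed above to constructed session records. The field names, weights, thresholds and sample sessions are all assumptions chosen for illustration; the one signal the article singles out, a banking session and its Smart-ID confirmation geolocated to different countries, is weighted heavily enough to hold a payment on its own.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed illustration of the detection signals the article lists. Field
# names, weights, thresholds and sample data are assumptions, not any bank's
# real risk engine.

@dataclass(frozen=True)
class Session:
    user: str
    login_device: str               # fingerprint of the browser that opened online banking
    login_country: str              # geolocation of that browser's IP address
    confirm_country: Optional[str]  # geolocation of the phone that approved the Smart-ID request
    limit_raised: bool              # did this session raise a daily payment limit?
    transfer_eur: float             # largest transfer attempted in this session
    new_payee: bool                 # payee account never seen in this user's history?

# Per-user history the bank already holds: known device fingerprints and past transfer sizes.
HISTORY = {
    "alice": {
        "devices": {"fp-alice-laptop", "fp-alice-phone"},
        "transfers": [120.0, 45.5, 300.0, 80.0],
    },
}

WEIGHTS = {
    "new_device": 2,
    "country_mismatch": 4,   # browser and confirming phone in different countries
    "limit_raised": 2,
    "unusual_transfer": 2,
    "new_payee": 1,
}

def risk_signals(s, history):
    """Return the names of the signals that fire for one session."""
    h = history.get(s.user, {"devices": set(), "transfers": []})
    signals = []
    if s.login_device not in h["devices"]:
        signals.append("new_device")
    if s.confirm_country is not None and s.confirm_country != s.login_country:
        signals.append("country_mismatch")
    if s.limit_raised:
        signals.append("limit_raised")
    usual_max = max(h["transfers"], default=0.0)
    if s.transfer_eur > 2 * usual_max:        # more than twice anything seen before
        signals.append("unusual_transfer")
    if s.new_payee:
        signals.append("new_payee")
    return signals

def decide(signals):
    """Map a signal list to a score and an action."""
    score = sum(WEIGHTS[x] for x in signals)
    if score >= 4:
        return score, "hold"      # park the payment and verify out of band
    if score >= 2:
        return score, "step_up"   # re-confirm on a channel the fraudster does not control
    return score, "allow"

def assess(s, history=HISTORY):
    signals = risk_signals(s, history)
    score, action = decide(signals)
    return {"user": s.user, "signals": signals, "score": score, "action": action}

# Constructed sessions: a routine login, a relay-phishing pattern, and a traveller on a new PC.
SAMPLE_SESSIONS = [
    Session("alice", "fp-alice-laptop", "EE", "EE", False, 95.0, False),
    Session("alice", "fp-unknown-vps", "DE", "EE", True, 4500.0, True),
    Session("alice", "fp-hotel-pc", "ES", "ES", False, 250.0, False),
]

def run_sample():
    return [assess(s) for s in SAMPLE_SESSIONS]

if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

The second constructed session shows why the country mismatch is the signal to watch: a fraudster's browser in one country and the victim's phone in another is the ordinary shape of a relayed Smart-ID login, and it is visible to the bank before any money moves.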
From a legal point of view, banks are not obliged to refund fraudulent transfers if they were authorized with the authentication method the customer agreed on with the bank. However, it is the bank's responsibility not to accept insecure authentication methods in the first place. Only the bank, not its customers, fully understands the risks of the different authentication methods and can implement the security measures that would protect customers from fraud, the researcher emphasizes.
In June 2025, SK introduced the Smart-ID+ security feature, which requires the user to initiate the action themselves by scanning a QR code. This makes phone fraud much more difficult. Moreover, if a Smart-ID+ authentication is initiated on the same device on which Smart-ID is installed, the level of security is the same as authenticating with the ID card. Despite this, banks are in no hurry to adopt Smart-ID+.
Paršovs points out that one may ask why SK allows banks to use Smart-ID without the stricter mode. The answer is simple: SK is paid by the banks and other service providers, not by users. This puts convenience ahead of protection, which means that the rapid success of Smart-ID rests to some extent on the shoulders of phishing victims, who pay the price of convenience bought at the expense of security. Convenient payment methods are certainly needed, but it is the banks' responsibility to account for the associated security risks and to implement additional measures, as they do with contactless payments, which are limited to 50 euros per transaction.
When discussing liability, banks emphasize that victims bear full responsibility for approving fraudulent payments by entering the PIN-2 code. This ignores the fact that the security breach occurs earlier, at the moment when the bank lets the fraudster into the victim's online banking; it is that access which allows the fraudster to generate the PIN-2 request in the first place. From the customer's point of view, approving the request is understandable, because they assume that only they themselves, or a bank representative with appropriate access, can initiate a payment request. Paršovs emphasizes that customers have every right to expect the bank's security systems to be strong enough to keep third parties out of their accounts.
The problem is not only a lack of resilience against phishing. Fraudsters in Estonia have also begun exploiting weaknesses in the Smart-ID issuance process, and it is the developer's responsibility to ensure that an electronic identification tool reaches only its legitimate owner.
Banks, in turn, should recognize that authentication tools issued without in-person identity verification are inherently less secure, and this should enter the banks' risk assessments. Since bank customers cannot influence the choice of security system or authentication tool, victims of Smart-ID phishing should not simply blame themselves but should demand compensation from the banks. A bank's liability may arise not only from unlawful actions but also from failure to fulfil its obligation to provide a safe and reliable service.
The solution is to recognize that successful phishing is the fault of insecure technology rather than of users, and to assign responsibility accordingly. Banks are very effective at managing the risks they are held responsible for, and since they are the party able to mitigate technological risks, it is entirely reasonable to hold them responsible for authentication methods as well. This can be achieved either by specifying liability clearly in law or by establishing in court that banks are responsible for the security of the technical solutions they use and must compensate losses caused by phishing via Smart-ID.
