Preventing Phishing Attacks Through BankID Secure Start

Everyone using the Internet has an online account of some kind. In order to access those accounts, we often have to digitally verify our identity.

Digital fraud is a growing issue in Sweden, with people falling victim to fraudulent attacks every day. One common technique used to steal sensitive information and manipulate victims is the phishing attack.

The growing issue of phishing attacks

Phishing involves criminals sending messages out to people while posing as a legitimate business or organization to obtain sensitive information like bank login credentials.

Such deceptive messages are often sent via email or text (also known as “Smishing” for “SMS phishing”). They often contain urgent requests or alarming scenarios to stress victims into clicking on malicious links or providing confidential data. In many cases, scammers take advantage of current events to increase the likelihood of people falling into the trap.

One event that increased the number of phishing cases was the Covid-19 pandemic. According to EY, the pandemic instilled fear and curiosity in people, making them more likely to be taken advantage of by scammers. However, phishing attacks were a problem even before the pandemic, with a third of the Swedish population having received phishing emails as early as 2019.

In 2023, 25% of companies within the financial services and insurance sector experienced fraudulent attacks, with phishing attacks being the most common. Across all industries, 28% have experienced phishing attacks at some point.

eIDs and the threat of phishing attacks

Countries that have adopted electronic identities (eIDs) often see phishing attacks attempting to steal eID login credentials. This is because eIDs are used to access important portals such as bank accounts and government services.

The primary eID in Sweden is called BankID. Despite being regarded as one of the most secure methods of digital authentication, it is still a target of phishing attacks.

To mitigate this problem, BankID has developed a new technical requirement that enhances security.

How BankID Secure start protects against phishing attacks

Secure start is a new technical requirement by BankID that aims to combat the increasing issue of phishing attacks.

Secure start introduces two mandatory changes to the BankID user experience:

  • Autostart on the same device: When initiating the verification, a user will be automatically redirected to the BankID app on the same device.
  • Animated QR code on another device: Users will no longer be able to start BankID by entering their social security number. Instead, they will have to scan a QR code to initiate the process.

Autostart on the same device ensures that the person who initiates the BankID process on their phone is also the one who completes it. When starting BankID, the user is instantly redirected to the BankID app, which eliminates any middle steps.

The QR code prevents scammers from starting another person’s BankID from a different location through SSN input. To start the BankID process, users must scan the QR code with their app and therefore be physically present in front of the screen.
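The two mechanisms described above (autostart on the same device and the animated QR code on another device) can be made concrete with a small example. The code below is an added illustration written for this article, not BankID's own code, and the page itself does not describe the underlying format. It follows the publicly documented BankID Relying Party API scheme, in which the QR content is `bankid.<qrStartToken>.<seconds since start>.<HMAC-SHA256 of the seconds, keyed with qrStartSecret>`, and the same-device launch uses a `bankid:///?autostarttoken=...&redirect=...` link. The token and secret values are constructed placeholders, and the `verify_qr_payload` check is a simplified stand-in for the validation that BankID's infrastructure performs when the app reports a scanned code; it is included only to show why a scanned code is bound to one session and to one moment in time.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed placeholders standing in for the qrStartToken, qrStartSecret and
# autoStartToken that a real /auth response would return. They are not real tokens.
SAMPLE_QR_START_TOKEN = "67df3917-fa0d-44e5-b327-edcc928297f8"
SAMPLE_QR_START_SECRET = "d28db9a7-4cde-429e-a983-359be676944c"
SAMPLE_AUTO_START_TOKEN = "7c40b5c9-fa74-49cf-b98c-bfe651f9a7c6"


def qr_auth_code(qr_start_secret: str, qr_time: int) -> str:
    """HMAC-SHA256 over the elapsed seconds (as decimal text), keyed with qrStartSecret."""
    return hmac.new(
        qr_start_secret.encode("ascii"),
        str(qr_time).encode("ascii"),
        hashlib.sha256,
    ).hexdigest()


def animated_qr_payload(qr_start_token: str, qr_start_secret: str, qr_time: int) -> str:
    """Content of the QR image shown at second `qr_time` after the order was started.

    The relying party regenerates this every second, which is what makes the
    QR code 'animated': the same image is never shown twice for one order.
    """
    return f"bankid.{qr_start_token}.{qr_time}.{qr_auth_code(qr_start_secret, qr_time)}"


def verify_qr_payload(payload: str, qr_start_token: str, qr_start_secret: str,
                      now_seconds: int, max_skew: int = 2) -> bool:
    """Simplified check (assumption, not BankID's actual server logic) of a scanned code.

    Accepts the payload only if it belongs to this order, was generated within
    `max_skew` seconds of `now_seconds`, and carries a valid HMAC for that second.
    """
    parts = payload.split(".")
    if len(parts) != 4 or parts[0] != "bankid" or parts[1] != qr_start_token:
        return False
    try:
        qr_time = int(parts[2])
    except ValueError:
        return False
    # A code from another moment in time is rejected even if the HMAC is correct.
    if not (now_seconds - max_skew <= qr_time <= now_seconds + max_skew):
        return False
    # Constant-time comparison of the supplied and expected authentication codes.
    return hmac.compare_digest(parts[3], qr_auth_code(qr_start_secret, qr_time))


def autostart_url(auto_start_token: str, redirect: str = "null") -> str:
    """Same-device launch link that opens the BankID app directly.

    `redirect="null"` tells the app to return to the calling app/browser itself.
    """
    return "bankid:///?" + urlencode({"autostarttoken": auto_start_token, "redirect": redirect})


def qr_sequence(qr_start_token: str, qr_start_secret: str, seconds: int) -> list[str]:
    """The first `seconds` frames of the animated QR code for one order."""
    return [animated_qr_payload(qr_start_token, qr_start_secret, t) for t in range(seconds)]


if __name__ == "__main__":
    print("Same-device launch:", autostart_url(SAMPLE_AUTO_START_TOKEN))
    for frame in qr_sequence(SAMPLE_QR_START_TOKEN, SAMPLE_QR_START_SECRET, 3):
        print("QR frame:", frame)
    frame_at_3 = animated_qr_payload(SAMPLE_QR_START_TOKEN, SAMPLE_QR_START_SECRET, 3)
    print("valid at t=3:", verify_qr_payload(frame_at_3, SAMPLE_QR_START_TOKEN, SAMPLE_QR_START_SECRET, 3))
    print("valid at t=40:", verify_qr_payload(frame_at_3, SAMPLE_QR_START_TOKEN, SAMPLE_QR_START_SECRET, 40))
```

Two design points are worth noting. The `qrStartSecret` never leaves the relying party's server, so only the party that started the order can produce frames that verify, and each frame is valid for a window of a few seconds; together these tie the scan to a specific order and a specific moment, which is the property the article describes as requiring the user to be physically in front of the screen. The `qrStartToken` appears in the clear in the QR content, so it identifies the order but must not be treated as a secret.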

How can BankID Secure start improve the user experience?

Autostart simplifies the BankID verification process by eliminating the need for users to manually locate the app on their phones. This speeds up the authentication journey.

While the Animated QR code offers simplicity, it will take a bit of getting used to for some people. Nevertheless, businesses have been implementing QR code login with BankID since 2018, so it’s not a novelty. BankID users have had some time to familiarize themselves with this method of authentication.

Secure start compared to eIDs in Denmark and Norway

Danish and Norwegian eIDs are referred to as MitID and BankID, respectively.

Danish MitID

MitID introduced QR into the user experience in 2023 and made it mandatory for all businesses using MitID.

In contrast to the Animated QR code, it still requires users to type in their MitID username to initiate the process. Once they start the verification, they’ll see a QR code on the screen that they must scan to complete the process.

As with BankID in Sweden, this helps mitigate the risk of phishing attacks.

Norwegian BankID

In 2023, BankID went through a significant change: Old Mobile BankID was phased out with the introduction of the BankID app with biometrics. Adding biometrics has significantly improved the user experience, letting users verify their identity in a matter of seconds.

However, BankID has not yet implemented a QR code in the user journey. Integrating a QR code would enhance security.

In the meantime, users of Norwegian BankID face a higher risk of phishing attacks than users of MitID and Swedish BankID.


Summary

Phishing attacks have long posed a threat to Swedish society. Secure start represents a significant step toward a safer and more user-friendly authentication experience with BankID.

Hopefully, we will see a decrease in successful phishing attacks following the mandatory implementation of Secure start on May 1, 2024.

