Estonia’s digital identity system, once hailed as a model of efficiency, has been plagued by errors and security vulnerabilities that enable cybercriminals to steal information and perpetrate financial fraud, it has emerged.

The digital ID system used by 1.4million people in the Baltic state country is said to be the blueprint for Keir Starmer’s so-called Brit Card. 

For over two decades, digital ID cards in the former Soviet nation have displayed a resident’s photo, name, unique ID number, and date of birth while a microchip stores additional personal data.

Estonian citizens can integrate these cards into mobile e-wallets, enabling them to perform activities such as voting, managing banking affairs, electronically signing contracts, submitting tax declarations, claiming social benefits, scheduling medical check-ups, accessing personal health records, shopping online, and even earning supermarket loyalty rewards.

Despite its acclaim, Estonia’s system has encountered security breaches that allowed perpetrators to circumvent encryption safeguards, draining people’s savings and exposing citizen data, including names and photos.

The Daily Mail reports users have frequently fallen prey to phishing schemes involving emails and calls, coaxing them into divulging their card PINs, thereby facilitating unauthorized withdrawals from their bank accounts—a potential caution for the UK.

According to official statistics, the inhabitants of ‘E-Stonia’ reported losses exceeding 7 million euros due to fraud last year, with 837 major incidents, up from 546 in 2023. However, the actual number is believed to be significantly higher as many cases remain unreported.

Reports suggest that the amount lost to fraud in Estonia has soared since last year with a total of 7.5million euros lost in the first six months this year.

A large number of the cases reported by Estonia’s Police and Border Guard are thought to involve personal information from ID cards being stolen due to people being tricked into revealing PIN codes.

Scammers operate in a similar way to those in the UK, often sending out false alerts about banking issues or parcel deliveries and directing people to spoof websites imitating those of banks where personal details, passwords or PINs have to be entered.

There have been reports of fraudsters becoming more sophisticated in recent months with phishing emails being written without spelling mistakes and bogus callers often being convincing Estonians rather than foreigners pretending to be state or bank employees.

Earlier this month, police revealed how a 73-year-old woman living in Põlva County received a call from a fake Estonian official promised to come and change her electricity meter.

She was conned into giving out her ID-card PIN number to confirm the order, and then received another bogus call purporting to be from her bank about a supposed suspicious transaction.

The fraudster sent an image of a blurry employment certificate to build her trust and convince her they were a genuine member of her bank’s staff. This was followed by an order to log into her bank through an application where she had to enter her PIN codes.

When the victim later became worried that she had been targeted in a scam, she found that 30,000 euros had disappeared from her account.

Two residents of Estonia’s capital, Tallinn, also lost large sums of money this month after a fraudulent call. 

A 58-year-old was conned into confirming her PIN numbers after a fake call from someone claiming to be from Estonia’s Health Insurance Fund.

She was persuaded to drop off her bank card at an Omniva parcel terminal, where it was picked up by fraudsters who transferred money from her bank, withdrew cash and took out a loan in her name. Police said she was ripped off to the tune of 12,600 euros.

On the same day, a man received an email with a fake banking link, allegedly from his bank Swedbank, asking him to update his information.

A report of the scam said: ‘The man logged into the bank using the provided link, confirmed his PIN codes, and the transfers were made from his account’. The man lost 3,000 euros.

In a separate case in August, a 59-year-old woman from Ida-Viru County received a call purportedly from Estonia’s Rescue Board, claiming her smoke alarm needed replacing.

She then received a fake call from her bank’s security department, claiming the earlier call was from the scammers. 

The woman repeatedly disclosed her PINs to supposedly safeguard her account in a series of calls over 24 hours before she was made to drop off her bank card at a parcel terminal.

The woman later found the scammers had taken out a 6,000 euro loan in her name and withdrawn cash from her account. Prosecutors said at the time that it was unlikely she would get her money back.

While most victims in ID-card based scams are middle aged or elderly, younger people in Estonia have also been successfully targeted after letting their guards down.

Fraud is still more prevalent in the UK with £1.17billion stolen by criminals last year which is more than 190 times the figure for Estonia, even though the population of Britian is only 50 times higher, according to UK Finance figures.

But there are concerns that any vast official database of information about UK citizens will be a magnet for international hackers, with the potential that some might seek to blackmail the UK Government for billions of pounds.

It follows reports of more than a quarter of British companies being subject to cyberattacks in the last year.

High-profile victims in the UK include Marks & Spencer, which was forced to halt orders on its website for nearly seven weeks, and luxury store Harrods, which revealed last Friday that it had 430,000 customer records stolen in an IT breach.

Estonia became the most digitalised society in Europe when it introduced its electronic ID cards in 2002 to save on government administration costs and offer efficient paperless services.

But the authorities in Estonia have never tried to claim that the system is aimed at deterring illegal immigrants by requiring employers to check a worker’s digital ID, in contrast to Sir Keir Starmer, who has suggested it is a key reason to bring cards into the UK.

The chips in each Estonian ID-card can be read by computers and scanners if people enter a personal five-digit PIN number in the same way as they do to withdraw cash or buy goods on a personal bank card.

They can also convert their mobile phones or tablets into e-cards by signing up for a Smart-ID system or a Mobile-ID, which involves installing a new SIM card while retaining their old number or using an Eesti.ee app.

But the crucial difference to a normal bank card is that the cards have two PIN codes, with one being used to sign into e-services and a second used for confirming actions or authenticating documents as a digital signature.

A third code, known as a PUK, can be entered to reset PIN codes if they are compromised, with users being encouraged to choose their own numbers, which they find easier to remember.

Users get furious about mismatched updates, which are vital for security, but have an unerring habit of locking people out of banking, e-services, or authentication – just when they are needed.

Daki – a communications specialist and podcaster – complained last June that ‘Smart-ID doesn’t allow voting’ due to ‘authentication failures’, which amounts to a denial of democratic rights.

In a prophetic warning to Britain, unclassified documents show Estonian ID-card system has suffered issues, often caused by the outside companies manufacturing cards, and not always shared with the public at the time.

A programming error was found in December 2011 in the software for around 120,000 cards issued during the year, meaning they could be used for functions without PIN codes being entered.

There was a serious problem in October 2017 when it was revealed that around 760,000 ID-cards issued in the previous three years had faulty software in their chips.

A further issue in July 2021 involved a hacker from Tallin obtaining 286,438 personal identity photographs, along with their names and personal ID codes by using a malware network to target individual IP addresses.

But on the cobbled streets of Talin’s historic Old Town, the Daily Mail found no shortage of enthusiasm for digital ID-cards with many young people having been brought up with them and knowing of no other way to access Government services.

Tour guides escorting diverse groups from countries including India and Taiwan were even heard devoting some of their talks to praising the virtues and efficiency of their country’s digital ID system.

Eleora Shcweberin, 25, a receptionist at the 15th-century Olde Hansa restaurant, said: ‘The system is no problem for me. It is actually quite safe. A lot of the systems that you access also require fingerprint or Face ID on your phone, so they are really secure.

‘You identify yourself through two PIN numbers and you can choose them yourself. It helps you get into your banking system so you can see all payments going in and out, and what you have left. I can also look up my tax to see how much I have paid.

‘It is true that some old people have problems, but if they go into a bank, the tellers are very helpful and tell them what to do. They will even write down instructions for them. There are scamming cases, but that would be the same with every system, and I think we have less of them now.’

A waiter called Artom, 28, who works at the nearby Mama Mia restaurant, said: ‘For me it is very easy. 

‘I have the Smart-ID, so when I shop online, it automatically puts in all my personal details, including my address. You just need one PIN number to make it work.

‘There is dual identification, so I use my fingerprint, and sometimes you get an email confirming everything.

‘I work in the restaurant, and see a lot of older people making payments on their phones without any problem. 

‘People can adapt and learn how to use new things. I don’t think England has anything to worry about. It will be a good thing for you.’

Matti Forsberg, 69, who runs a consultancy for non-profit organisations and is a Finnish national living mainly in Tallin, said: ‘I use my ID-card for customer loyalty schemes with different shops.

‘Instead of getting an individual loyalty card from each store, I let the staff load their own cards on my chip, so everything I buy gets recorded, and I am allowed to get discounts.

‘I must have about 20 loyalty cards on my chip. It is very simple and is much easier than me carrying round 20 loyalty cards in my wallet. I can also access all my medical records on a website, and it shows me prescriptions I need.

‘I can even vote with my card in local elections. There is a period when I can cast votes, and if I change my mind after voting, I can go online and vote again with my old vote being cancelled out.

‘The whole system is very efficient and safe. I just have to remember one PIN number and not tell anybody what it is. People in England should be looking forward to getting cards like this. They absolutely work.’

Bank worker Liisbeth Kink, 27, who was relaxing with a friend in the Old Town’s main square, said: ‘I have Smart-ID and it is really easy to access everything. You can check your bank account or make medical appointments through the app. It could not be easier.

‘It has always here for me, so the younger generation of people do not know anything else. Older people are the ones who have had to learn how to use something new, but they are generally fine with it.

‘Of course, elderly people can be scammed into giving out their PIN numbers. We tell older relatives to always be careful and watch out for people trying to trick them, particularly on Facebook.’