A Risk Assessment of the Hungarian Eid Card

Nyári, Norbert; Kerti, András

doi:10.2478/bsaft-2024-0010

Abstract

The aim of the present study is to provide an insight to a comprehensive risk assessment of the Hungarian eID card utilizing the ISO/IEC 27005:2022 standard. Unfortunately, the functions of the eID are nowhere near widespread among the Hungarian population. That is why it is time to carry out a risk assessment, which can help to introduce the functions efficiently, and improve the overall security of the eID card. Using the concepts and steps of the international standard ISO/IEC 27005:2022, the external and internal context of the Hungarian eID was determined, and after the asset-based risk identification, the risks that arose were evaluated. A comprehensive risk analysis can greatly help the effective introduction and operation of eGovernment services. The risks identified during the risk assessment, based on the ISO/IEC 27005:2022, performed on the Hungarian eID card can serve as a basis for the planning and development of appropriate IT security best practices and training materials. Previously, no risk analysis of the Hungarian eID was published based on the ISO/IEC 27005:2022. The results can contribute to making existing use cases safer, but it can also be used to create new use cases keeping IT security in mind.

References

Act CLXVI of 2012 on the identification, designation and protection of essential systems and facilities. (2012). Hungary Legislation.
Search in Google Scholar Back to article
European Economic and Social Committee. (2020). The digital single market - trends and opportunities for SMEs (own-initiative opinion). Available at: https://www.eesc.europa.eu/en/our-work/opinions-information-reports/opinions/digital-single-market-trends-and-opportunities-smes-own-initiative-opinion, accessed on December 12, 2023.
Search in Google Scholar Back to article
Farkas, T. (2023). A kommunikációs és információs rendszerek értelmezése napjainkban: Követelmények és kihívások. In Tóth, András (Ed) Új típusú kihívások az infokommunikációban (pp. 11-30). Budapest, Magyarország: Ludovika Egyetemi Kiadó.
Search in Google Scholar Back to article
Government decree no. 414/2015. (XII. 23.) on the rules for the issuance of personal identification cards (01 01, 2022). Available at: https://njt.hu/jogszabaly/2015-414-20-22, accessed on December 12, 2023.
Search in Google Scholar Back to article
Hungarian IT Security Framework (MIBIK). In Hungarian (2008).
Search in Google Scholar Back to article
Hungarian Ministry of Interior. (2023, 01 01). Role-Based Certification Central Platform Service. In Hungarian. Available at: https://szeusz.gov.hu/szeusz/SZTSZ, accessed on December 11, 2023.
Search in Google Scholar Back to article
Hungarian Ministry of Interior. (n.d.). eSzemélyi - Services. Available at: https://eszemelyi.hu/en/services/, accessed on December 14, 2023.
Search in Google Scholar Back to article
Hungarian Ministry of Interior. (n.d.). eSzemélyi - WHY IS AN eID CARD USEFUL? Available at: https://eszemelyi.hu/en/the-eid-card/#why-is-an-eid-card-useful, accessed on December 12, 2023.
Search in Google Scholar Back to article
Idomsoft Zrt. (n.d.). Electronic Identification Document (eszemélyi). In Hungarian. Available at: https://idomsoft.hu/rolunk/termekeink/eszemelyi/, accessed on December 12, 2023.
Search in Google Scholar Back to article
ISO. (n.d.). iso.org. Available at: www.iso.org, accessed on January 02, 2023.
Search in Google Scholar Back to article
ISO/IEC 27001:2022 (2022).
Search in Google Scholar Back to article
ISO/IEC 27005:2022 (2022).
Search in Google Scholar Back to article
Jide Edu, M.H. (2023). Exploring the Risks and Challenges of National Electronic Identity (NeID) System. International Conference on AI and the Digital Economy (CADE 2023), 118-123.
Search in Google Scholar Back to article
Koller, M. (2023). Smart Devices as Security Aspects of Personal Authentication Interface Technology. In Hungarian. Hadmérnök, Vol. 18, Issue 1, 109-124.
Search in Google Scholar Back to article
KSH. (2023, 12 21). The average gross salary was HUF 564,400 in October 2023, 14.0% higher than a year earlier. In Hungarian. Available at: https://www.ksh.hu/gyorstajekoztatok/ker/ker2310.html accessed on January 02, 2024.
Search in Google Scholar Back to article
Leitner, A., & Schaumüller-Bichl, I. (2009). ARiMA - a new approach to implement ISO/IEC 27005. 2nd International Symposium on Logistics and Industrial Informatics, 1-6.
Search in Google Scholar Back to article
Lentner, G., & Parycek, P. (2016). Electronic identity (eID) and electronic signature (eSig) for eGovernment services – a comparative legal study. Transforming Government People Process and Policy.
Search in Google Scholar Back to article
Mateus, G.B. (2016, 11). A Reference Risk Register for Information Security According to ISO/IEC 27005. Available at: https://fenix.tecnico.ulisboa.pt/downloadFile/1689244997256215/68217-Thesis.pdf, accesses on December 11, 2023.
Search in Google Scholar Back to article
Megyeri, L., & Farkas, T. (2017). Risk management, science or swindle? In Hungarian. Hadmérnök, Vol. 12. Issue 3, 198-209.
Search in Google Scholar Back to article
Mojica Sánchez, I.F., Leal Valero, S.A., & Bareño Gutiérrez, R. (2019). Risks Found in Electronic Payment Cards on Integrated Public Transport System Applying the ISO 27005 Standard. Case Study Sitp D.C Colombia. Congreso Internacional de Innovación y Tendencias en Ingenieria (CONIITI ), 1-6.
Search in Google Scholar Back to article
NISZ Zrt. (n.d.). Services. In Hungarian. Available at: https://nisz.hu/szolgaltatasaink, accessed on December 12, 2023.
Search in Google Scholar Back to article
Nyári, N. (2022). The Current State and Possibilities of eSzemélyi and Electronic Signature Technology in Hungary. In Hungarian. Biztonságtudományi Szemle, Vol. 4, Issue 2, 61-73.
Search in Google Scholar Back to article
OWASP. (n.d.). OWASP Risk Rating Methodology. Available at: https://owasp.org/www-community/OWASP_Risk_Rating_Methodology, accessed on December 11, 2023.
Search in Google Scholar Back to article
Paráda, I., & Farkas, T. (2020). Reconnaissance and Analysis in the Penetration Test 1 Information Gathering Techniques. Hadmérnök, Vol. 15, Issue 1, 159-182.
Search in Google Scholar Back to article
Patiño, S., Solís, F., Yoo, S.G., & Arroyo, R. (2018). ICT Risk Management Methodology Proposal for Governmental Entities Based on ISO/IEC 27005. International Conference on eDemocracy & eGovernment (ICEDEG), 75-82.
Search in Google Scholar Back to article
Pernpruner, M., Carbone, R., Silvio, R., & Sciarretta, G. (2020). The Good, the Bad and the (Not So) Ugly of Out-Of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis. Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy (CODASPY ’20). doi:https://doi.org/10.1145/3374664.3375727.
Search in Google Scholar Back to article
REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (07 23, 2014).
Search in Google Scholar Back to article
Schwalm, S., & Alamillo-Domingo, I. (2021). Self-Sovereign-Identity & eIDAS: a Contradiction? Challenges and Chances of eIDAS 2.0. European Review of Digital Administration & Law - Erdal, Vol. 2, Issue 2, 89-108.
Search in Google Scholar Back to article
scrive. (n.d.). eIDAS and the Digital Single Market. Available at: https://www.scrive.com/trust-center/eidas-summary/, accessed on January 02, 2024.
Search in Google Scholar Back to article
Somogyi, T., & Nagy, R. (2022). Cyber Threats and Security Challenges in the Hungarian Financial Sector. Contemporary Military Challenges, Vol. 24, Issue 3, 15-29. Available at: https://doi.org/10.33179/BSV.99.SVI.11.CMC.24.3.1. SP 800-30 revision 1 (2012).
Search in Google Scholar Back to article
Zwingelberg, H., & Hansen, M. (2011). Privacy Protection Goals and Their Implications for eID Systems. 7th PrimeLife International Summer School (PRIMELIFE), 245-260.
Search in Google Scholar Back to article

A Risk Assessment of the Hungarian Eid Card

Abstract

Paradigm

My account