the Security of Internet Banking in South Korea in 2010

For those of you who have followed my blog, you know that it has been 3 years since I first reported on the fact that Korea does not use SSL for secure transactions over the Internet but instead a PKI mechanism that limits users to the Windows OS and Internet Explorer as a browser. Nothing fundamentally has changed, but there are new pressures on the status quo that may break open South Korea for competition in the browser market in the future.

In fact, one of the new pressures on the status quo has been the popularity of the iPhone in South Korea, which wasn’t available officially until late 2009 due to a different Korean software middle-ware requirement, WIPI, which has since been deprecated. With WIPI dead and buried, Apple released the iPhone to great fanfare in the Korean market and Blackberry has also launched in the Korean market.

Another pressure on the status quo was a recent report out from 3 researchers (Hyoungshick Kim, Jun Ho Huh and Ross Anderson) from the University of Oxford’s Computing Laboratory, “On the Security of Internet Banking in South Korea”:

South Korean Internet banking systems have a unique way of enforcing security controls. Users are obliged to install proprietary security software – typically an ActiveX plugin that implements a bundle of protection mechanisms in the user’s browser. The banks and their software suppliers claim that this provides trustworthy user platforms. One side-effect is that almost everyone in Korea uses IE rather than other browsers.

We conducted a survey of bank customers who use both Korean and other banking services, and found that the Korean banks’ proprietary mechanisms impose significant usability penalties. Usability here is strongly correlated with compatibility: Korean users have become stuck in an isolated backwater, and have not benefited from all the advances in mainstream browser and security technology. The proprietary mechanisms fail to provide a trustworthy platform; what’s more, alternative strategies based on trustworthy computing techniques are quite likely to suffer from the same usability problems. We conclude that transaction authentication may be the least bad of the available options.

The popularity of the iPhone (the press claims 500,000 units sold in the few months since it was released) resurfaced the issue that only Windows and IE can be used to make secure transactions with Korean Internet services. iPhone/Blackberry/Android users in Korea (not to mention Firefox/Opera/Safari/Chrome users) cannot bank online or purchase items online or do any secure transaction with the smartphone browser because Korean services only support the PKI mechanism that only works with Active-X in IE and Windows.

Dr. Keechang Kim of Korea University has been working tirelessly for many years to try to change the status quo in Korea around browsers and the reliance on a PKI mechanism that is tied to one platform. With concern being raised by different parts of the Korean government, including the Korean Communications Commission as well as the Office of the President of Korea, Keechang has gathered a very interesting panel of presentations for April 29th in Seoul.  The panelists will be addressing the (Korean) Financial Supervisory Service (FSS) which is the regulatory body in Korea that is currently mandating the PKI mechanism that is in place today (which requires Active-X, etc.)  Unless the FSS relaxes or changes their regulations, Korean banks cannot offer other mechanisms for Korean users to bank online, etc.  In short, unless the FSS changes their stance, nothing will change in Korea.

“Security Issues of Online Banking & Payment in Korea” is an open public meeting (registration recommended) starting at 10 AM on April 29th at COEX Conference Hall E1 and will feature:

  • Bruce Schneier (Chief Security Technology Officer, BT) on “Security: What Works, What Doesn’t, and Why”
  • Hyoungshick Kim, Jun Ho Huh (Univ. of Oxford) “What’s the danger of mandating proprietary security solutions?”
  • Lucas Adamski (Dir. Security Engineering, Mozilla) on “Securing Browser Interactions”

Again this meeting is open to the public. Anyone is welcome to attend.

While I have no illusions that one meeting will get the key Korean government entities to do a 180 from their current stance, I do think this will be an important opportunity to bring external, Korean and non-Korean security expertise to Korea to discuss the current state of affairs and show that a PKI-based security architecture is only as secure as the computers that those certificates are used on. If the computers are compromised (and at least one security services provider, Network Box, claims that S. Korea is the largest source of malware in the world: “Korea reigns as king of malware threats”), then there is no way to be sure that the person in control of those personal certificates is the legitimate owner.

The deletion of the requirement for WIPI in Korean mobile phones opened the Korean market to the iPhone and the Blackberry and Android phones from outside of Korea.  Korean users of these new smartphones realized that they could not bank online, buy online, etc. and are now pressuring the Korean government to change the current laws which mandate a PKI-based mechanism that has been implemented with Active-X.  As the popularity of smartphones that cannot make use of the current PKI-based architecture for encryption/authentication grows in Korea, the pressure for the government to change their regulations will only mount.  The key question for Mozilla is whether the Korean government will open up to a point where Firefox and Fennec can be used in the future for secure transactions in Korea.

Thank you to Keechang and everyone in the OpenWeb.or.kr community for your tireless efforts to try to break open the Korean market. Thank you also to Channy Yun who has put aside his own schedule in order to participate and guide Lucas in Seoul.  There is still a long road to walk to an open, competitive market in S. Korea for browsers, but I am starting to see the light at the end of the tunnel.

6 Responses to the Security of Internet Banking in South Korea in 2010

  1. About South Korea being “the largest source of malware in the world”: that does not surprise me. I get a lot of spam that originates in Korea (often at open relays in Korea, and usually somewhere at kornet.net), and AFAIK there’s no specific reason why I (living in Belgium i.e. almost at the other end of the world, and not knowing Korean) should be particularly targeted. In spamfighting circles, many people are setting their mailers to reject unread any mail with a Korean IP in its Received headers; the reason I don’t is that in one “family” of mailing lists to which I subscribe (about the Vim text editor) there are many legitimate posts originating in, among others, Korea. (The “On , wrote” header may be in hangul and/or in hanja but the rest of the posts is in English.)

    IMHO any move away from the present MSIE monopoly in Korea and toward “more easily auditable” security practices (which, IMHO, means open source in preference to proprietary software — the /keys and passwords/, of course, should remain secret) is a move in the right direction and should be helped any way we can. Not that I personally could do anything much :-/.

  2. almost the same situation here in China.

  3. In the long run Korea will have to capitulate to global interests and demands or else be excluded from the progressive loop. They’ll be even more of a backwater than they are now. You could get away with that (as a government) before there was the internet but in the information age, when comparisons can be freely and easily made, you can’t any more.
    It’s only a matter of time, some of it bloody maybe, till they come around.

    BB

  4. Thank you for explaining the situation in Korea.
    I hope the Korean government changes their mind..

  5. I think in some countries you can see the same situation, it is really “uncool”.

  6. It is worrying that most banks today still rely only on using SSL, Digital Certificates, OTPs and HTTPS for providing (supposedly) ‘secure’ access to their Internet banking customers!

    While SSL might provide an encrypted channel between the customer’s browser and the bank’s server, it does NOT authenticate the website that the customer is going to. The browser only validates whether the SSL certificate is valid or not – it does not authenticate whether the certificate indeed belongs to the Bank (except in the case of EV-SSL). Hence, the customer might see the “lock” icon in his/her browser and still may be connected to a malicious website that can steal their credentials.

    Even the One-Time Password (OTP) Tokens, that generate a single-use password which the customer has to enter in addition to the regular Internet banking password, are prone to man-in-the-middle attacks. Regardless of how the OTP is generated (hardware device / software program / mobile SMS), its limitation is that the customer still enters this OTP on an unauthenticated page and over an insecure channel. Plus, it is cost-prohibitive to deploy, maintain & renew the hardware tokens.

    It’s time we moved beyond such redundant measures and stopped fooling ourselves into a fake/induced sense of so-called ‘security’. We need to significantly upgrade our technology and protect customers from not only Man-in-the-Middle, Man-in-the-Browser and Phishing attacks, but also key-loggers, trojans, screen-scrapers, and all known kinds of spyware and malware (resident on the desktops, in browsers and on the internet).

    This might surprise you but two of India’s largest PSU banks (Bank of India & State Bank of India) are already in the process of implementing this cutting-edge technology called REL-ID that does all of the above & more!
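The Oxford abstract concludes that transaction authentication is the least bad option, the post argues that certificates on a compromised computer prove nothing about who is in control, and comment 6 points out that a plain OTP is typed into whatever page the browser shows. The simulation below is an added example, not code from the post, the paper or any commenter, and it assumes a constructed shared secret held on a device separate from the browser. It contrasts a challenge/response OTP with a code that commits to the beneficiary and amount, and shows which of the two still detects a transfer that a simulated man-in-the-browser rewrites after the customer has approved it.

```python
import hashlib
import hmac
import secrets

# Constructed demo value: in a real deployment this is a per-customer secret
# provisioned into a separate device (hardware token, phone app), never into the browser.
DEVICE_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_challenge() -> str:
    """Bank side: fresh per-session nonce so a code cannot be replayed later."""
    return secrets.token_hex(8)


def code_otp(secret: bytes, challenge: str) -> str:
    """Plain challenge/response OTP: depends only on the nonce, not on what is being transferred."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def code_transaction_auth(secret: bytes, challenge: str, dest_account: str, amount_krw: int) -> str:
    """Transaction authentication: the short code commits to the beneficiary and amount
    that the customer confirmed on the separate device."""
    msg = f"{challenge}|{dest_account}|{amount_krw}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def compromised_browser(tx: dict) -> dict:
    """Simulated man-in-the-browser on a compromised endpoint: the transfer the bank
    receives is not the one the customer approved (constructed attacker values)."""
    return {**tx, "dest_account": "999-ATTACKER", "amount_krw": 5_000_000}


def bank_accepts(scheme: str, challenge: str, received_tx: dict, code: str) -> bool:
    """Bank recomputes the expected code from the transaction it actually received."""
    if scheme == "otp":
        expected = code_otp(DEVICE_SECRET, challenge)
    elif scheme == "transaction_auth":
        expected = code_transaction_auth(
            DEVICE_SECRET, challenge, received_tx["dest_account"], received_tx["amount_krw"]
        )
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return hmac.compare_digest(expected, code)


def run_transfer(scheme: str, endpoint_compromised: bool) -> dict:
    """Customer approves a 50,000 KRW transfer (constructed sample) and obtains a code from
    the separate device; the browser forwards transfer and code to the bank."""
    approved = {"dest_account": "110-123-456789", "amount_krw": 50_000}
    challenge = issue_challenge()
    if scheme == "otp":
        code = code_otp(DEVICE_SECRET, challenge)
    else:
        code = code_transaction_auth(
            DEVICE_SECRET, challenge, approved["dest_account"], approved["amount_krw"]
        )
    sent = compromised_browser(approved) if endpoint_compromised else approved
    accepted = bank_accepts(scheme, challenge, sent, code)
    return {"accepted": accepted, "executed": sent if accepted else None, "tampered": sent != approved}


if __name__ == "__main__":
    for scheme in ("otp", "transaction_auth"):
        for compromised in (False, True):
            state = "compromised" if compromised else "clean"
            print(f"{scheme:17s} {state:11s} -> {run_transfer(scheme, compromised)}")
```

With the plain OTP the bank accepts the rewritten transfer, because nothing in the code ties it to the amount or beneficiary; with the transaction-bound code the recomputation fails and the transfer is rejected. The scheme only helps if the separate device shows the beneficiary and amount from its own input rather than trusting the browser, otherwise the customer confirms whatever the malware displays.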