BreachExchange mailing list archives

South Korea at a crossroads with ID card, data theft losses


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 15 Oct 2014 18:25:58 -0600

http://www.cbc.ca/news/world/south-korea-at-a-crossroads-with-id-card-data-theft-losses-1.2797590?cmp=rss

After an avalanche of data breaches, South Korea's national identity card
system has been raided so thoroughly by thieves that the government says it
might have to issue new ID numbers to every citizen over 17 at a possible
cost of billions of dollars.

The admission is an embarrassment for a society that prides itself on its
high-tech skills and has some of the fastest Internet access.

The issue came to a head after 20 million people including the president,
Park Geun-hye, were victims of a data theft at three credit card companies.
Park acknowledged in January change was needed and ordered a study of
possible options. A decision is due later this year.

Rebuilding the system and tightening security could take up to a decade,
according to Kilnam Chon, a researcher known as the "Father of the Korean
Internet" for his pioneering work in online technology in the 1980s.

"The problems have grown to a point where finding a way to completely solve
them looks unlikely," said Chon.

Ahn Seong-jin, a Seoul office worker, lost $4,700 in a high-tech crime wave
after hackers posing as a friend asked for a loan in a computer message.

Details that included a national ID number stolen from the friend's social
media account made the plea look plausible. Five minutes after Ahn sent the
money by smartphone, the real friend sent a message warning him someone
might be using his name. Ahn called his bank but the money was gone.

"One of my colleagues came to me and said, 'Hey, I got robbed too, and so
did Mr. Lee,'" said Ahn, 37.

ID numbers and personal details of an estimated 80 per cent of South
Korea's 50 million people have been stolen from banks and other targets
since 2004, according to experts.

Those numbers stay with South Koreans for life and, instead of being picked
randomly, are based on their age, sex and other details. They are used to
confirm identity, get a job or government services and even to buy
cigarettes. A thief who gets a number and a name to match can set up phone,
email or bank accounts.

The problems stem from South Korea's enthusiasm for the Internet and
information technology, which grew faster than security measures.

Critics say ID system makes citizens more susceptible

Hoping to spur technology development, the government rolled out fast
Internet access to nearly every home and business. About 85 per cent of
South Korea's people are online and the country has 40 million smartphones.

But critics say that instead of protecting users, the online identity
system mandated by Seoul makes them more vulnerable to theft.

Everyone is tied to identity numbers created by a dictatorship in the 1960s
to control the public, with no thought to privacy. The first few digits are
the user's birth date, followed by a "1" for male or "2" for female and
then other details.

"Resident registration numbers' usage across different sectors made them
'master keys' for hackers to open every door and steal whole packages of
personal information from unassuming victims," said researcher Geum
Chang-ho at the state-run Korea Research Institute for Local
Administration. The agency carried out the study of possible new models for
personal codes.

"Even if their numbers are leaked, people are unable to change them, so
hackers are constantly trying to obtain these numbers and are managing it
easily," said Geum.

The government required Web surfers who wanted to deal with banks or shop
online to use ActiveX, a Microsoft Corp. product that provides a digital
signature.

Critics say the ActiveX signature was no more than a simple password and
could easily be duplicated. They said another weakness is that the program
runs only on Microsoft's operating system and browser and requires full
access to the computer's operating system. Thieves who learned to hack that
system could steal from any computer.

In Ahn's case, police said hackers working from an Internet address in
China stole his friend's details from one of South Korea's biggest social
media sites. They used them to write a plausible message saying his friend,
an entrepreneur, needed money in hours to avoid a business crisis. Ahn sent
five million won ($4,700 US) without hesitation.

"I have a lot of friends who run their own business and they often run into
situations where they need to borrow money quickly," Ahn said.

Police told Ahn there was no way to chase the criminals. He was shown video
of a man in a baseball cap withdrawing the money from an automatic teller.

"Everything happened within seven or eight minutes," said Ahn. "The man in
the baseball cap probably was waiting near the cash machine with his phone."

At a recent public hearing, officials of the Ministry of Security and
Public Administration said possible changes include issuing random numbers
as identity codes. That would require approval from lawmakers.

"There is no doubt that we are talking about massive changes," said Kim
Ki-su, a director at Seoul's Ministry of Security and Public Administration.

It was Park's late father, then-dictator Park Chung-hee, who ordered
identity cards created in 1968 in a security crackdown after he survived an
assassination attempt by North Korean commandos.

Records of identity numbers are held by employers, retailers and others,
some with little security.

Auction, a consumer-to-consumer e-commerce platform, weathered class-action
lawsuits after China-based hackers stole ID numbers and other information
of 11 million users in 2008. Nexon, South Korea's largest video game
company, lost personal details of 13 million customers in 2011.

Information stolen from the Kookmin Card, Lotte Card and NH Nonghyup Card
this year included names, ID and phone numbers, credit card numbers and
personal credit ratings.

ID numbers are so easy to obtain that they should be considered "public
domain," said Oh Byeong-il, an activist with the group Korean Progressive
Network.

Stolen numbers are so plentiful that six men arrested in the city of Muan
in August on charges of trading details of some 27 million people told
police they were able to get just one won (under one-tenth of one U.S.
cent) for each name and ID number combination.

A new ID system would cost at least 700 billion won (about $650 million) to
overhaul government computers and issue cards, according to Kim, the
official of the public administration ministry.

Costs to companies such as financial firms to redesign services could reach
several trillion won (several billion dollars).

Oh argued that just issuing new numbers won't solve the problem if they
still are used universally to verify identities. He said thieves will just
steal the new numbers.

"We need different numbers for different social purposes," he said at the
government hearing. "And private companies should be restricted from
keeping and using the data."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
