Authorities Slammed for ‘Myopic’ Approach to Wireless Banking Security
By Kim Tong-hyung
Mobile banking is growing fast in Korea, and the rising popularity of smartphones, which work more like handheld computers than conventional phones, was supposed to take the market even further.
However, critics say a letdown is due, with government authorities all but assuring that a limited number of technologies will dictate the Internet banking experience on portable devices, similar to the situation with desktop computers here.
At the center of the controversy is the Financial Supervisory Service's (FSS) guidelines on the safety of financial services provided on smartphones, which were finalized and announced last week.
The new rules can be summarized simply: all financial transactions on these advanced handsets will be subject to the same security requirements that control online transactions on personal computers.
The problem with this, according to critics, is that the existing legal framework was precisely what allowed Microsoft to establish a virtual monopoly in computer operating systems and Web browsers here, which is now blamed for having computer users stuck with outdated technologies and exposed to larger security risks.
FSS officials claim that strengthening the verification process for mobile financial services is critical, as local technology experts predict smartphones will become a frequent target of Internet attacks and security breaches from now on.
However, it's debatable whether less diversity in mobile software should inspire any long-term confidence for secure transactions in the future, and that is if it doesn't cripple the nascent market first.
“This is certainly a turn for the worse. It seems that all the debate in the past years has resulted in nothing productive,” said Channy Yun, the local leader of the Mozilla Foundation, a non-profit organization promoting the Firefox Web browser.
The current law states that all encrypted online communications on computers require the use of electronic signatures based on public-key certificates. And since the fall of Netscape in the early 2000s, Microsoft's Active-X controls on its Internet Explorer (IE) Web browsers have remained the only plug-in tool for downloading the public-key certificates on computers.
This has prevented the users of non-Microsoft browsers such as Firefox, Chrome and Opera from banking and purchasing products online, and forced Mac users to buy Windows CDs to keep their devices from being reduced to fashion items.
Allowing a similar monoculture to take hold on smartphones may result in even greater awkwardness, especially when the U.S. software giant doesn't appear to have a prayer for matching its desktop dominance in the mobile world.
Microsoft's Windows Mobile operating system is just one of the technologies that are competing for supremacy on the mobile platform, with other contenders including the Google-backed Android and Symbian. The Apple iPhone and Research In Motion (RIM)'s BlackBerry, the two hottest smartphone brands on the planet, are each powered by their own operating system as well.
The FSS decision to mandate public-key certificates for smartphone-based financial services is rather curious, considering that the existing mobile banking services enabled on simpler feature phones aren't governed by the same requirements.
The current law on online transactions provides an “exception” clause that allows other verification methods to be used when public-key certificates aren't available, and this had allowed banks and credit card companies the freedom to design their own mobile services.
However, government officials insist that smartphones are more computers than they are phones.
“Smartphones are much more advanced than conventional feature phones that handle data, and they require a different approach to mobile banking. The idea is to provide the same amount of protection for encrypted communications on smartphones as we do on computers,” said an FSS official.
“We are not promoting a certain technology developed by a certain company of any kind.”
Smartphones Taking Off
Smartphones, which had been a hard sell in previous years due to their high prices, are now flying off the shelves. Local mobile operator KT has sold more than 200,000 iPhones since releasing the handset at the end of November, and other intriguing devices, such as Samsung Electronics' T-Omnia II, are gaining popularity as well.
The recent trend has financial service providers competing to expand their mobile wallets to smartphones. Hana Bank introduced a mobile banking service for iPhone users last month, but may now be forced to tweak its offerings to meet the FSS requirements.
“It's regrettable that government officials continue to think that plug-in programs such as Active-X are needed to secure safe transactions, when Web-based applications can do the same job, and perhaps execute it more efficiently. Local banks and credit card companies have already proved this with their existing mobile financial services,” said an official from a local software developer, who didn't want to be named.
It is estimated that around 99 percent of Korean computers run on Microsoft's Windows operating system, and a similar proportion of Internet users rely on the company's IE.
The country's dependence on Active-X is unique, as security concerns have limited the deployment of the tool elsewhere. Instead of a security-based model, Active-X relies on signatures to allow users to judge whether to download an Active-X control. This is a risky arrangement, since Active-X controls require full access to the Windows operating system, meaning they are often abused by cyber criminals to compromise the user's control of the computer.
The Korean reliance on Active-X became a hot topic again last summer when a massive Internet attack left more than 80,000 Korean computers crippled. It was pointed out that Active-X provided an easy route for cyber criminals spreading malware for the distributed denial of service (DDoS) attacks.
Even Microsoft seems ready to bail on Active-X, looking to phase out the program over security concerns and compatibility issues.
This leads to awkwardness whenever Microsoft introduces a new product here. The release of Windows Vista in 2007 caused massive disruption here when Active-X programs used by banks and online shopping sites didn't function properly.