Smartphones, such as the newly released Motorola Motoroi, are gaining popularity in Korea, but consumers are growing frustrated about the government rules controlling financial services on mobile devices.
/ Korea Times
By Kim Tong-hyung
Intelligent smartphones may end up rendered retarded by Korea's crusty Internet regime.
Once a hard sell here, smartphones are now flying off shelves, thanks to the emergence of intriguing devices such as the Apple iPhone and Samsung Electronics' Omnia II.
As the high-end handsets work more like handheld computers than phones, supporting Web browsing, e-mail, video, music and games as well as voice, their rising popularity has been generating excitement for a long-awaited mobile Internet explosion here.
And among the inspired were banks, credit card companies and online retailers, as they drooled over the idea of mobile users having their handsets masquerade as banknotes and credit cards.
However, it appears that aspirations for a mobile wallet should be put on hold for now. In setting the safety guidelines for financial services provided on smartphones, the Financial Supervisory Service (FSS) has said that all financial transactions on these advanced handsets should be subject to the same security requirements that control online transactions by computers.
The problem with this arrangement is that the existing legal framework was precisely what allowed Microsoft to establish a virtual monopoly in computer operating systems and Web browsers here, which is now blamed for having Korean computer users stuck with outdated technology and exposed to larger security risks.
Allowing a similar monoculture to take hold in smartphones may result in even greater awkwardness, especially when the U.S. software giant doesn't seem to have a prayer of matching its desktop dominance in the mobile world.
In essence, the current law states that all encrypted online communications on computers require the use of electronic signatures based on public-key certificates. And since the fall of Netscape in the early 2000s, Microsoft's Active-X controls on its Internet Explorer (IE) Web browsers have remained the only plug-in tool to download public-key certificates to computers.
This has prevented the users of non-Microsoft browsers such as Firefox, Chrome and Opera from banking and buying products online, and forced Mac users to buy Windows CDs to keep their devices from being reduced to fashion items.
"The FSS made a shockingly unwise move, considering that the measures won't add anything in improving the security of transactions on mobile devices," said Kim Kee-chang, a Korea University law professor who has led a series of legal actions against the financial authorities for their insistence on overwhelming Active-X use. He claims the country's computing experience is being held hostage by "tech-ignorant" government officials and opportunistic security software makers.
"Every problem will disappear once the mandate for public-key certificates is lifted, which will make every transaction on computers, smartphones and other data-enabled devices easier and safer. This is a rule that has worsened the country's Internet environment for over a decade, caused an immense amount of inconvenience, and retarded the advancement of local Web technology."
The FSS rules are already proving to be a massive letdown for consumers. Online book retailers Aladdin (www.aladdin.co.kr) and Yes 24 (www.yes24.com) had unveiled mobile payment programs for smartphone users earlier this year, but were forced to yank them off after credit card companies refused to accept them.
Major online retailers, such as the eBay-owned Auction (www.auction.co.kr) and Gmarket (www.gmarket.com), have yet to allow smartphone users to order products from their handsets.
Hana Bank was the first among Korean banks to introduce a mobile banking service for iPhone users earlier this year, but is now likely to be forced to rip apart and rewrite its programs to follow the FSS guidelines.
The FSS decision to mandate public-key certificates for financial services on smartphones is rather curious, considering that the existing mobile banking services enabled on simpler feature phones aren't affected by the same requirements.
This is because the law on online transactions provides an "exception" clause that allows other verification methods to be used when public-key certificates aren't available, which had allowed banks and credit card companies the freedom to design their own mobile services.
"We have never once required anybody to rely on a certain technology by a certain company," said Choi Jae-hwan, who heads the information-technology team of the FSS supervisory service bureau.
"We are having input in the discussions between the Ministry of Public Administration and Security and the Korea Internet and Security Agency (KISA) to establish the standard specification for technologies to download public-key certificates on mobile devices, so smartphone users won't have to wait for too much longer."
In requiring public-key certificates on smartphones, government officials claim that the iPhones and BlackBerries of the world are more computers than they are phones.
However, critics question why the FSS insists on so much complication when there are much simpler methods, such as text-message verification, that are more effective for ensuring safe transactions than electronic signatures.
Requiring users to download certain types of applications to enable financial services on their smartphones may also expose them to larger security risks, as it could provide a juicy blueprint for cyber criminals to disguise their malicious software, just as they exploit Active-X plug-ins in the desktop computing world.
Users of the iPhone would be less vulnerable, as Apple strictly monitors and controls the programs available on its App Store. However, smartphones powered by more open mobile platforms, such as the Google-backed Android, could become fair game for tech theft should the country insist on a monoculture of mobile security technologies.
"Public-key certificates don't add another layer of protection beyond simple passwords, and they could be duplicated endlessly by just copying and pasting the NPKI folder from the hard disk drives to USBs and other storage devices," said Kim.
"Another problem is that public-key certificates could be renewed easily on the Internet without face-to-face verification, which makes it further irrelevant as a protection method. There should be verification methods beyond the Internet channel to secure the safety of transactions, and mobile-phone text messages or the security code cards of banks are already providing this."