British Telecom CTO
By Kim Tong-hyung
Internet banking fraud continues to be an increasing problem in South Korea, despite the government's heavy-handed measures to monitor online transactions. Now, technology experts are debating whether an overbearing government is actually at the core of the problem, rather than part of the solution.
Korean authorities have been displaying an oppressive, rule-making persona in imposing computer security requirements in past years, including mandating all encrypted online communications to be based on electronic signatures, which are enabled through public-key certificates.
However, the requirement of public-key certificates was precisely what allowed Microsoft to establish a virtual monopoly on computer operating systems and Web browsers here, which is now blamed for limiting Korean computer users stuck with outdated technology and exposed to larger security risks.
As a result, government officials are collaborating with financial services firms and security software makers as they scramble to identify better technologies for transferring money online.
But this is the wrong move, according to Bruce Schneier, chief security technology officer of British Telecom (BT), who says the government should first establish legal liabilities for damage resulting from security flaws and then get out of the way.
Schneier was participating in a seminar titled ``Security Issues of Online Banking & Payment in Korea,'' organized by the Office of Small and Medium Business Ombudsman at COEX in southern Seoul.
``There is danger in relying on technology too much, and specific technology in that,'' Schneier said, stressing that the government should be commanding ``results,'' rather than technologies, from banks and credit-card companies in their efforts to provide better user protection.
``Once a law mandates specific technologies such as protocol, applications or software, innovation stops. Companies know they will be okay as long as they do everything that the law says, and they will not figure out ways to make things more secure.
``Once visiting Canada, my credit card number was stolen and criminals had attempted to withdraw money from it. It took Visa just half an hour to cancel my cards, as they have their own system to look for signs of fraud, authenticating transactions rather than just the user of the card, and I was impressed.
``Force the credit-card companies to be liable for fraud, tell them `you can use any technology you want because fundamentally this is your profit and this is your loss.' Korea seems to have it the other way around.''
Since the fall of Netscape in the early 2000s, Microsoft's Active-X, used on its Internet Explorer (IE) Web browsers, remains the only plug-in tool that can download public-key certificates to computers.
This has prevented users of non-Microsoft browsers such as Firefox, Chrome and Opera from banking and buying products online.
The country had nearly 22 million issued public-key certificates at the end of last year. The debate over security technologies is now being extended to wireless devices as the Internet increasingly goes mobile.
The plans by the Financial Supervisory Service (FSS) and the Ministry of Public Administration and Security to require standard software to download public-key certificates on smartphones have met with fierce resistance here and there seems to be differing opinions between government agencies as well.
The Korea Communications Commission (KCC) sides with the claims of critics that a specific technology for mobile transactions would expose wireless users to a similar, shaky security environment experienced by computer users in the Microsoft-dominated desktop world and promises more flexibility in verification methods.
The backers of the Active-X-based security mechanism claim that the system has worked better than given credit for, as they point out that the Korean losses from Internet banking fraud remain microscopic compared to the damages reported in countries such as the United States or Britain.
However, this may have more to do with the hurdle of the Korean language itself rather than the solidness of the Microsoft Web tool ― it's hard to imagine scammers from Eastern Europe or sub-Saharan Africa learning Hangul to develop ``phishing'' sites targeting Korean bankers.
``The Korean losses from online banking fraud are about 109 times less than the United Kingdom's, but this has much to do with the small sample sizes. Since the number of attacks is very small, losses can change greatly if there is one serious attack ― nearly 90 percent of the Korean losses between 2008 and 2009 were incurred by only one attack method,'' said Kim Hyoung-shick, a computer scientist from Cambridge University.
``I own both a PlayStation Portable (PSP) and another handheld game console from Korea's Game Park (GP). PSP is hacked more frequently compared to the much-lesser-known GP, but does this prove GP is more secure than PSP? Besides, there is a possibility that Korean Internet banking fraud could increase significantly once hackers from China and elsewhere attain better language capability.''
Critics stress that public-key certificates don't offer greater security beyond the simple passwords. One of the problems is that private keys are mostly stored on unprotected memory such as hard disks or USBs, and could be duplicated easily by just copying and pasting the NPKI folder on the computers to other storage devices.
The security provided by the Active-X plug-ins is only active during the banking session and rendered irrelevant when the user's machine has been compromised already.
Usability is another issue, as an Internet user logging in for the services of three banks would need to install at least nine Active-X plug-ins, Oxford University's Huh Jun-ho said. And to use multiple machines, the user needs to copy the private keys and install the plug-ins again and again.
Lucas Adamski, who heads the software security team at Mozilla, which backs the Firefox Web browser, said online banking and e-commerce providers should consider redesigning their Web pages to support HTTPS, or HTTP Secure.
``Supporting HTTPS comes with many benefits. The server is authenticated to ensure the user is talking to the server they think are talking to, before any content is sent or received,'' Adamski said.
``The browser will not normally send or receive any content from a Web site with an invalid or expired certificate or if the certificate does not match the server name. This means that there is no opportunity for a man-in-the-middle (MITM) injection attack to happen in the first place.''