Is AhnLab to blame for online banking mess?
By Kim Tong-hyung
The need for Internet security continues to grow, and this has anti-virus software makers touting themselves as the guardians of the networked world.
However, in Korea, often described as the planet's broadband capital, computer security firms appear to be developing a dual reputation, with critics debating whether they are moving efforts for a safer Internet forward or derailing them.
It all starts with the Microsoft monoculture in computer operating systems and Web browsers here, which is blamed for limiting Korean computer users, leaving them stuck with outdated technology and exposed to larger security risks.
Korean law mandates that all encrypted online communications be based on electronic signatures enabled through a public-key infrastructure.
Since the fall of Netscape in the early 2000s, Microsoft's Active-X, used in its Internet Explorer (IE) Web browsers, has remained the only plug-in mechanism used to download public-key certificates to computers. This locks users of non-Microsoft browsers such as Firefox, Chrome and Opera out of banking and shopping online, and has forced Mac users to buy Windows CDs to keep their computers from being reduced to fashion items.
The Korean dependence on Active-X is unique, as security concerns have limited the deployment of the technology elsewhere. Rather than restricting what a control is allowed to do, Active-X relies on a simple "yes or no" prompt over a signed control, leaving users to judge for themselves whether to download it. This is a risky arrangement, since Active-X controls run with full access to the Windows operating system and can be abused by cyber criminals to take control of the user's computer.
The Korean reliance on Active-X became a hot topic again last summer when a massive Internet attack left more than 80,000 Korean computers crippled. It was pointed out that Active-X provided an easy route for cyber criminals spreading malware for the distributed denial of service (DDoS) attacks.
There have been increasing calls to improve the Korean Internet banking environment, and the target of criticism has usually been financial authorities such as the Financial Supervisory Service (FSS) and the Ministry of Public Administration and Security, which controls e-government sites.
However, a growing number of observers claim that security software makers, including industry leader AhnLab, should be held just as accountable for the deterioration of the Korean computing experience as the hapless policymakers. AhnLab has been a major provider of the mandatory security programs for IE browsers, along with Soft Forum and Initech.
Saviors or opportunists?
One would have to admit there is an irony in that these anti-virus firms, supposedly the torchbearers of the safe Internet, insist on using the risky Active-X plug-ins to provide their products to users, instead of through file downloads.
It certainly takes some courage to call out a company like AhnLab, which was lauded by the media last year after playing a central role in the country's defense against the DDoS attacks. And the company's founder, doctor-turned-techie Ahn Cheol-soo, is considered not just a successful businessman but a role model for social responsibility, a cross between Steve Jobs and the Pope perhaps.
Nevertheless, Kim Kee-chang, a Korea University law professor who has led a series of unsuccessful lawsuits against the government over the overwhelming use of Active-X, is absolutely merciless in describing the role of AhnLab and other anti-virus firms in the whole mess.
"Anti-virus firms are the only ones who are benefiting from the current Internet banking structure, which itself happens to be the biggest fraud of all. This system is all about creating an illusion of security that essentially does nothing other than allowing these software makers to make easy money off aging technology," Kim said in a recent interview with The Korea Times.
"It's depressing to see these so-called Internet technology experts sinking so low, sacrificing their morality to the last ounce in pursuit of profit. They have government officials in their pockets, as nobody ever accuses bureaucrats of having a bright understanding of technology," he said, emphasizing that it was the anti-virus firms that chose plug-ins as the method of providing the required security programs to banks and computer users.
Obliging users to install the security applications as plug-ins has obviously been a lucrative business decision for the software makers, giving them an easy way to bundle their anti-virus vaccines, keyboard encryption programs and firewalls for clients.
The losers, Kim says, are computer users, who end up with vulnerable machines worn down by a thick web of Active-X controls, while being discouraged from moving beyond the aging computing experience based on Windows XP and IE6.
"The advancements in computer operating systems and Web browsers are providing a higher level of security than before, and would do a better job in securing the safety of transactions than any combination of Active-X controls. But it has been in the interest of anti-virus companies to hinder the acceptance of advanced technologies and keep alive the old regime that has been bringing them money," Kim said.
Naturally, the anti-virus companies balk at the suggestion that they became part of the disease they were meant to cure, although their response to the criticism sounds more like a confession than a complaint.
Hwang Mi-kyeong, an AhnLab spokeswoman, said that the anti-virus companies weren't given a wide range of choices, with banks reluctant to shoulder more responsibilities for damages in Internet banking fraud and Korean computer users preferring a Microsoft-centered solution.
AhnLab already has the capabilities to provide security programs to enable Internet banking and e-commerce on non-Microsoft browsers, Hwang said, but is finding little demand for them.
"We are the 'eul' (secondary player) in this relationship, as we can only provide the technology the financial sector is asking from us. We have worked with banks to develop a solution that would be most effective and comforting to Korean users and their browser of choice, which was predominantly Internet Explorer," she said.
Hwang also said that the Korean Internet banking system, relying on private keys and a wealth of proprietary software, provides more security than the simpler systems used in other countries.
Indeed, the Korean losses from Internet banking fraud in past years are still microscopic compared to damages reported in countries such as the United States or Britain. However, some experts believe this has more to do with the hurdle provided by the Korean language than the effectiveness of the country's online security mechanism.
"Active-X is not a problem when computer users use it smartly, and we are already providing a depth of programs to prevent fraud and repair damages. To blame all the Internet security problems on Active-X and anti-virus firms is oversimplifying things," Hwang said.
Illusion of security
The biggest criticism of Korea's public-key infrastructure is that the programs provide little security beyond simple passwords. The private keys are mostly stored on unprotected storage such as hard disks or USB drives, and can be duplicated simply by copying the NPKI folder from the computer to another storage device.
The security provided by Active-X plug-ins is only active during the banking session, which leaves computers vulnerable the rest of the time. And the mandated security requirements become completely irrelevant once the user's machine has already been compromised.
Aside from the security issues, usability is also a problem for Active-X plug-ins. A computer user needs to install at least nine Active-X controls to access the online banking services of three or more banks, according to a recent report.
Even Microsoft seems ready to bail on Active-X, as it looks to phase out the technology over security concerns and compatibility issues. This leads to awkwardness whenever Microsoft introduces a new product here.
The release of Windows Vista in 2007 caused massive disruption when the Active-X programs used by banks and online retail sites didn't function properly.
Bruce Schneier, chief security technology officer for British Telecom (BT), says the government should first establish legal liability for damage resulting from security flaws and then get out of the way. He stresses that the government should be demanding "results," rather than technologies, from banks and credit-card companies in their efforts to provide better user protection.
"There is danger in relying on technology too much, and specific technology in that," Schneier said on the sidelines of a seminar in Seoul last week themed "Security Issues of Online Banking & Payment in Korea."
"Once a law mandates specific technologies such as protocols, applications or software, innovation stops. Companies know they will be okay as long as they do everything that the law says, and they will not figure out ways to make things more secure," he said.