When using a Korean shopping site, a customer will have to install about seven Active-X programs to make a single purchase. / Korea Times photo by Kim Joo-sung
Despite political bluster, Korea's dreadful computing experience unlikely to improve quickly
By Kim Tong-hyung
Korea's 21st century personal computer (PC) experience has been a spectacle of awful that keeps getting more bizarre.
The security problems and inconvenience in electronic commerce and finance are so dramatic that President Park Geun-hye had to use a live television appearance last week to issue an assurance that something will be done. But even she has to know the country is way past the point of finding a quick way out of this mess.
In her multi-hour talk with policymakers on reducing unnecessary regulations, which was broadcast to the comfort of journalists but probably no one else, Park mentioned the popular SBS TV drama "My Love From the Star" to criticize the country's computer security requirements.
The appearance brought into focus Korea's unique system for encrypted online communications, such as financial transactions and e-government services.
By law, Koreans are required to use a "public key" when making online transactions such as banking or making large purchases. Each key is bound to an individual and used to produce digital signatures for executing transactions.
This obligation, which resulted in a Microsoft monoculture in operating systems and Web browsers, has been blamed for locking Koreans to outdated technologies, increasingly bad services and larger security risks.
"I heard that one of our recent TV dramas gained huge popularity in China. I also heard that a large number of Chinese viewers visited Korean shopping websites to buy the clothes and accessories worn by the characters in the drama, but were unable to do so because the sites required public key certificates for purchasing," Park said.
"The Korea-only requirement that is the public key certificate is preventing Korean shopping malls from becoming international businesses."
Park has a habit of getting cute with pop culture references. This often fails as an effective form of speech because policymakers, whose instinct is to over-attack symptoms but avoid the disease, will choose to interpret Park's words only in the most literal sense.
Yes, Park's comments did force the Ministry of Strategy and Finance, Financial Services Commission and the Ministry of Science, ICT (information and communication technology) and Future Planning to discuss enabling online purchases without public key certificates.
However, the government departments also made it clear that the newfound freedom will apply only to foreigners. Public key certificates are a target of reform only because the Chinese find it difficult to order Jun Ji-hyun's coat, not because of the burden they put on Korean lives and companies.
The cost of being Korean will continue to include downloading a slew of shaky security plug-ins until the computer gives in.
"The direction of the discussions is to employ the changes differently between Koreans and foreigners," said an official from the Korea Internet Security Agency (KISA), which is a sub-organization of the ICT Ministry.
"Currently, purchases under 300,000 won are allowed to be done without public keys. There have been discussions about elevating the limit but nothing is conclusive yet. It would be the wrong move to lift the current requirements on Korean consumers when we have yet to find alternative methods to replace public key certificates and Active-X plug-ins."
But that would unequivocally be the right move, computer security experts argue. They point out that public key certificates do not add anything to security beyond a simple password gateway, which makes them worse than useless as they create an illusion of safety where there is none. This is precisely the vulnerability that has left Korea's computer security more porous than Swiss cheese.
Usability is another issue. Since the fall of Netscape in the early 2000s, Microsoft's Active-X technology, which functions only on its Internet Explorer browsers, has been the only plug-in tool used to download public key certificates. When using a Korean shopping site, a customer will have to install about seven Active-X programs to make the simplest of purchases.
This is as dangerous a requirement as it is an inconvenient one. Instead of providing a security-based model, Active-X relies on simple "yes" or "no" confirmations by the user over downloading programs and controls. This is extremely risky because Active-X tools require full access to the operating system and the programs are often abused by hackers to intercept the user's control of a computer.
Such problems were highlighted in March last year when North Korea initiated the series of cyber attacks that crippled the networks of South Korean television stations and financial companies.
Officials found that the malicious software used by the North penetrated the computers through XecureWeb, an Active-X program developed by Seoul-based security software maker Soft Forum and commonly used in online banking transactions.
To put it simply, the Korean computer security system is like a door guarded by many locks, but all paper ones. To get into the house, the owner has to go through the trouble of opening each of them. Intruders, however, prefer to rip right through.
"The problem with the Korean security system is that it is designed to put the chief responsibility on individuals, not the companies. Public key certificates and security programs are downloaded in individual companies. This leaves companies less motivation to invest and make their servers more secure," said an official from an anti-virus firm.
In calling for changes, Park showed a firm grasp of the obvious. But she will likely find that words come easier than action. The Korean security system did not survive the past 15 years because it was effective; it did because of the murky and profound union between policymakers, finance companies and security software makers, which have profited by extending the country's computer problems instead of solving them.
The private institutions that issue public key certificates, including the Korea Financial Telecommunications and Clearings Institute (KFTC), share a market that is over $50 million annually. While customers do not pay directly for these certificates, their banks do and will reflect that cost somewhere in services.
KFTC has been providing lucrative jobs to public servants retiring from the finance ministry, the Bank of Korea and other central government offices, paying them hundreds of millions of won a year to be executives or "auditors." The Financial Services Commission, which is supposed to audit KFTC every two years, last did it in 2010.
Financial firms obviously prefer heavy-handed restrictions as well. With the current law mandating specific technologies, these companies know they will be all right as long as they do everything the law says. There is little motivation for them to figure out ways to make transactions more secure.
Auction, the Korean branch of eBay, and SK Communications, a major social media company, have averted heavy penalties despite failing to protect the personal data of their tens of millions of customers from hackers in recent years.
Criminals breached the customer data of credit card firms such as Nonghyup, Kookmin and Lotte earlier this year. The firms were able to walk away with three-month business suspensions and a fine of 6 million won each.
"The transaction services provided by Amazon and Paypal are quick, easy and secure. They handle the security process in servers. They invest a lot in their services because these are their profit, and security problems would be their loss," said the official from the anti-virus firm.
"In comparison, Korean companies know that if they only follow the specific protocol set by the government, they will not be held responsible for bad results."