08-03-2011 15:50
‘Time to hit reset button on ID system’

By Kim Tong-hyung

The national identity system appears to be in existential danger after the sensitive personal information of tens of millions of Internet users was stolen.

In Korea’s biggest-ever case of data theft, the recent hacking attack at SK Communications, which runs top social networking service Cyworld and search site Nate, breached 35 million accounts, a mind-boggling total for a country that has about 50 million people and an economically active population of 25 million.

The compromised information includes names, passwords, phone numbers, e-mail addresses, and most alarmingly, resident registration numbers, the country’s equivalent to social security numbers.

Government officials insist that the country’s computer security defense is still salvageable as they scramble to apply patchwork fixes. But critics, unconvinced, claim it’s officially time to blow up the national ID system and start over.

“The resident registration number of virtually every Korean is out there ― the information is so easily available that police announced a while ago that hackers are barely getting 1 won for each code. And we have heard rumors that criminals are passing these numbers around in (Microsoft) Excel files,” said Jang Yeo-gyeong, a computer security expert at activist group Jinbo Net.

“Although it would be a very costly and difficult process, there’s no going around that the government needs to hit the reset button on the national ID system now, prepare to discard the old numbers and create new ones, if not for every Korean, at least for those who ask. People still need these numbers for government services, banking and electronic commerce, and it would be risky to continue using them as the core of our administrative system when they are no longer confidential.”

From a security standpoint, resident registration numbers are flawed from the start. The 13-digit code reveals the birth date, sex and registration site of a person, unlike comparable systems in the United States and Japan based on random numbering.

People here submit their national ID numbers to Korean Web sites due to local laws requiring them to make verifiable real-name registrations for virtually every type of Internet activity, not only for encrypted communications like e-commerce, online banking and e-government services but also casual tasks like e-mail and blogging.

This also enabled Internet companies to work from a mountain of personal information and reap huge profits from individually-targeted business products.

At the same time, this makes them delicious prey for hackers, as SK Communications can painfully attest.

In the hands of criminals, resident registration numbers could become master keys that open every door, allowing them to construct an entire identity based on the quality and breadth of data involved.

A shakeout of the national ID system would help defuse this threat, Jang says, although it would be crucial that the new codes are kept and used for administrative purposes only and sealed away from private firms.

While government officials admit there is a need to significantly reduce the amount of personal information collected and used by Web sites, they balk at the idea of renewing ID numbers for the entire population. Their suggestion is to simply replace resident registration codes with little-used I-Pin codes, a scheme developed in 2006 for online identity verification.

This would mean Internet companies get to keep extracting as much personal information from users as they previously did, except that the data would be tagged with different serial numbers. Attempting to curb cyber bullying, the government has been strengthening real-name registrations on Web sites in recent years and has no intention of permitting online anonymity just yet.

“There is a need to make a clearer distinction on Internet services that would require real-name verification and those that do not. Then we can readjust regulations to minimize the use of resident registration numbers online and promote the use of I-Pins or one-time-passwords (OTPs) as alternative verification tools,” said an official from the personal information protection division of the public administration and security ministry.

I-Pin codes are provided by five different organizations ― the Seoul Credit Rating and Information Service, Sign Gate, the Korea Information Service, National Information and Credit Evaluation Service and the public administration ministry.

To receive an I-Pin number, Internet users must first verify their identities through public key certificates, credit card numbers, mobile phone accounts or by submitting their resident registration card or driver’s license number to one of the five organizations. The user is then provided with a code and password.

Critics claim that I-Pin codes could eventually become as vulnerable as resident registration numbers. A group of hackers managed to create more than 15,000 fake I-Pin codes using records from prepaid cards and mobile phones, and sold them to Chinese criminals last year, according to Seoul police.

“Should I-Pin emerge as the main online verification tool, the five organizations that issue them could then become targets of hackers. There is no reason to think that the I-Pin codes would be better protected than current national ID numbers, but you have to wonder if the government officials might be interested in creating business opportunities for the four private organizations involved in issuing them,” said Jang.

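Is it time to hit the reset button on the resident registration number system?

It remains to be seen whether the worst-ever personal information leak will lead to an existential crisis for the resident registration number system.

A hacking attack on SK Communications, which runs the country’s largest social networking site and the popular portal Nate, leaked the IDs, names, passwords, phone numbers, e-mail addresses, resident registration numbers and other data of as many as 35 million people. That is an enormous number considering that Korea has a population of 50 million and an economically active population of 25 million.

Government officials maintain that there is still ample room to improve Korea’s computer security environment. However, voices are calling for boldly scrapping the current resident registration number system and starting over from scratch.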