Online banking wiggles out of Microsoft chokehold
By Kim Tong-hyung
Microsoft had previously dominated the Korean computing experience and this had much to do with its virtual monopoly on Internet technologies used for encrypted communication like online banking and electronic commerce.
However, with local banks starting to allow their customers to move money online on non-Microsoft Web browsers like Firefox and Chrome, the country could be witnessing the beginning of the end of the Microsoft monoculture.
Spearheading the ``open banking’’ trend was Woori Bank, which expanded its online banking service beyond Microsoft’s Internet Explorer (IE) browsers in July to support Firefox, Chrome, Safari and Opera users, who were also enabled to access the services from computers run on non-Microsoft operating systems like Linux and Apple’s Macintosh OS.
And it now appears that the Industrial Bank of Korea (IBK) is looking to tweak its online banking service to make it available on Linux and Apple computers too. IBK’s revamped Internet services will be accessible on a variety of browsers and will also support Microsoft’s latest IE 9. The bank will sign a company by October to redesign its Internet banking system.
Although IBK’s Internet services for desktop computers are designed for the Windows operating system and IE browsers, the bank has already been providing non-Microsoft online banking services on data-enabled mobile phones like the Apple iPhone.
``There have been complaints from computer users with non-IE browsers and our goal is to provide our Internet banking services to those with any browser,’’ said an IBK official.
Existing local regulations require all encrypted online communications to be based on electronic signatures that are enabled through public-key infrastructures. And since the fall of Netscape in the early 2000s, Microsoft's Active-X technology, used on its Internet Explorer (IE) Web browsers, remains the only plug-in tool used to download public-key certificates onto computers.
This prevented users of non-Microsoft browsers such as Firefox and Chrome from banking and purchasing products online. And computer security experts have also claimed that public-key certificates don't add anything to security beyond a simple password gateway, which make them worse than useless as they create the illusion of safety where there is none.
The private keys are mostly stored on unprotected memory such as hard disks or USBs, and could be duplicated easily by just copying and pasting the NPKI folder on the computers to other storage devices.
The security provided by Active-X plug-ins is only active during the banking session, which means that the computers are left vulnerable most of the time. And the mandated security requirements are rendered completely irrelevant when the user's machine has already been compromised. This had discouraged users from moving beyond the aging computing experience based on the decade-old technologies of Windows XP and IE6.
The Korean reliance on Active-X became a hot topic again last year when a massive Internet attack left more than 80,000 Korean computers crippled. It was pointed out that Active-X provided an easy route for cyber criminals spreading malware for the distributed denial of service (DDoS) attacks.
Pressured by the calls to provide more flexibility in Internet security technologies, the Korea Communication Commission (KCC) announced it would allow other verification methods besides public-key certificates for protecting encrypted communication, which motivated companies like Woori Bank to differentiate.
Woori Bank’s new Internet banking system appears to be well-received, with the bank garnering 40,000 new customers just a month into the changes. And with a variety of banks, including IBK, Shinhan, Kookmin and SC First Bank, already providing non-Microsoft online banking services for smartphones, the transition toward an open Internet banking structure appears to be gaining pace.
Of course, the independence from the Microsoft-shaped past is far from complete. Woori Bank’s Macintosh customers are still forced to install public-key certificates and keyboard encryption programs on their laptops as banks have yet to agree on how to replace their old security technologies.
Aside of the security issues, usability is also a problem for Active-X plug-ins. A computer user will need to install at least nine Active-X controls to access the online banking services of three or more banks, according to a recent report.
Even Microsoft seems ready to bail on Active-X, as it looks to phase out the technology over security concerns and compatibility issues. This leads to awkwardness whenever Microsoft introduces a new product here.
The release of Windows Vista in 2007 caused massive disruption when the Active-X programs used by banks and online retail sites didn't function properly.