Government Officials Struggle to Set Rules for Mobile Wallet
By Kim Tong-hyung
Staff Reporter
Government officials are struggling to rewrite Internet rules for the smartphone era, and every step forward seems to come at the cost of a self-inflicted wound.
The Ministry of Public Administration and Security insists that all financial transactions on smartphones and other data-enabled mobile devices should be subject to the same security requirements that control online transactions by computers, a position backed by the Financial Supervisory Service (FSS).
However, the Korea Communications Commission (KCC), the country's converged regulator for broadcasting and telecommunications, is wary of the approach, as the existing Internet rules are blamed for leaving Korean computer users stuck with outdated technology and security vulnerabilities.
The Public Administration Ministry, in collaboration with the Korea Internet and Security Agency (KISA), has completed the development of state-imposed standard software to enable required security measures, such as public-key certificates, on smartphones for mobile banking services.
The software, to be used by local banks starting next month, was created after the FSS declared in January that public-key certificates will be required for all transactions on smartphones.
The current law states that all encrypted online communications on computers require electronic signatures based on public-key certificates, and since smartphones work more like handheld computers than conventional phones, the FSS claims they should be subject to the same security requirements.
However, critics claim that picking a specific technology to control transactions over different mobile platforms would be an ill-advised move, as it may expose mobile users to a similar, shaky security environment experienced by computer users in the Microsoft-dominated desktop world.
There have been calls for allowing new verification methods, such as secure sockets layer (SSL) encryption, one-time passwords (OTPs), which are passwords that are valid for only a single log-in or transaction, and even text-message verification. The voices seem to be reaching the KCC, which has been questioning the decision by the public administration ministry and the FSS to let public-key certificates be the dictating technology for online transactions.
"The public administration ministry controls the laws over electronic signatures, so standardizing the software for public-key certificates is somewhat of an advancement. However, the public administration ministry, the FSS and KCC are all involved in the talks in setting the legal framework for mobile transactions, and it would be wrong for the public administration ministry to come out and say that SSLs and OTPs shouldn't be considered as verification methods," said a KCC official.
There are worries that picking a single software standard to enable financial transactions on smartphones would only expose mobile users to larger security risks, as it could easily serve as a blueprint for cyber criminals to disguise their malicious software, just as they exploit ActiveX plug-ins in the desktop computing world.
Users of the iPhone would be less vulnerable, as Apple strictly monitors and controls the programs available on its App Store. However, smartphones powered by more open mobile platforms, such as Android, could be more exposed to such attacks.
The requirement for public-key certificates is precisely what allowed Microsoft to establish a virtual monopoly in computer operating systems and Web browsers here, which is now blamed for leaving Korean computer users stuck with outdated technology and exposed to larger security risks.
Since the fall of Netscape in the early 2000s, Microsoft's ActiveX, used in its Internet Explorer (IE) Web browser, has remained the only plug-in tool for downloading public-key certificates to computers.
This has prevented users of non-Microsoft browsers such as Firefox, Chrome and Opera from banking and buying products online. If many verification methods are allowed on smartphones, more companies could compete in the area, in contrast to Microsoft's dominance in the desktop realm.
"Public-key certificates don't add another layer of protection beyond simple passwords, and they could be duplicated endlessly by just copying and pasting the NPKI folder from the hard disk drives to USBs and other storage devices," said Kim Kee-chang, a Korea University law professor who has led a series of legal actions against the government over the overwhelming ActiveX use.
"Another problem is that public-key certificates could be renewed easily on the Internet without face-to-face verification, which makes it further irrelevant as a protection method. There should be verification methods beyond the Internet channel to secure the safety of transactions, with mobile-phone text messages or the security code cards of banks already providing this."