By Kim Tong-hyung
Staff reporter
It's becoming obvious that Korea doesn't have a computer security defense, but the government insists that a new, homegrown online verification system will provide the keys for cleaning up the mess.
Critics, however, are skeptical whether creating new rules will make the situation any better when the government's heavy-handed Web regulations are blamed for triggering the problem in the first place.
The Korea Communications Commission (KCC), the country's converged regulator for broadcasting and telecommunications, is accelerating its attempts to promote the use of "I-Pin," developed here as an identity code for online users.
I-Pin, created in 2006, was conceived as an alternative to resident registration numbers, Korea's equivalent to social security codes, which Korean Internet users are required to submit when registering on websites.
From next year, virtually all Korean websites will be required to accept I-Pin codes for verification of users, while a new version of the codes, dubbed as I-Pin 2.0, will replace resident registration numbers completely by 2015, according to the KCC.
The country's vulnerable security environment has meant that resident registration numbers ― a 13-digit code that indicates birth date, sex and registration site ― no longer remain as private information the moment they put it onto the Internet.
Korea has been hit by a slew of privacy infringement cases in recent years, including a case in March that involved the stealing of personal data of more than 20 million people subscribed to the online services of department stores and online social communities.
Auction (www.auction.co.kr), eBay's Korean unit and the country's largest online retailer, also failed to protect the data of its 10.8 million customers from Chinese hackers in 2008.
The exposure of Korean resident registration numbers has become so frequent that a recent police report said that Chinese hackers are trading the codes for just 1 won each, as it doesn't take much sophistication to locate a resident registration number on Google.
Policymakers have claimed that the random nature of the I-Pin codes, based on a complicated structure of issuance, makes them more difficult for cyber criminals to breach. The codes are provided by five different organizations ― the Seoul Credit Rating and Information Service, Sign Gate, the Korea Information Service, National Information and Credit Evaluation Service and the Ministry of Public Administration and Security.
To receive an I-Pin number, Internet users must first verify their identities through public key certificates, credit card numbers, mobile-phone accounts or personally visiting one of the organizations and submitting their resident registration card or driver's license. The user is then provided with a code and password.
However, a series of incidents in recent months have exposed I-Pins as having massive security flaws. The National Police Agency's cyber crimes unit is currently investigating a case where cyber criminals successfully created nearly 13,000 fake I-Pin codes using prepaid "gift" cards and mobile-phone verification.
And the government is troubled to come up with a solution for preventing the creation of I-Pin codes using the resident registration numbers of deceased persons.
Critics question that the Herculean efforts to make I-Pin conventional won't help improve the security situations when the government continues to require websites to collect an increasing amount of personal information from users.
The country's law on encrypted online transactions mandates Internet companies to keep the resident registration numbers of users, a requirement that involved most major Web portals such as Naver (www.naver.com), Daum (www.daum.net) and Nate (www.nate.com), which all provide paid content and online shopping services.
Despite growing concerns over the excessive amount of personal information collected by online service providers, the government has been moving to squeeze more data out of computer users as it looks to impose more rules on the Internet.
Since last year, the government has been requiring Internet users to make verifiable real-name registrations to post comments on websites with more than 100,000 daily users, which it claimed was inevitable to curb cyber bullying and libelous online claims.
"The essence of the problem with resident registration numbers is that they have taken up a much larger role than what was defined by their original administrative purpose, with private companies being liberal in using them for business purposes. This naturally led to the problem with data breaches, and even after their codes are exposed, people have no way to receive a new number," said an Internet company official.
"Without restricting the amount of information gathered online, I-Pins would eventually become the next resident registration numbers."