Law in the Internet Society

Internet Banking Security and Autonomy Issue in Korea

-- By WookJinRha

I. Intro - Internet and Internet Banking

    In February 2009, Forbes listed the 30 innovations that have changed life most dramatically over the past 30 years, and more than half of them were internet or IT related. The internet itself, combined with broadband, browsers and HTML, was ranked first in a list otherwise dominated by technological and medical advances. See http://www.forbes.com/2009/02/19/innovation-internet-health-entrepreneurs-technology_wharton.html. It seems clear that the internet is changing the fundamentals of our living environment and paradigm. Before internet banking became available, a trip to the bank was a considerable bother for many people. Internet banking made people's lives more convenient by letting them use bank services simply by connecting to the internet, yet it raised other issues, among them security and autonomy.
    Below, I first explain the current state of internet banking security in South Korea, focusing on the user authentication and validation system and comparing it with the US. I then raise the autonomy issue that the security programs required for internet banking in Korea create.

II. Internet Banking User Authentication System

1. Internet Banking Usage

    In Korea there are currently 57.29 million registered internet banking users, and 14.87 million people, 60.3% of the economically active population, have been issued a "digital certificate" for use with internet banking. Daily transactions average 29.03 million, amounting to 30.17 trillion Korean Won (approx. 26.11 billion USD). See Bank of Korea, Usage of Domestic Internet Banking Service, 3rd Quarter 2009.

2. Digital Certificate

    Electronic transactions in the virtual space of the internet need a medium that can identify the parties, authenticate them and give the transaction legal effect. In Korea the "digital certificate" is that medium: it provides security and authentication across many kinds of internet transactions and its use is mandatory for internet banking. A certificate binds the holder's identity to a key pair, and a "digital signature" made with the corresponding private key authenticates the user; the relevant law gives such signatures legal effect.

3. User Authentication System in Korea and the US

    To log in to an internet banking website, a digital certificate issued by the certificate authority of the financial institutions must be used. When making a wire transfer, a pre-designated personal transfer password has to be entered together with a code taken from the security card. The security card is a plastic card issued by the bank, printed with 30 positions numbered 1 to 30, each paired with a four-digit code; the bank challenges the user for the code at a position of its choosing.
    In 2007, Korean banks adopted an OTP (one-time password) token in place of the plastic security card. The OTP token is a small hardware device, similar in appearance to a pager, that generates a fresh six-digit code each time it is used, so a code captured during one transaction cannot be replayed in another. From April 2008 the use of OTP became mandatory for all business banking customers regardless of the transaction amount, and for personal banking customers making a single transaction over 100 million Korean Won (approx. 86,580 USD) or daily transactions over 500 million Korean Won (approx. 432,900 USD).
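The two second factors described above, as an added example that is not part of the original essay or of any bank's software. It assumes the OTP token implements HOTP (RFC 4226) and that the bank checks codes against a small look-ahead window of counter values, and it models the security card as a challenge for the four-digit code at one randomly chosen position; the shared secret is the RFC 4226 test-vector secret and the card contents are constructed for the example.

```python
"""Added example: bank-side verification of a Korean-style security card
and an HOTP-based OTP token. Assumptions (not stated on the page): the
token is HOTP (RFC 4226) with a look-ahead window; the card check is a
single-position challenge. Sample secret and card are constructed."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Bank-side state for one customer's token: the shared secret and
    the next counter value the bank expects."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        """Accept the code if it matches any counter in the look-ahead
        window (the user may have pressed the button without logging in),
        then move the counter past it so the same code is never accepted
        twice (replay protection)."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False


class SecurityCard:
    """Bank-side view of the 30-position plastic card: the bank issues a
    random position as the challenge and checks the four-digit response
    in constant time."""

    def __init__(self, codes: dict):
        assert len(codes) == 30 and all(len(v) == 4 for v in codes.values())
        self.codes = codes

    def challenge(self) -> int:
        return secrets.choice(list(self.codes))  # a position from 1 to 30

    def verify(self, position: int, response: str) -> bool:
        return hmac.compare_digest(self.codes[position], response)


# Constructed sample data for a demonstration run.
RFC4226_SECRET = b"12345678901234567890"   # the RFC 4226 test-vector secret
SAMPLE_CARD = SecurityCard({i: f"{(i * 7919) % 10000:04d}" for i in range(1, 31)})


def demo() -> tuple:
    """Returns (first OTP accepted, replayed OTP accepted, card check ok)."""
    bank = OtpVerifier(RFC4226_SECRET)
    token_code = hotp(RFC4226_SECRET, 3)      # user pressed the button four times
    first = bank.verify(token_code)           # accepted through the look-ahead window
    replay = bank.verify(token_code)          # same code again: rejected
    pos = SAMPLE_CARD.challenge()
    card_ok = SAMPLE_CARD.verify(pos, SAMPLE_CARD.codes[pos])
    return first, replay, card_ok


if __name__ == "__main__":
    print("RFC 4226 counter 0 ->", hotp(RFC4226_SECRET, 0))
    print(demo())
```

The counter advance in `OtpVerifier.verify` is what makes the code "one-time": a code sniffed from one transaction is refused on the next, which a fixed four-digit card code cannot guarantee on its own. A real deployment would also rate-limit failed attempts and resynchronise tokens that drift beyond the window.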
    The internet banking authentication system in the US is surprising by comparison: to log in to a bank account, all one has to enter is a user ID and a password. Many people use the same ID and password on every website. An online survey by Sophos reports that 33% of people always use the same password for multiple websites. See http://www.sophos.com/blogs/gc/g/2009/03/10/password-website/. Another study finds that 46% of UK adults use the same password for their banking, shopping and social networking sites. See http://www.infosecurity-magazine.com/view/3779/many-people-use-same-password-on-all-websites-says-cpp/. This leaves US internet banking authentication exposed to credential stuffing: IDs and passwords harvested from a less secure website can simply be replayed against the bank.
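What that attack looks like from the bank's side, as an added example that is not part of the original essay: a detector run over constructed login log lines, flagging a source address that cycles through many accounts with mostly failures and listing the accounts it nevertheless got into, which are the customers whose reused password matched. The log format and the thresholds are assumptions made for this example.

```python
"""Added example: credential-stuffing detection over login logs.
The log format, thresholds and sample lines are constructed for this
example and do not come from any real bank."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<ip>[\d.]+) user=(?P<user>\w+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. 203.0.113.7 tries eight different accounts in a
# few seconds and mostly fails, the shape of a stuffing run replaying
# credentials leaked from another site; one attempt succeeds because that
# customer reused the leaked password. The other two sources show a
# normal login and an ordinary typo followed by success.
SAMPLE_LOG = """\
2009-11-22T09:00:01Z login src=203.0.113.7 user=alice result=fail
2009-11-22T09:00:02Z login src=203.0.113.7 user=bob result=fail
2009-11-22T09:00:02Z login src=203.0.113.7 user=carol result=ok
2009-11-22T09:00:03Z login src=203.0.113.7 user=dave result=fail
2009-11-22T09:00:03Z login src=203.0.113.7 user=erin result=fail
2009-11-22T09:00:04Z login src=203.0.113.7 user=frank result=fail
2009-11-22T09:00:04Z login src=203.0.113.7 user=grace result=fail
2009-11-22T09:00:05Z login src=203.0.113.7 user=heidi result=fail
2009-11-22T09:01:10Z login src=198.51.100.4 user=alice result=ok
2009-11-22T09:02:00Z login src=192.0.2.33 user=bob result=fail
2009-11-22T09:02:09Z login src=192.0.2.33 user=bob result=ok
"""


def parse(log_text: str) -> list:
    """Parse lines into dicts; malformed lines are skipped rather than
    allowed to crash the detector."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_stuffing(events: list, min_users: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """Return {source_ip: [accounts it logged into]} for every source that
    attempted at least `min_users` distinct accounts with a failure ratio
    of at least `min_fail_ratio`. A single user mistyping a password never
    reaches `min_users`, so the typo case is not flagged."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["fails"] += 1
        else:
            s["hits"].append(e["user"])
    alerts = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            alerts[ip] = sorted(set(s["hits"]))
    return alerts


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"stuffing from {ip}; force password reset for: {accounts or 'none'}")
```

The accounts in the alert value are the ones a bank would lock or force through a password reset, since the attacker has proved the password is valid; the source address itself is best rate-limited, because blocking it outright only moves the attacker to the next address. A second factor such as the Korean security card or OTP token defeats the attack even when the password is correct.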

III. Internet Banking Security Programs and Autonomy

    To access an internet banking website in Korea, security programs provided exclusively by the respective bank have to be installed. The problem is that users cannot choose which security programs they run, and most of the programs are not portable. Most require MS Windows as the OS and are installed through MS Internet Explorer (IE)'s ActiveX controls, which shuts out people who use another OS or another browser. Only one bank supports Linux, and two banks support Mac OS besides MS Windows. This reinforces a general internet environment in Korea in which the share of non-Windows OSes and non-IE browsers can hardly grow: between 1 Jan 2009 and 22 Nov 2009 the usage rate of MS Windows in Korea was 99.55% and that of MS IE 98.52%. See the real-time internet statistics provided by InternetTrend Korea, http://trend.logger.co.kr.
    This undoubtedly undermines the autonomy of the user in the internet society. In my view, Korean banks would do better to stop distributing their own designated security programs and instead rely on the security software users already run, whether commercial or free; the bank would then only verify that the user's environment meets its required security level and criteria. This would go some way toward resolving the autonomy problem raised above. On the other hand, the cost of commercial security software that the bank previously paid for and distributed, and the question of legal liability when a breach occurs, need further discussion.

The idea of using IE and ActiveX to achieve any secure purpose is just as absurd as using basic Uid/passwd authorization for banking. Both systems have security holes too large to believe sitting in the middle of them. But at least if the uid/passwd system is intelligently operated by the user he can minimize the security issues, whereas a technical monoculture dependent on an insecure browser and an insecure programming toolkit had better be using one-time pads, because every transaction could well be compromising the system, no matter how carefully the user follows instructions.

In fact, electronic banking is insecure. Pre-electronic banking was insecure too, and money was stolen all the time. Losses, of course, were insurable, and the borrowers of money ultimately paid the costs of the credit system. We have reduced losses of every kind in the banking system, but it is active security, not the banking software platform, that reduces security issues further. Still, if one could have one basic way of improving security, it would be the way taken by the Australian banks, who gave everyone a free software liveCD to boot into when they wanted to do their banking, thus providing a secure write-protected software stack on which to run their interactions.

Professor, thank you for your comments. I read articles on the LiveCD you mentioned, and I am also convinced that this is a simple way of improving security.


r5 - 07 Sep 2011 - 00:44:13 - IanSullivan