Calls mount for overhaul of Internet security system

Data breach at SK Communications may double as death penalty for real-name registration rules By Kim Tong-hyung The major data leak at Korea’s biggest social networking site and its sister services has sent policymakers scrambling to shore up the country’s computer security defense, which appears to have more holes in it than Swiss cheese. But despite their concentrated efforts to look busy, government officials are struggling to convince anyone, a typical response when the creators of a problem start speechifying about solving it. In requiring users to register under their real names, allowing Internet companies to work from a mountainous stack of sensitive information, the country’s communications regulators couldn’t have attracted hackers any better if they were wearing short skirts and raccoon makeup. SK Communications, operator of social media giant Cyworld and the Nate search and instant messaging services, issued an alert last week after criminals raided its network and stole the personal information of more than 35 million users. The number of potential identity-theft victims is mindboggling for a country of about 50 million people and an economically-active population of 25 million. The hacking of SK Communications’ network serves as the worst-ever security breach in a country that has seen plenty of them. Auction, the Korean unit of electronic commerce giant eBay, was battered with a slew of class-action lawsuits after Chinese hackers stole the data of 11 million users in 2008. Three people were arrested last year for selling the personal information of nearly 20 million subscribers to Shinsegae Department Store’s online service and social networking site I Love School, information which also had been accessed by Chinese hackers. The country also came under a massive distributed denial of service (DDoS) attacks in 2009 that crippled over 100,000 computers in government organizations, private companies and homes. The government manual for dealing with massive data losses seems to read like this: hold emergency meetings, let telecommunications firm talk about stronger monitoring, start another public campaign for computer software upgrades and, if possible, pin the blame on China or North Korea. Observers accuse government officials of applying a Band-Aid to a gaping wound. The country’s deep-seated computer security problems can’t be effectively dealt with through anything less than a surgical removal of national identification numbers from Internet systems, they say. For identity verification, virtually all Korean Web sites require users to submit their resident registration numbers, the country’s equivalent of social security codes, not only for encrypted communications like e-commerce and online banking, but also for casual tasks like e-mail, blogging and using message boards. In the hands of hackers, the codes can become the master key that opens every door and allows them to steal identities based on a lifetime of Internet use by their unassuming victim. The compromising of personal data is also blamed for fraudsters running wild. “Phishing’’ is becoming an increasing problem. These scams use phones, e-mail and instant messaging services to lure people into revealing personal details such as bank account numbers and passwords, or even into wiring money. It doesn’t help that resident registration numbers are fundamentally flawed when viewed from a security perspective. The 13-digit code exposes a person’s sex, date of birth and site of registration, unlike comparable systems in the United States and Japan, which are based on random numbering. Not that these countries have ever asked their Internet users to submit their social security codes to get an e-mail account. “The lack of a fundamental approach shows that the government has been dwelling on symptoms just to avoid dealing with the disease. If the incident at SK Communications isn’t enough to convince them that the real-name registration system should be scrapped, then I don’t know what is,’’ said Jang Yeo-gyeong, a computer security expert who works for the activist group Jinbo Net. “Requiring all Internet users to submit their resident registration numbers has to be one of the most glaring examples of bureaucratic stupidity,” she said. “When a country puts in that much effort to ensure that online and real-life identities match perfectly, you are just begging for hackers to come in and rob you. “A person’s name, address, phone numbers, credit card records and medical history are kept with his resident registration code as well as his every Internet comment. Obviously, there is demand for this information.” “No country in its right mind would require people to submit their personal identification codes to use Internet services, and it’s hard to find examples of this outside of Korea,” she continued. “When you think about it, it’s astonishing that the government is comfortable about allowing such critical information to be kept and used by private firms in the Internet, retail and financial industries.” Despite its scale and severity, the data breach at SK Communications hasn’t quite triggered the alarming public response that followed the Auction incident three years ago. With security failures becoming more common, it seems that people are simply giving up and accepting that their information was no longer personal the moment it touched the Internet. Besides, SK Communications customers would be kidding themselves if they thought their resident registrations numbers were sealed airtight before last week. SK Communications’ security capabilities have been in question as far back as in 2008, when Nate instant-messaging users experienced a dramatic leap in phishing attempts, although the company never provided a firm answer on whether its database was hacked. To critics, it’s obvious that scrapping the real-name registrations and minimizing user information collected by Web sites would represent a more meaningful effort at defusing the threat of identity theft than huffing and puffing on invisible hackers. The government, however, has moved in the opposite direction in recent years, expanding real-name verification requirements for more Web sites and chat rooms in a crusade to curb cyber bullying. However, these rules are being rendered irrelevant as authorities have no control over foreign Internet services from the likes of Google, Facebook and Twitter, which have become immensely popular here. And no, they don’t have a prayer when it comes to influencing user behavior on mobile Internet devices like smartphones and touch-screen tablets. Still, authorities seem to be hanging desperately onto the illusion of control. Their latest controversial plan is introducing new, chip-embedded resident registration cards that contain a much larger amount of personal information than existing cards. The new cards would include medical data such as blood type, which government officials claimed would be useful in hospital emergency rooms. This drew an angry response from doctors, who were horrified at the suggestion that on-site blood tests could be skipped before blood transfusion and surgeries. As always in privacy-related issues, Korean policymakers appear at a loss and any step forward seems to be a leap from a painful shot in the foot. “Currently, we have commissioned a study on ways to limit the collecting of resident registration numbers at Web sites. The results of the study will be reflected in our roadmap,” said Kim Gwang-soo, an official from the Korea Communications Commission’s (KCC) information security division. Still, Kim stressed that the real-name registration requirements are here to stay. “The idea is to limit the use of personal information in areas that are unnecessary. On encrypted communications like financial transactions, we are considering replacing resident registration numbers with an I-Pin.” Government officials continue to promote the little-used I-Pin, developed in 2006 as an alternative for resident registration codes. To receive an I-Pin number, Internet users must first verify their identities through public key certificates, credit card numbers, mobile-phone accounts or by submitting their resident registration card or driver’s license to organizations that issue the codes. The user is then provided with a code and password. However, critics like security expert Jang see I-Pin simply as resident registration codes in different name and form. And it doesn’t inspire confidence that cyber criminals have been able to create fake I-Pin codes using records from prepaid cards and mobile phones.

네이트, 싸이월드 개인정보 유출사고 인터넷 실명제에 대한 사형선고되나 한국 최대의 소셜 네트워크 서비스와 자매 인터넷 서비스 고객의 개인정보가 유출되는 사고가 발생하자 정부당국자들이 분주해졌다. 그러나 공무원들이 아무리 바쁘게 움직인다 한들 스위스 치즈보다 구멍이 많은 한국의 인터넷 보안체계에 대한 불안은 쉽게 가시지 않을 듯하다. 하긴 문제의 원인을 제공한 당사자들이 해결사를 자청하고 나설 때 냉소적인 반응은 각오해야 하는 것 아닐까. 현재 인터넷 보안 체계의 근본적 불안요인은 인터넷 서비스 업체들이 과도한 개인정보를 수집할 수 있도록 허용한 인터넷 실명제에 있다. 지난주 SK커뮤니케이션즈에서 운영하는 네이트와 싸이월드 3500만 회원의 개인정보가 해킹으로 인해 유출되었음이 드러났는데 이는 한국의 인구가 5000만 명에 못 미치고 경제활동인구가 2500만에 불과함을 고려할 때 대단히 놀라운 규모의 정보 도난사고가 아닐 수 없다.

thkim@koreatimes.co.kr