Disclaimer. I am Korean and currently live in Korea. Online banking in Korea is very poor, so even though I code on Linux and macOS, I use Windows for internet banking.
As in many other countries, banking in Korea is a state-regulated industry. However, Korea's regulatory system rules down to the smallest detail.
For example, in the Digital Signature Act (전자서명법), a provision that allows only digital certificates in the form of files called authorized certificates (공인인증서) to be used for certification was added in 1999. (It was revised only in 2020.) As a result, most banking was accessible only using IE and ActiveX. Now that ActiveX cannot be used, various software is installed using separate installation files.
Korea's financial regulators are strict, but Korean politicians and media are paternalistic, so if there's a problem with finance, most of them try to side with financial consumers. For example, the issue of password leakage due to a keylogger installed on a user's PC is considered to be a bank problem, not a user problem. For this reason, banking websites require all kinds of security software, such as keylogger checking programs and firewalls. (This problem is gradually being mitigated.)
The problem with Korean security software is that the buyer of the security software (in this case, the bank) only requires that it meet the requirements of laws and regulatory authorities, so there is little room for improvement. Security software can be delivered only after CC certification (CC 인증) issued by the National Intelligence Service (국가정보원). By the way, the NIS is interested in which encryption algorithm is used (whether Korean algorithms such as SEED, ARIA, LEA, etc.), but it is not interested in whether the Visual Studio Runtime is 2008 or 2019.
Also, financial institutions do not take cybersecurity issues seriously. For example, when I was in the security industry, a financial company asked for security software for ATMs running Windows XP SP2. Even at that time, Windows XP was EOL, and our security software was only supporting Windows XP SP3 or later. Significantly, the company suffered a cyber attack a few years ago that paralyzed its entire financial services for several days.
Most of the things I mentioned here refer to Korean-language materials, so giving references is somewhat limited.
this is a cautionary tale for people who hope that government regulation will solve the current computer security disaster outside korea
you cannot solve problems by giving authority to people who are motivated to solve them, but do not understand what the problem is, so that they can tell the people who do understand the problem what to do
anyone who has dealt with pci-dss presumably knows this but that is a much smaller group than all south koreans
think of that the next time someone contrasts bitcoin with the heavily regulated conventional banking system
Isn’t this an issue of mandating the means and not the ends?
If the regulations said banks had to be secure by ‘taking all due care’ and follow ‘best practices’ and such, this wouldn’t be such an issue. That gives room for improvements and for problematic standards to be weeded out over time.
It sounds like the government instead said banks had to be secure by using (for example) SSL 1.0 with a 64-bit key. Because they specified the exact how, that's what banks did. And when that how was broken the law wasn't changed, so banks still do the old thing.
And when the old thing (Active-X) stopped working they invented new ways to do the old thing with local proxies. Because the law says they must and are safe if they do.
This is the danger of legislating an exact how. It may be the right thing sometimes, but it can also go sideways.
> This is the danger of legislating an exact how. It may be the right thing sometimes, but it can also go sideways.
> If the regulations said banks had to be secure by ‘taking all due care’ and follow ‘best practices’ and such, this wouldn’t be such an issue.
Legislating the outcome is even worse than legislating the means.
American medical care is regulated in the exact manner you describe - a doctor is required to follow the local standard of care, whatever that may be.
This means that every time anyone takes a precaution, it becomes part of the standard of care and must be taken in every case from now until the end of time. If you stop doing it, perhaps because on a cost-benefit analysis it has wildly negative benefits, you're not following the local standard of care and you're wide open to a malpractice suit.
Your preferred legal phrasing is a ratchet; the only outcome it can ever have is insanity.
that just leaves the courts to decide what the best practices are, and what due care is or isn't, which i think is actually what happened in south korea
that would be great if judges were hackers and legislators weren't, but that isn't the current situation
That is also how the legislative process works, and is likely how the Koreans got in to this mess in the first place. Experts at the time identified IE6 and ActiveX as dominating the market and standardised on them^. If the web had converged on IE and ActiveX it wouldn't look as stupid as it does now. Back at the time it was arguably clever, it only looked ill-advised if you were a free-market thinker.
^ The cynic in me cheerfully suggests the experts were probably endorsed by Microsoft, at the time a colossus on the net and world's most successful web browser purveyor. Hard to get better pedigree experts. All recommending that people commit hard to Microsoft technologies.
it would not be especially difficult to find a professor from a reputable university who would explain that using dynamically typed languages was malpractice, or that using the waterfall model was, or that using threads was, or that running the servers on microsoft windows was just fine, or that running virus scanners was useless, or that running virus scanners was essential and therefore it's malpractice to not run on an os that can run them, or that using crypto that had lost a nist competition was malpractice, or that unauthenticated rce security holes were unavoidable and the best you can do is to patch them quickly, or that you need to prove all your security-relevant code correct with coq or something before you ship it and therefore any security hole is malpractice, etc.
Your reasoning is extremely reductive – I can't tell if you're just trying to win an argument here. You could say people will be misleading about anything. Your doctor, the police, the DMV clerk. At some point, you have to recognize you live in a society, and society is built on some level of trust and fairness.
Neither; this should not be an example or a cautionary tale against government regulation. This is an example of the wrong/invalid kind of regulation, which other countries should not follow. We, SK, could not fix this problem because the private sector (companies who pursue their private interest against the public interest) depending on the wrong/invalid regulation has lobbied and prevented several attempts to fix the regulation. So, this is not a problem of regulation or motivation or even knowledge; this is more a problem of capitalism.
So the US isn't doing capitalism anymore? If your system is based on the idea that "those with more money have more power", then those people using that power to stop competitors sounds like an entirely logical outcome to me.
"Doing capitalism" means running your company with profit as your goal, and if the best way to profit is lying, bribing, preventing competition, exploiting workers and destroying the environment, that's what a capitalist will do.
That's not to say that capitalism can't be, to some extent, prevented from doing those harms by strong regulation. But as long as those writing the regulation live in and benefit from that same system, that regulation will never be particularly strong - and that's by design.
nobody has ever done pure capitalism; social systems are always a messy mix of modalities
but some societies are more capitalist than others, like those where markets rather than regulators make collective choices, and those tend to be the more prosperous and competent societies
'running your company with profit as your goal' predates capitalism by several millennia, and for that reason among others it is totally inadequate as a definition of capitalism
quoting wikipedia:
Capitalism is an economic system based on the private ownership of the means of production and their operation for profit.[1][2][3][4] Central characteristics of capitalism include capital accumulation, competitive markets, price system, private property, property rights recognition, voluntary exchange, and wage labor.[5][6] In a market economy, decision-making and investments are determined by owners of wealth, property, or ability to maneuver capital or production ability in capital and financial markets—whereas prices and the distribution of goods and services are mainly determined by competition in goods and services markets.
market competition is fundamental to capitalism.
calling a competition-prohibiting government decree like this 'capitalist' because private companies presumably lobbied for it last millennium is like calling iran or venezuela today 'democratic' because their dictatorships were voted in by their citizens many years ago
you say, 'capitalism [can] be, to some extent, prevented from doing those harms by strong regulation' but in fact in this case the strong regulation is what is doing the harm, not whatever vestiges of capitalism remain after the regulators removed competitive markets, voluntary exchange, price signals, and private-sector decision-making
> think of that the next time someone contrasts bitcoin with the heavily regulated conventional banking system
Just watching the largest fraud trial in history unfold over at FTX.
Bitcoin deals with any and all questions of fraud by dumping them on the victim. No help and no recourse. Very libertarian, but of course routinely results in people losing life changing amounts of money.
there have been plenty of larger frauds and outright thefts in history (i'd point at our own sovereign default and mass confiscation of dollar bank accounts, respectively, in 02001), but the culprits were never brought to trial because they were the government
It is worth mentioning that making a bank transfer in Korea requires (or used to[1]) three-factor authentication: the user's website password, the user's PIN, the user's encryption certificate signature/공인인증서, and two randomly selected codes from a paper numbers card (보안카드: https://file2.nocutnews.co.kr/newsroom/image/2013/07/02/2013...), which users are instructed never to copy or digitize.
Of all these solutions, the numbers card gives me the most peace of mind: even if my machine is fully compromised and all my passwords and certificates stolen, the attacker would likely need very long-term access (or access to the bank's server) to get all 35 numbers from the card. (If the attacker compromises the card by attacking the bank, I trust attackers will reveal themselves going after larger accounts). As long as I keep this piece of laminated plastic private and visit a bank branch to replace it every 17 to 35 transactions, I can have some peace of mind, at least regarding my bank account.
[1] There have since been efforts to streamline mobile payments, which I avoid because it leaves the phone as a single point for compromise.
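Putting numbers on the threat model in the comment above, as an added example that is not part of the original post: the card has 35 cells and every transfer exposes two of them to a keylogger that records the challenge and the digits the user types. The 4-digit cell format and the assumption that a bank locks the card after a few wrong answers are mine; the closed form and the simulation depend only on the 35-cells, two-per-transfer parameters stated in the comment.

```python
import math
import random

CARD_CELLS = 35          # the card described above carries 35 numbered cells
CODES_PER_TRANSFER = 2   # the bank asks for two of them per transfer


def make_card(rng):
    """Constructed sample card: one 4-digit code per cell (format is an assumption)."""
    return [rng.randrange(10000) for _ in range(CARD_CELLS)]


def bank_challenge(rng):
    """Bank side: choose two distinct cell numbers for this transfer."""
    return rng.sample(range(CARD_CELLS), CODES_PER_TRANSFER)


def bank_verify(card, challenge, answers):
    """Bank side: every requested cell must match the card on file."""
    return len(answers) == len(challenge) and all(
        card[i] == a for i, a in zip(challenge, answers))


class Keylogger:
    """Attacker model from the comment: the PC is fully owned, so every
    challenge and the digits the user types for it are recorded."""

    def __init__(self):
        self.known = {}

    def observe(self, challenge, answers):
        for i, a in zip(challenge, answers):
            self.known[i] = a

    def can_answer(self, challenge):
        # Guessing an unseen 4-digit cell is a 1-in-10000 shot and a bank
        # (assumed here) locks the card after a few failures, so only a
        # fully known challenge counts as a success.
        return all(i in self.known for i in challenge)


def exact_success_probability(k):
    """P(attacker answers a fresh challenge after watching k transfers).

    Each transfer exposes 2 of 35 cells. A given cell stays hidden with
    probability (33/35)^k; a given pair of cells stays entirely hidden with
    probability (C(33,2)/C(35,2))^k. Inclusion-exclusion gives the result."""
    p_one_hidden = (33 / 35) ** k
    p_pair_hidden = (math.comb(33, 2) / math.comb(35, 2)) ** k
    return 1 - 2 * p_one_hidden + p_pair_hidden


def simulate(transfers_observed, trials=2000, seed=1):
    """Monte Carlo check of the closed form above (seeded, so deterministic)."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(trials):
        card = make_card(rng)
        kl = Keylogger()
        for _ in range(transfers_observed):
            ch = bank_challenge(rng)
            kl.observe(ch, [card[i] for i in ch])
        if kl.can_answer(bank_challenge(rng)):
            successes += 1
    return successes / trials


def min_transfers_to_expose_card():
    """Lower bound on transfers a keylogger must watch to learn every cell."""
    return math.ceil(CARD_CELLS / CODES_PER_TRANSFER)


if __name__ == "__main__":
    for k in (5, 10, 18, 20, 50):
        print(f"after {k:2d} observed transfers: "
              f"exact={exact_success_probability(k):.3f} "
              f"simulated={simulate(k):.3f}")
```

Eighteen observed transfers is only the attacker's best case; because the bank draws cells at random, the closed form stays below 50% until about 21 observed transfers and passes 90% only around 50. That is the arithmetic behind the comment's "very long-term access" and behind replacing the card every 17 to 35 transactions. Note that the card does nothing against the recipient-substitution attack raised in the replies: the attacker does not need to know any cell to ride along on a transfer the user is making anyway.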
>Of all these solutions, the numbers card gives me the most peace of mind: even if my machine is fully compromised and all my passwords and certificates stolen, the attacker would likely need very long-term access (or access to the bank's server) to get all 35 numbers from the card
I think you're overestimating how much security this provides and missing a very simple workaround: the attacker can simply wait until you perform a transfer, and then replace the intended recipient details with theirs. For instance, if Alice was sending funds to Bob, and the attacker controls the machine, they can simply replace the recipient with Mallory, while still displaying Bob to the user.
You're right. The machine remains a big single vulnerability. However, there is a process to catch this: one (used to?) have the option to get a text by SMS following the transfer. This (used to) list the recipient. For whatever reason I haven't gotten a text like this in a few years. Probably my bank disabled it to push people to their mobile app.
btw, this paper card approach was replaced by physical hardware OTP tokens (lasting multiple years until they have to be replaced), it’s as secure as the supply chain (which is also a factor for paper cards), so I’m not sure why Korea still clings to this as tokens are obviously a net gain in ops cost
I dunno where you got the idea that South Korea still clings to paper-based number cards, but OTP tokens have been in use for the better part of a decade here. Nowadays you don't even need hardware tokens, since it's considered OK to replace them with mobile apps that use TPM to manage keys.
Sorry about that. My bank still provides me with cards. I never asked about an OTP dongle and I don't want to enable mobile banking, so cards it is. But almost everyone in Korea (who isn't paranoid about a single compromised device) is now on mobile banking, rather than website banking.
The Canada Revenue Agency does something similar, where instead of TOTP they ask you to print a grid of alphanums and they ask you for combinations.
The only problem is I think they're only good for a couple months at which point you need to do verification by mailed token which is a royal pain in the ass
As pointed out, legislation detailing the exact measures needed to be done. I guess they copied over the idea of European TANs but they never found out about hardware OTPs.
In the UK, the bank is also usually responsible for any unauthorised transfer, yet our banks are generally quite digitally enabled.
Some banks solve the transfer authorization issue using an external bit of hardware that you type the transaction details into and it gives you a signature OTP.
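The recipient-substitution attack described a few comments up, the after-the-fact SMS mentioned as a mitigation, and the transaction-signing token in the comment just above differ in one thing: whether the code the user supplies is bound to the transfer details the bank actually receives. The following is an added example, not code from any bank or from the commenters; the shared secret, counter, 6-digit truncation and the `recipient|amount` message format are constructed for the demonstration and do not describe a specific vendor's protocol.

```python
import hashlib
import hmac

DIGITS = 6


def _truncate(mac: bytes) -> str:
    """Dynamic truncation in the spirit of RFC 4226: 4 bytes -> 6 decimal digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


def plain_otp(secret: bytes, counter: int) -> str:
    """Event-based OTP: depends only on the shared secret and a counter."""
    return _truncate(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_otp(secret: bytes, counter: int, recipient: str, amount: int) -> str:
    """Transaction-signing OTP: the user types recipient and amount into the
    external device, so the code is bound to what the user actually saw."""
    msg = counter.to_bytes(8, "big") + f"{recipient}|{amount}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts_plain(secret, counter, submitted_recipient, submitted_amount, code):
    """Bank side with a plain OTP: the transfer details play no part in the check."""
    return hmac.compare_digest(plain_otp(secret, counter), code)


def bank_accepts_bound(secret, counter, submitted_recipient, submitted_amount, code):
    """Bank side with transaction signing: recompute over the details it received."""
    expected = transaction_otp(secret, counter, submitted_recipient, submitted_amount)
    return hmac.compare_digest(expected, code)


def malware_in_the_middle(form):
    """Attacker model from the thread: the screen still shows Bob, the submitted
    form says Mallory. Amount is left alone so nothing looks odd to the user."""
    tampered = dict(form)
    tampered["recipient"] = "Mallory"
    return tampered


def run_scenario(scheme: str) -> bool:
    """Alice intends Bob/1000 on a compromised PC. Returns True if the bank
    accepted the tampered transfer under the given scheme."""
    secret = b"constructed-shared-secret-for-demo"   # provisioned into the token
    counter = 42
    intended = {"recipient": "Bob", "amount": 1000}
    if scheme == "plain":
        code = plain_otp(secret, counter)
        check = bank_accepts_plain
    elif scheme == "bound":
        code = transaction_otp(secret, counter, intended["recipient"], intended["amount"])
        check = bank_accepts_bound
    else:
        raise ValueError(scheme)
    submitted = malware_in_the_middle(intended)
    return check(secret, counter, submitted["recipient"], submitted["amount"], code)


if __name__ == "__main__":
    print("plain OTP, tampered recipient accepted:", run_scenario("plain"))
    print("transaction-signing OTP, tampered recipient accepted:", run_scenario("bound"))
```

With the plain code the bank has no way to tell that the recipient changed between the screen and the wire; with the bound code the recomputed value over "Mallory" does not match what the user's device produced over "Bob", and the transfer is refused before any money moves. The SMS confirmation mentioned above only lets the user notice the substitution after the fact, which is why the hardware-signing approach is the stronger of the two.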
I honestly don't know how much longer the banks can continue to refund people for fraud. The scale of it is enormous: £600m last year (which is likely to be the floor of it, as I imagine it doesn't all get reported correctly).
If it continues growing (~40% y/y) at this kind of rate then it will soon outstrip any profits from retail banking (which is pretty low margin as it is compared to banks investment and commercial arms).
I wouldn't be surprised if we see UK banks exiting retail banking because of this.
I’m not sure how to understand that £600m in the grand scheme of things. If they are making billions of pounds in profit for example, maybe it is just the cost of doing business.
Of course, exponentials being exponentials, if they continue along long enough they always eat the universe.
The banks will be made to keep reimbursing people. They are, after all, in control of the system and the people with most information about what might be fraudulent.
I work in Hong Kong, in the securities industry. We interact a lot with Korean laws, and all of APAC, and Korea is special in that they enjoy nonsensical rules that provide no protection to anyone except the politicians who came up with them and can argue they did do "something".
It's, I think, even worse than China's philosophy, because China is young and pretentious in capitalism, while Korea seems more dishonest and cowardly.
>Korea's financial regulators are strict, but Korean politicians and media are paternalistic, so if there's a problem with finance, most of them try to side with financial consumers. For example, the issue of password leakage due to a keylogger installed on a user's PC is considered to be a bank problem, not a user problem.
Isn't this also the case in the US? You're generally not liable for fraudulent transactions, as long as you took "reasonable" measures to prevent the fraud from happening. Given the technical ineptitude of the average person, banks/regulators will rarely blame the consumer.
Woah, I thought Indian banks blocking right clicks on their website as a "security" measure was absurd.
You mentioned PC environments; what's up with mobile? Specifically with Android and iOS: do you have to install rootkits there too for online financial transactions?
> For example, the issue of password leakage due to a keylogger installed on a user's PC is considered to be a bank problem, not a user problem.
In other words, they're authoritarians at heart. They want complete control over the environment and don't want users to have any personal responsibility.
And not really anyone else either. You'd lose more wealth in a financial crisis than you would from the government printing money to refill the FDIC fund.
The FDIC is funded by insurance premiums that banks pay, which are then invested and generate returns.
Thus it comes out of the returns the bank generates using your money to invest, and then also from the returns the FDIC generates investing the premiums.
In the case of a black swan event, the US Gov might have to step in to increase funding, but that is not how the FDIC normally operates.
> In non-authoritarian countries like the US, the users are responsible for all of the bank's losses.
What? You can almost always get a refund even when someone gets access to your account. That's true for debit, and even more so for credit. Some types of transfers might be irreversible after a certain delay, but again, for customer-facing retail banking, those are generally not widespread anyway.
> This prompted South Korea to develop their own cryptographic solutions.
I've had an opportunity to interact directly with Korean security culture in my time working for Samsung.
I am sure there exists more secure examples out there, but I saw some extremely bad practices like trivially-reversible password shuffling used throughout the entire org. Anyone with access to a certain manufacturing database and knowledge of a particular stored procedure could immediately reverse all passwords and typically use them to go sideways into other engineering/facility systems.
They always seemed substantially more interested in the theatrical aspects of security than focusing on any first principles. Lots of time was spent talking about reactionary crap like a fleet of hardware ARP sniffers installed throughout the network. Not a lot of time was spent talking about PBKDFs, system boundaries and determinism.
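The contrast the comment above draws, a reversible "shuffle" versus a real password-based KDF, in code. This is an added example and not Samsung's scheme or code: the shuffle below is a stand-in I constructed (XOR with a fixed application-wide constant, reverse, hex), chosen only because it shares the property that matters, namely that nothing secret and nothing one-way is involved, so whoever can read the stored procedure can invert it. The PBKDF2 side uses the standard library and a per-user random salt.

```python
import hashlib
import hmac
import os

# --- "Shuffled" storage: constructed stand-in for a reversible transform. ---
_SHUFFLE_KEY = b"\x5a\x3c\x99\x01"   # fixed constant baked into the procedure


def shuffle_password(password: str) -> str:
    raw = password.encode("utf-8")
    mixed = bytes(b ^ _SHUFFLE_KEY[i % len(_SHUFFLE_KEY)] for i, b in enumerate(raw))
    return mixed[::-1].hex()     # reversed and hex-encoded: looks opaque in a table


def unshuffle_password(stored: str) -> str:
    """Anyone who reads the stored procedure can write this in a minute."""
    mixed = bytes.fromhex(stored)[::-1]
    raw = bytes(b ^ _SHUFFLE_KEY[i % len(_SHUFFLE_KEY)] for i, b in enumerate(mixed))
    return raw.decode("utf-8")


def dump_all_passwords(table: dict) -> dict:
    """What an insider with read access to the table gets under a reversible scheme:
    every cleartext, reusable against any other system where it was shared."""
    return {user: unshuffle_password(stored) for user, stored in table.items()}


# --- PBKDF2 storage: per-user salt, slow derivation, verify-only. ---
ITERATIONS = 600_000     # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Returns a self-describing record; the password itself is not recoverable."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample table, the kind of thing the comment describes finding.
    table = {"alice": shuffle_password("hunter2"), "bob": shuffle_password("correct horse")}
    print("shuffled table:", table)
    print("recovered:", dump_all_passwords(table))
    rec = hash_password("hunter2")
    print("pbkdf2 record:", rec)
    print("verify correct:", verify_password(rec, "hunter2"),
          "verify wrong:", verify_password(rec, "hunter3"))
```

Two properties separate the halves: the shuffle gives the same output for the same input (no salt, so identical passwords are visible as identical rows and a single inversion routine works for the whole table), and it is bijective, so `dump_all_passwords` is the whole attack. PBKDF2 with a random salt and a high iteration count yields a record that can only be checked, and the lateral movement the comment describes would require cracking each hash individually.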
I was working at Mozilla in 2007 when I first brought this issue to the wider (i.e. beyond S. Korea) Internet. My post from then was widely covered by Slashdot and Boing Boing and other tech sites. S. Korea clearly doesn't care to 'fix' this because they've had more than enough time to do so.
- That page intentionally disables right-click! Just by putting `oncontextmenu="return false"` on the <body> tag. This gives me flashbacks to the late 90s when this technique was used to make it harder for users to copy images or inspect HTML source. Browsers all have built in developer tools so pretty silly seeing it now.
- The JS included on that page is a mix of heavily obfuscated code[0] and completely unminified code with all the internal comments left in[1].
- I was impressed that the required software seems to support Fedora and Ubuntu/Debian as well as macOS and Windows.
- One of the installations is checked by making a JSON-P call (another old tech flashback!) to `https://lx.astxsvc.com:55921/ASTX2/hello?...`. This works because lx.astxsvc.com resolves to 127.0.0.1 so you're just hitting your localhost. Presumably the installed software checks the referer header to ensure only citibank is making these requests.
I didn't! The download URLs on that page all seemed to be HTTPS for me, though my browser might be forcing the HTTPS connection or something. Or it's just the macOS versions. I'd 100% believe there's plain HTTP requests in there somewhere. I was trying to get the JS to serve me the software for other OSes but was struggling since it seems to do more than just a User-Agent check. Fortunately that JS is the totally unobfuscated kind.
btw, love your article! Such an interesting obscure little corner of the world of technology. Hope to read more.
Very interesting read. I'm looking forward to the details in the followups (1/9, 1/23, 3/6). However, I'm surprised that there are no KR banks who build their reputation on their technical acuity and who have eliminated (or avoided) reliance on these types of applications. The markets I'm familiar with tend to have a few banks who have a reputation for good websites, good apps, etc. Or perhaps that bit of context was omitted, and these types of banks do exist in KR?
Note for the author: small typo at "requires outmost care".
I think that this issue is really universal across all banks in Korea. I was told (but couldn’t confirm) that this is a liability question. Supposedly, there was a court ruling that held a bank liable for a customer’s losses due to lack of security precautions. So now all of them implement “security precautions” to avoid liability.
Thank you for the hint, I fixed the typo. Not being a native speaker, I had to ask a search engine what I did wrong in this sentence. :-)
> Supposedly, there was a court ruling that held a bank liable for a customer’s losses due to lack of security precautions.
You already wrote as much in the article, but (AFAIK) the reality is even worse: there were court rulings that exonerated banks, as long as they followed the standard "security practices." Some hacker from China could access the bank's website from a suspicious IP, drain all the money from a poor guy's account, but the bank has zero obligation to do anything as long as it mandated that all users install half a dozen security plugins all the time.
Do you think getting out of this mess could be as simple as government regulation: banking (and government and other necessary websites) are not allowed to require installation of plugins or other software to log in?
That’s in fact what I suggest in my blog post. But I am pretty certain that it is far from simple. I’m told that the previous Korean government already tried to tackle this issue and failed. It’s a huge and complicated mess.
My information here may be outdated, but when I was in Seoul for awhile, it wasn't limited to just banking apps, many services had similar requirements for specific plugins, even requiring Internet Explorer 11 and a bunch of plugins for that.
I remember trying to get tickets for an event, and it was not possible within MacOS at the time due to the various Windows only requirements. I remember even having to re-download another version of Windows 7 as Tiny7 had various Windows Services removed that for some reason the plugins/apps relied on.
My cynical guess is that the plugins/apps include user data/telemetry that the companies get a cut for, but of course this is just supposition. It's entirely possible it's just some liability thing that has become entrenched in Korean IT, who knows.
Yes, I’ve seen references to online gaming that also required these “security applications.” In this case it was likely to aid tracking users and to prevent cheating.
Schwab has hardware security tokens for the asking. I have one. Similar to the six digit rsa tokens I used at work (but without the rsa token bug from some years ago). It is my understanding they also support software tokens. I'm a happy customer.
The credit union I use does have SMS 2FA as an option, but has other options via Entrust. Specifically there's a "soft token" that's a phone app which implements their own brand of not-TOTP, and a "hard token" that's a fob that generates their own brand of not-TOTPs.
What operations does it require the OTPs for? Generally anyone can do an ACH withdrawal from your account and the bank won’t ask you about it until afterwards. This is dealt with by other legal frameworks but you could certainly call it insecure even if they need 4 factors to let you see your account balance.
I live in Korea. In my experience pretty much everyone I know uses banking apps which you can do everything through, not online banking through a browser.
You would hope that these would be somewhat more secure as this may have required a 're-write' as the article suggested.
Though even with mobile apps you sometimes have to install some 3rd party 'anti-virus' software that probably amounts to spyware. But hey you can either lump it or leave it.
They do at least try to make you feel like it's secure. To set up mobile banking you need at least 3 different passwords and need to perform 2fa 3 times as well.
They have 'front end' security too, such as each time you enter a pass code the keyboard is in a different arrangement.
I live in Korea and run the latest GrapheneOS on Pixel 6. I have 6 different banking apps (Citi, IBK, Woori, etc.) installed and all of them work flawlessly. I also have a few government apps running and they work as well. There are definitely some apps that don't run on it (Donbaekjeon, Busan's local payment app being one) but overall they work.
FYI, yes, the Samsung monoculture is very strong. No foreign phone brands, especially Chinese, have gained significant market share (except Apple, ofc). Samsung with their 70% market share has been the undisputed champion in S. Korea for probably the whole post-iPhone era, even in the budget segment. A ROMming community does exist here and is quite vibrant for its size, but Samsung pumping out a literal truckload of phone models (not to mention their carrier-locked variants, which are more common, like in the US), Knox (ew) and general public sentiment against modifying their devices means it's not really visible.
It's great to hear that the compatibility situation isn't that bad in Korea. Have you considered submitting the apps to https://privsec.dev/posts/android/banking-applications-compa...? Otherwise people might make the same mistake as me (look at the list and assume it's impossible to use an alternate OS)
See, usually when I run into claims about rooted Android being less secure, I point out that they have no problem with regular laptops that the user has root/admin on, but in this case I suspect they try to DRM control of that, too...
I don't think korean banks run safetynet. They roll their own checks with varying levels of strictness. Most of them were fooled by Magisk Hide, but not all.
Could be, but why? Pixels aren't officially available in Korea, but that banking app compatibility list has user reports from 19 other unofficial countries.
For threat actors that target Korean users their favorite software to exploit for initial access is HWP (Hangul Word Processor). It's MS Word for Korean users. If you are being sent official docs of any kind, chances are it is a .hwp file that needs the program. Banking and internet access affects consumers but HWP is used by more interesting espionage/sabotage targets.
I just looked up CVEs for it. I only see 2 in 2017. This is not a good thing, a complex word processor, even if it was rewritten in a memory safe language would have at least some low level non-memory vulns in 6 years!
This mirrors the situation in China, likely for similar reasons.
To this day, I can only do online banking with Internet Explorer 11. When logging in, of course the password field doesn't permit pasting. I have a couple ActiveX controls and certs installed, but I've forgotten which ones so I'll just have to keep that old laptop around. The one bright spot is that large transactions do require a USB dongle.
At least one other website I've used (perhaps Alipay?) required you to install a browser plugin simply to be able to "securely" enter your PIN.
Rewinding back to 2014, the brand new government website for buying train tickets[0] didn't have an SSL cert signed by any of the trusted authorities. If you wanted to buy tickets securely, you needed to download a zip file (over http) that contained 1) a self-signed root cert, and 2) a Microsoft Word document explaining how to add this to your OS's trusted root cert store and how this is totally legit and secure.
Maybe 5 years ago, but now nobody uses web-based online banking any more in China. Most banks have decent mobile apps now, which have much better usability than the web-based ones. The IE situation is irrelevant now.
> It has been established that large private enterprises in [COUNTRY] have connections with the [POLITICAL SYSTEM] of [COUNTRY], aka the government.
Not disagreeing with you and I know that people should be aware of this, but I don't get why this fact is always quoted as if that's a special situation in China. I mean, take the US as an example, you can't tell me that large private enterprises have connections with the government. Same for 99% of the countries, no?
I'd say the same for my european country and all of my neighboring countries. Sure, it does depend who or what the government is.
There's a difference between "Has to follow the US and it's laws", "Has strong connections via technology forums and the revolving door of lobbying" and "Has government-mandated official positions that report to the party"
It's actually pretty low in direct effect: if the government wants the corporation's secrets, or even for a corporation to take actions on its behalf, there are plenty of both public and private agents within the company that they can use to act or steal or whatever. What's important about it is the act of subservience. The latter is a direct admission that "The corporation serves the state's interests", whereas in the US and other free countries the state serves the people's interests, and the corporation is a group of people with common interest.
This is why Citizens United is so important a ruling and under constant attack: because it asserts the primacy of the people to make their interests heard, in opposition to the model where people serve the state.
> in the US and other free countries the state serves the people's interests, and the corporation is a group of people with common interest.
Does it? I'd argue that in a lot of free, western countries the state does serve the people, but more so the ruling class and those in power. Which can happen to align with the peoples interests, but often does not, in my opinion. Lobbying, advertising and the available funds for campaigns tips the scale heavily to one side. And those in power in the west are? Exactly, the rich people from the private sector.
Citizens United seems okay, but you can't tell me that what this tries to prevent happens constantly behind closed doors. Of course that doesn't make it less important.
10 years ago for work we assessed a similar client side software solution (a "secure browsing" pile of ActiveX and C++) for protecting banking sites users.
Absolute steaming garbage.
Its "anti keylogging" functionality could be bypassed trivially, as could its various screen hijacking tricks designed to defeat some methods used by the banking trojans that were common at the time.
I see that snake oil industry lives on in Korea :/
Very excited to see the results of OP's work (the disclosures).
Writing the critical parts of a OS kernel in C is sensible. Browser extensions, not so much.
As the author notes, they're not just being snobby about languages, the main issue with C from a security POV is the total lack of memory safety and the consequent vulnerability to buffer overflows.
Not really. With C++, you don’t have to use manual memory management. In the typical scenario, C++ objects take care of memory without the developer having to think about it. And you have all kinds of smart pointers for the more complicated scenarios.
That doesn’t mean of course that there are no buffer overflows in C++, or use-after-free bugs. There is still plenty of room for mistakes. But C++ code following best practices tends to have far fewer vulnerabilities than comparable C code.
We have... very different ideas about how capable random devs on a government contract are. Or how feasible it is to prevent the worst possible behavior in a large codebase. That is to say, I tend to assume code managed by a large team on a government project (or a project in any sufficiently large organization) will be the worst possible code that language can produce. And C++ can produce worse code than C (all of the danger of C, but happening implicitly instead of explicitly).
You seem to be taking the best possible code as the default. I will admit that the best possible C++ code is better than the best possible C code.
At least C++ has unique_ptr and friends. Standard containers like string, vector and map also reduce the amount of manual fiddling with fundamentals you need to do yourself, greatly reducing the mistake-surface.
But yeah, in the end both of them are very dangerous tools, compared to other alternatives.
Yes, but, compared to higher level languages, idiomatic C++ is significantly unsafe and the difference b/w C and C++ gets scaled down to the point where it rounds to zero.
Large banks in the UK used to promote an application called Trusteer Rapport that secured the connection between the bank's server and the user's computer. It was not mandatory like the Korean apps, just strongly suggested. I can see that some banks still offer it.
This always bothered the hell out of me when interacting with Korean websites, especially online banking. I believe in addition to the factors that the article listed, there are several laws in place that mandate this chicanery, at least for banking.
I was just there for two weeks, and while I used my card a lot, I don't think there's anything I couldn't have done with cash. For that matter, I had no problem using my American bank, though obviously if I were being paid in Won that would be less of an option.
A lot of countries seemingly did not have access to American encryption technologies or did not trust them — arguably for good reasons[0] — which has led to this hodge-podge of homegrown security.
Yeah I found his problem in the first line of the article
> KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI).
The FSB is not equivalent to the FBI, it's the successor to the KGB. If it's equivalent to any other country's org, look to the Gestapo.
They're problems with cryptography insofar as they are problems that can be traced back to a distrust of Western cryptography and a desire to create domestic security products.
Nitpick for OP (@palant): on mobile Safari (haven't checked any desktop browsers), the images embedded into the post appear stretched out vertically (i.e., too "slim"). It is still technically readable, but very noticeable and jarring. This only applies to the images when embedded, opening direct image URLs in a dedicated browser tab renders them properly without any stretching. I suggest checking CSS, but that's just my first guess and could be entirely wrong.
I think just keeping the same horizontal size of images, but reducing the vertical size, would make it much more aesthetically pleasing + readable.
I see two candidate alternatives to your "Getting out of the dead end":
1. Give SK a few months/years until it realizes it is losing billions in revenue nationally due to hacking by foreign entities and it will naturally invest in its application security landscape.
2. Reconsider your position on SK's current situation by factoring actual risk in the equation (likelihood of threat, in particular). What you seem to have discovered are client-side vulnerabilities that would require direct network access to the client machines to be exploited (i.e., no firewall, no NAT, no etc.). First, these limitations greatly reduce the attack surface and second, they may actually cost the attacker more to exploit than simply sending a well-crafted message with an attachment to click on.
I would be much more convinced by your conclusions if you added elements that would support the hypothesis that the situation is similar (or worse) server-side.
Where did you get the idea that direct network access is required? To quote the article: “large applications interacting with websites in complicated ways.”
Most attacks can be launched by an arbitrary website. And given the number of people affected, this is way worse than any individual server being vulnerable. Besides, I’m definitely not going to look for server-side vulnerabilities without permission.
Indeed - this was my first concern. How many of these local web servers are properly implementing CSP and the myriad of other protections you need to (securely) run a local web server that isn't vulnerable to CSRF from other origins etc?
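The two comments above turn on one question: can any website the user happens to visit talk to the helper service that the banking software runs on localhost? The following is an added example, not code from the article or from any Korean banking product, modelling the Origin policy such a local service needs. The allowlisted origin `https://bank.example`, the request shapes and the handler names are assumptions for illustration; the request objects are constructed inline and mirror what a browser would send.

```javascript
// Added example (not from the article or any vendor): the origin policy a
// localhost helper service needs so that an arbitrary website cannot drive
// it from the browser. Origins, handler names and requests are assumed.

const ALLOWED_ORIGINS = new Set(["https://bank.example"]); // assumed allowlist

// Normalise the Origin header to scheme://host[:port]. Returns null when the
// header is absent (non-browser client) or unparsable (e.g. the literal
// "null" sent from sandboxed iframes and data: URLs). Header keys are
// assumed lowercase, as Node's http module delivers them.
function parseOrigin(headers) {
  const raw = headers["origin"];
  if (typeof raw !== "string") return null;
  try {
    const u = new URL(raw);
    return `${u.protocol}//${u.host}`;
  } catch {
    return null;
  }
}

function isAllowedOrigin(origin) {
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// Hardened handler: exact-match allowlist, CORS headers echo only the
// allowlisted origin, preflight is answered only for that origin, and the
// response carries Vary: Origin so a cache never replays it cross-origin.
function handleRequest(req) {
  const origin = parseOrigin(req.headers);
  if (!isAllowedOrigin(origin)) {
    return { status: 403, headers: {}, body: "forbidden" };
  }
  const cors = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "POST",
    "Vary": "Origin",
  };
  if (req.method === "OPTIONS") {
    return { status: 204, headers: cors, body: "" };
  }
  if (req.method !== "POST") {
    return { status: 405, headers: cors, body: "method not allowed" };
  }
  return { status: 200, headers: cors, body: `ok: ${req.body}` };
}

// Weak handler, shown only as the anti-pattern: a prefix check instead of an
// exact match lets https://bank.example.evil.example through, and a missing
// Origin header is treated as trustworthy.
function handleRequestPermissive(req) {
  const raw = req.headers["origin"] || "";
  if (raw !== "" && !raw.startsWith("https://bank.example")) {
    return { status: 403, headers: {}, body: "forbidden" };
  }
  return {
    status: 200,
    headers: { "Access-Control-Allow-Origin": raw || "*" },
    body: `ok: ${req.body}`,
  };
}

// Constructed sample requests, shaped as a browser would issue them.
const SAMPLE_REQUESTS = {
  fromBank:     { method: "POST",    headers: { origin: "https://bank.example" }, body: "sign" },
  preflight:    { method: "OPTIONS", headers: { origin: "https://bank.example" }, body: "" },
  fromAttacker: { method: "POST",    headers: { origin: "https://evil.example" }, body: "sign" },
  lookalike:    { method: "POST",    headers: { origin: "https://bank.example.evil.example" }, body: "sign" },
  noOrigin:     { method: "POST",    headers: {}, body: "sign" },
};

// Run every sample through both handlers and return the status codes.
function compareHandlers() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = {
      hardened: handleRequest(req).status,
      permissive: handleRequestPermissive(req).status,
    };
  }
  return out;
}

console.log(compareHandlers());
```

Running it shows the lookalike origin and the Origin-less request getting 200 from the permissive handler and 403 from the hardened one. Note what the check does and does not cover: an exact Origin allowlist stops a cross-site web page from reaching the service through the victim's browser, but it says nothing about code already running on the machine, which can open a socket to localhost without any Origin header at all.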
Regarding 1 - SK has apparently been doing this since the 1990s. If it was just a matter of time before they realize this is a bad idea, I think they've had enough time to figure it out.
> What you seem to have discovered are client-side vulnerabilities that would require direct network access to the client machines to be exploited
We don't know what a user has installed on their local machine, so a bank mandating that users install an application with known vulnerabilities has reduced its security posture to whatever client-side chicanery is happening on a given computer. This may shift liability (i.e., it's not the bank's fault if malware intercepts traffic sent to a localhost web server) but does not improve security.
As a user, you might be able to use software with known client-side vulnerabilities safely by constructing isolated sandbox environments for each permutation of required client-side "security" software, but it's unrealistic to expect everyday users to do so.
Most of the things I mentioned here refer to Korean-language materials, so giving references is somewhat limited.