Slashdot Mirror


Korean Banks Forced to Compensate Hacking Victims

An anonymous reader writes "A brief story over on Finextra reveals that the Korean government is introducing new legislation that will force banks to compensate customers who have been victimized by identity theft even if the banks are not directly responsible. This action obviously will not stem identity theft but the hope is that this will push banks into security improvements that will make identity theft much harder."

7 of 154 comments

  1. All too brief... by TripMaster+Monkey · · Score: 4, Informative

    From TFS:
    A brief story over on Finextra...
    'Brief' is right...'skimpy' is the adjective that comes to my mind.

    A much more detailed report on this story can be found at The Korea Times.

    Reading through the above referenced story, two things pop out at me:
    • The investment to build a safe e-banking environment may result in astronomical increases in systems costs given the insecure nature of the electronic commerce infrastructure.
    • The biggest challenge to the banking sector would be how to make home PCs secure. Hackers are increasingly preying on the home PCs, the most susceptible online link of all. Many bank customers tap in from home, often on a computer with little or no security software.

    Given these two paragraphs, this looks like I'm going to be paying higher systems costs because others can't be bothered to practice responsible computing (when this initiative moves out of Korea into the rest of the world, that is...).
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:All too brief... by inoffensif · · Score: 4, Informative

      To the parent, thanks for the Herald link.

      There are many factors which are prompting this in SK. I am not a native but I have been residing in South Korea for 2 years.

      -This place is the mecca of broadband internet access. I mean anywhere and everywhere in the country, everyone is connected at speeds that would humble first world nations. Not that SK isn't first world, economically they are, socially it's another story...
      -Everyone and their mother, uncle, step-sister uses IE explorer. Most Korean sites are designed for IE and don't work with any other browser.
      -The networks are dirty, before I had a physical firewall, ZoneAlarm was registering 1000+ intrusion attempts a day on my system.

      Put your average mom and pop who don't know any better, in an online banking situation in this environment, and you are asking for disaster.

      It will probably set a precedent for many online banking SOPs in the west.

      For those idiot western media brainwashed idiots who don't know a thing about Korea, get a clue, nobody gives a damn about eating dogs or even hears about North Korea more than once a month here, just listen to your dear leader dog tell you who to attack next.

      --
      - you are sofa king weed todd did
  2. Schneier likes it by Anonymous Coward · · Score: 5, Informative

    This is exactly what Bruce Schneier has been advocating for a while...here's his take on this story.

  3. Bruce Schneier by diakka · · Score: 2, Informative

    Looks like the government is taking a cue from Bruce Schneier. Glad to see that someone is listening.

    --
    -- Knowledge shared is power lost. -- Aleister Crowley
  4. That's what SSL certificates are for by brunes69 · · Score: 3, Informative

    If the SSL certificate does not match the IP address of the host you are connecting to, it should raise big red flags in your head.

    Sometimes, there are legitimate reasons for this (such as a bank moving servers and not having time to get a new cert), but they are usually very temporary, so to be safe you can just not do any banking during that period.

    Sure, you can still bypass this via a man in the middle attack using ARP poisoning - but in order to do that the hacker has to be on your local subnet if you have a home router, or else working at your ISP if you are directly connected.

    Either case is highly unlikely, and **any** way you look at it, even if your original DNS thing was an actual issue, online banking is much more secure than banking at an ATM or via debit payment, and I bet you do that every day.

    All I need to steal your money at an ATM is to install a hidden swipe reader inside the ATM/debit machine and a hidden camera to capture your PIN number. This happens *all the time*, far more than publicized. It is very easy to do, and a smart crook who just leaves the setup installed for a few hours then takes it down is rarely caught either.

    Even easier is to just capture the card swipe, use it to make a fake identical copy of your own card, and go into the bank and convince the teller to let you change the PIN on the card cause "you forgot it". Also simple to do. Much simpler than hacking into the DNS servers of your ISP, that's for sure.

  5. Re:Banks will require Trusted Computing by grimJester · · Score: 2, Informative
  6. Re:That's what SSL certificates are for by Russ+Steffen · · Score: 3, Informative

    SSL certificates are almost never issued to IP addresses, only to fqdn hostnames. In fact I've never seen a certificate with an IP address in the CN field, and I'm not even sure how a browser would handle it. In fact, issuing a certificate to an IP address would make things even less secure. With a hostname, the browser can check against a forward and reverse lookup, theoretically maximizing the number of machines that would have to be compromised to hijack the connection. It also subverts the only real check most certificate authorities do - verifying that the cert request is coming from the domain owner on record.
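
Added illustration, not part of any comment in the thread: a sketch of the identity comparison a TLS client makes between the name the user asked for and the names carried in the server certificate, covering both host names and IP literals. The certificate contents and host names are constructed, and the tuple layout is assumed to follow what Python's `ssl.SSLSocket.getpeercert()` returns under `subjectAltName`.

```python
import ipaddress

# Constructed sample data, shaped like the "subjectAltName" tuples that
# Python's ssl.SSLSocket.getpeercert() returns. All names are hypothetical.
BANK_CERT = [("DNS", "www.bank.example"),
             ("DNS", "*.online.bank.example"),
             ("IP Address", "192.0.2.10")]
OTHER_CERT = [("DNS", "www.other.example")]  # what a redirected connection might present

def dns_name_matches(pattern, host):
    """Compare one dNSName entry with the requested host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard only as the whole left-most label, covering exactly one
        # label, and never directly under a top-level name ("*.example").
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h

def cert_matches(requested, sans):
    """True if the certificate's names cover the identifier the user requested."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress entries.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    # A host name is compared only with dNSName entries. The address the
    # socket actually reached plays no part, so a poisoned DNS answer
    # cannot make a certificate for another name pass.
    return any(kind == "DNS" and dns_name_matches(value, requested)
               for kind, value in sans)

if __name__ == "__main__":
    for name, cert in [("www.bank.example", BANK_CERT),
                       ("login.online.bank.example", BANK_CERT),
                       ("a.b.online.bank.example", BANK_CERT),
                       ("192.0.2.10", BANK_CERT),
                       ("www.bank.example", OTHER_CERT)]:
        print(f"{name:28} -> {cert_matches(name, cert)}")
```

The last case is the one relevant to a DNS redirect: the user still asked for `www.bank.example`, so a certificate naming any other host fails the comparison regardless of which address answered.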