Slashdot Mirror


South Korean ID System To Be Rebuilt From Scratch After Massive Leaks

AmiMoJo writes: South Korea's national identity card system may need a complete overhaul following huge data thefts dating back to 2004. The government is considering issuing new ID numbers to every citizen over age 17, costing billions of dollars. The ID numbers and personal details of an estimated 80% of the country's 50 million people have been stolen from banks and other targets. Some 20 million people, including President Park Geun-hye, have been victims of a data theft. Citizens are unable to change their credentials, which are used in many different sectors, making them an attractive target for hackers.

59 comments

  1. 20 million out of 50 million stolen? by Spy Handler · · Score: 1

    Is that really true? How can 40% of your entire country's population have their identities stolen and still have a functioning economy? Man those Koreans are really tough.

    Didn't RTFA but I wonder if their reliance on IE6 and ActiveX had anything to do with this...

    1. Re:20 million out of 50 million stolen? by mlts · · Score: 3, Insightful

      We have the same thing here in the US, but good luck getting a new SSN if it gets compromised.

    2. Re:20 million out of 50 million stolen? by Anonymous Coward · · Score: 3, Informative

      Let South Korea be an object lesson in why we should not be using the Social Security Number as a unique ID here in the States.

      As a security measure, services available via Internet in South Korea require registration using the KSSN. Naturally, they were hilariously easy to steal because of this. In fact most gamers these days who want to play in the South Korean sandbox have access to South Korean KSSN generators because the issuing algorithm was cracked almost as soon as it was created.

    3. Re:20 million out of 50 million stolen? by Jane Q. Public · · Score: 2

      We have the same thing here in the US, but good luck getting a new SSN if it gets compromised.

      That is a perfect illustration of why any kind of "National" ID system is a bad idea: it's a bill-board-sized, high-value target.

      There are other reasons, too, but that one alone is sufficient.

    4. Re:20 million out of 50 million stolen? by Anonymous Coward · · Score: 0

      The KSSN's are also used in their MMORPG games... which have relatively lax data guards. The primary benefactors of KSSN theft are Chinese gold farmers and non-Koreans who want to play the Korean games.

    5. Re:20 million out of 50 million stolen? by Reason58 · · Score: 4, Insightful

      National identifaction is perfectly fine. The problem is when it is also used as the national authentication.

    6. Re:20 million out of 50 million stolen? by Reason58 · · Score: 3

      Identification even.

    7. Re:20 million out of 50 million stolen? by Anonymous Coward · · Score: 0

      South Korea
      The country that uses Internet Explorer 6 with ActiveX for all its banking needs.

    8. Re:20 million out of 50 million stolen? by TubeSteak · · Score: 3, Informative

      The hardest part of getting a new SSN is gathering up originals/certified copies of the documents you need to support your application.
      http://www.consumer.ftc.gov/articles/0248-do-you-need-new-social-security-number

      Applying for a New Number or Replacement Card

      The SSA may assign a new Social Security number to you if you are being harassed, abused, or are in grave danger when using the original number, or if you can prove that someone has stolen your number and is using it. You must provide evidence that the number is being misused, and that the misuse is causing you significant continuing harm.

      Please don't spread misinformation.

      --
      [Fuck Beta]
      o0t!
    9. Re:20 million out of 50 million stolen? by mlts · · Score: 2

      Going on a limb here, why not replace the national ID system with a bunch of decentralized CAs that sign certificates with a piece of data. For example, a user would have some cryptographic token. This could be a smartphone, a card, a USB keyfob, a SIM card, or something similar.

      Then, the state would add a signed entry with the person's name and photo to the key as a certificate. The actual public key is not affected. It just gets a cert attached that can be deleted by the user just like a PGP/gpg cert.

      With this in place, the state can add a series of certs if they are true:

      User is a citizen.
      User is 18+ years of age.
      User is 21+ years of age.
      etc.

      This way, when a cardholder goes to a bar, the bar has a reader that shows a signed picture, perhaps the name of the user, and the signed fact that the user is of legal age. No other information needs to be shared. Not citizenship, not anything... just who the user is, and that they are legal (doesn't matter what their age is as long as it is above the drinking age). No cert, no booze.

      Another example is an NGO use. A university signs a certificate that the key's owner has a diploma from them. When getting vetted for a job, this means that the employer knows that the applicant has a degree, but other info isn't given.

      Done this way, here is what the criminals can attack:

      1: The CA. If it is a distributed service, damage done can be minimized, as opposed to having everything in one basket.

      2: The actual card or token. This is a solved problem. SIM card hacking on LTE networks is minimal, satellite piracy is nonexistent, and there isn't any such thing as pirated software on the XBox One. Even things like CAC/PIV cards are very rarely broken.

      3: The user (yes, xkcd.com/538 applies.) However, this can be dealt with through means in place.

      4: The PKI. Using different algorithms (so a document is signed by multiple keys of RSA, ECC, and something quantum-factoring resistant, and hashed with multiple algorithms) will bring some robustness.

      So, there can be a national ID system, but if it is based on a PGP-like web of trust that is decentralized, it can be quite secure, but yet extremely protecting of privacy.

    10. Re:20 million out of 50 million stolen? by AqD · · Score: 1

      It's just a list of ID: Name. What's secret about that? There is no harm in publishing these and anyone could have obtained yours if they actually attempt it.

      You could print it on your clothes for ease of identification!

    11. Re:20 million out of 50 million stolen? by Anonymous Coward · · Score: 1

      > National identifaction is perfectly fine. The problem is when it is also used as the national authentication.

      No, it isn't just a problem with authentication. A single ID becomes a handle to track people across all databases. So ANY data leak becomes something that the thieves can cross-reference and use elsewhere.

      Here's a really simplistic example - if you carry auto insurance the liability levels on your policy give a good indication of how much wealth you have (because liability coverage is about protecting your assets not anyone else). So if your insurance company gets hacked now the thieves have a list of high-value targets to target and because your policy info also includes your DL# it is easy to cross-reference with DMV records to find out where your house is to come rob.

    12. Re:20 million out of 50 million stolen? by Zontar The Mindless · · Score: 1

      Let South Korea be an object lesson in why we should not make an ActiveX "security" applet a nationwide requirement for online financial transactions.

      TFTFY.

      --
      Il n'y a pas de Planet B.
    13. Re:20 million out of 50 million stolen? by unixisc · · Score: 1

      So one would still have a unique ID for identification and authentication, but entities that have that same thing would only have access to particular pieces of information? How exactly would that be implemented? I thought something like a smart card with an interface to a database that has various pieces of information, of which only some are easily obtained (say age) vs having to get a warrant for some others.

    14. Re:20 million out of 50 million stolen? by mlts · · Score: 1

      The certificates would be carried with the cryptographic token. If more info is needed, the old fashioned way of hitting queries is always still there.

      The goal is to give people/companies just the info they need to be compliant... and nothing more.
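
An added sketch of the per-attribute certificate scheme discussed in comments 9, 13 and 14 above (not code from any commenter or from a real ID system): each issuer signs one attribute bound to the holder's token key, and the holder discloses a single certificate plus a signature over the verifier's fresh nonce. Ed25519 via the third-party `cryptography` package, the JSON layout and all names are assumptions.

```python
import json
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def pub_hex(private_key):
    """Hex of the raw 32-byte public key; used as the certificate subject."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw
    ).hex()


def canonical(claim):
    """Deterministic encoding so issuer and verifier sign/check the same bytes."""
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def issue(issuer_name, issuer_key, subject_hex, attribute):
    """Issuer signs exactly one attribute, bound to the holder's token key."""
    claim = {"issuer": issuer_name, "subject": subject_hex, "attr": attribute}
    return {"claim": claim, "sig": issuer_key.sign(canonical(claim)).hex()}


def present(token_key, cert, nonce):
    """Holder shows one cert and proves possession of the token key."""
    return {"cert": cert, "proof": token_key.sign(b"present:" + nonce).hex()}


def check_sig(public_hex, sig_hex, message):
    try:
        key = Ed25519PublicKey.from_public_bytes(bytes.fromhex(public_hex))
        key.verify(bytes.fromhex(sig_hex), message)
        return True
    except (InvalidSignature, ValueError):
        return False


def verify(presentation, nonce, trusted_issuers, wanted_attr):
    """Verifier side: trusted issuer, right attribute, live token."""
    cert = presentation["cert"]
    claim = cert["claim"]
    issuer_hex = trusted_issuers.get(claim.get("issuer"))
    if issuer_hex is None or claim.get("attr") != wanted_attr:
        return False
    return (check_sig(issuer_hex, cert["sig"], canonical(claim))
            and check_sig(claim.get("subject", ""), presentation["proof"],
                          b"present:" + nonce))


def demo():
    # Hypothetical issuers and holder; all keys are generated on the spot.
    state = Ed25519PrivateKey.generate()
    university = Ed25519PrivateKey.generate()
    alice = Ed25519PrivateKey.generate()
    wallet = {
        "citizen": issue("state", state, pub_hex(alice), "citizen"),
        "age_over_21": issue("state", state, pub_hex(alice), "age_over_21"),
        "diploma": issue("university", university, pub_hex(alice), "diploma"),
    }
    bar_trusts = {"state": pub_hex(state)}  # the bar only trusts the state CA
    nonce = secrets.token_bytes(16)
    shown = present(alice, wallet["age_over_21"], nonce)

    # A copied certificate without the token key behind it.
    mallory = Ed25519PrivateKey.generate()
    copied = present(mallory, wallet["age_over_21"], nonce)
    # The holder relabels a genuine "citizen" cert as an age cert.
    relabelled = json.loads(json.dumps(wallet["citizen"]))
    relabelled["claim"]["attr"] = "age_over_21"

    return {
        "honest": verify(shown, nonce, bar_trusts, "age_over_21"),
        "disclosed_attr": shown["cert"]["claim"]["attr"],
        "copied_cert": verify(copied, nonce, bar_trusts, "age_over_21"),
        "replayed": verify(shown, secrets.token_bytes(16), bar_trusts, "age_over_21"),
        "relabelled": verify(present(alice, relabelled, nonce), nonce,
                             bar_trusts, "age_over_21"),
        "unknown_issuer": verify(present(alice, wallet["diploma"], nonce), nonce,
                                 bar_trusts, "diploma"),
    }


if __name__ == "__main__":
    print(demo())
```

In this sketch the token's public key appears in every certificate, so verifiers that compare records can still link presentations by it, which is the cross-database tracking concern raised in comment 11.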

    15. Re:20 million out of 50 million stolen? by arglebargle_xiv · · Score: 1

      Here's a really simplistic example - if you carry auto insurance the liability levels on your policy give a good indication of how much wealth you have (because liability coverage is about protecting your assets not anyone else).

      You don't even need to go to the insurance companies, in Russia you just buy the registration database and then target people who have Mercedes and BMWs.

      (I'm not being facetious, this is how the criminals actually do it).

  2. Never Ending Proooooject (a la laaa la-la-lalala) by Anonymous Coward · · Score: 0

    Because a national ID is so valuable to thieves no amount of re-engineering is going to make it safe for long, unless you expect to keep engineering it over and over forever (just like anti fraud countermeasures in currency, which is a constantly evolving industry as we all know)

    So yeah, you may save some paperwork / red tape identifying individual citizens but you ultimately create an easy way to steal that identity, that gives it value and that gives the vast army of thieves something to work hard at cracking

    Good luck! In the meantime, keep coding that minivan

  3. But the ID shouldn't have to be secret by Lorens · · Score: 3, Insightful

    Granted it's not good if the IDs are easy to guess, nor if the list of IDs+names gets out, but as long as you're not using the ID to authenticate people, only to identify them, it shouldn't be a terrible problem. Think ID=username, not password. What they say about the credentials seems a bit more worrying, but we'd need a lot more info here . . .

    1. Re:But the ID shouldn't have to be secret by Koby77 · · Score: 1

      A similar thing happens in the USA. It's not especially difficult to ID someone based on their Social Security Number and home address. The problem occurs when a lender foolishly extends credit to anyone based on that criteria alone. Rarely do they recover the money (although it does create quite a headache for the actual person). Most USA lending institutions do a much more thorough ID check nowadays. I would imagine that a bank or other business in South Korea would be smart not to exclusively use a Korean ID Number as establishment of identity.

    2. Re:But the ID shouldn't have to be secret by rtb61 · · Score: 2

      So the real problem is not identity theft at all, the real problem is vendors failing to properly identify the person, allowing a fraudulent transaction to occur and then pursuing the wrong person.

      Easy way to solve the problem, charge the vendor with fraud when they make a false claim against a person when the vendor can not prove a fraudulent transaction was made against them.

      It should never ever be an innocent party's fault who had no part in the transaction, they should not need to prove anything. First in the firing line should always be the vendor for making a fraudulent claim against an innocent party. You can bet it will not take long for vendors and credit providers to tighten up on identification requirements once they start facing penalties for fraudulent charges.

      --
      Chaos - everything, everywhere, everywhen
    3. Re:But the ID shouldn't have to be secret by Kjella · · Score: 1

      Except authentication is usually not username+password or digital signature, it's identification+official paper saying you're that person. Everywhere you use your passport, driver's license or any other photo ID you're relying on three things:

      1) The difficulty of acquiring the information to be on the card
      2) The difficulty of forging the card
      3) The difficulty of fooling the issuers into producing a fake card

      The last one is often a sneaky one, enough ID info and you might trick one of them into believing you've lost your ID and issue a new one. But there's enough direct fakes too, if they have the necessary information that's half the way.

      --
      Live today, because you never know what tomorrow brings
    4. Re:But the ID shouldn't have to be secret by dgatwood · · Score: 2

      So the real problem is not identity theft at all, the real problem is vendors failing to properly identify the person, allowing a fraudulent transaction to occur and then pursuing the wrong person.

      Exactly what I've been saying for years. There's no such thing as identity theft. You can't steal an identity, by definition, because an identity is who you are, not some arbitrary piece of information used to represent you. An SSN is an identifier, not an identity. (This is not precisely correct in the cryptographic sense of the term, but neither is an SSN in any way cryptographic, so that distinction is largely moot.)

      With that said, identity fraud isn't entirely the fault of vendors. Much of the fault lies with the credit bureaus. Their business involves making claims about a person based on insufficient authentication, then charging money to consumers for "protection" against them making false claims when they fail to do their jobs correctly. Credit bureaus are the very definition of a protection racket (minus the physical violence).

      The easy way to solve the problem is that when someone makes a false claim about you, sue the credit bureaus. Because you have no ongoing contractual relationship with them, they cannot compel you to binding arbitration, and because they are making false claims about you in writing, they are guilty of libel. It would only take a few thousand people doing this to force the credit bureaus to take authentication more seriously, such as providing call-back authentication at no cost to consumers—something that they should have been doing all along.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. The US needs to replace the Social Security system by Anonymous Coward · · Score: 0

    Our numbers of stolen identities and sensitive information are far worse, but big banks or the gov are never held accountable so the only choice we have left is to overhaul the system.

  5. AnusPooPoo by Hognoxious · · Score: 0

    The ID details of an average Korean: $25
    The ID details of a high ranking politician: $17,000

    BritHatingShitcock linking to the BBC: Priceless.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  6. Identification != Authentication by Anonymous Coward · · Score: 5, Interesting

    In Switzerland the equivalent of a Social Security Number (AHV-Nummer) is pretty much public knowledge.
    E.g. mine is 114.77.233.114, and I'm posting as AC!! There is even an online tool to calculate the number from birthday, name and gender.
    And we don't have more problems with identity theft than the rest of the world.
    The difference is for authentication for important stuff we have to show up in person with an ID and a real human checks the identity.

    1. Re: Identification != Authentication by Anonymous Coward · · Score: 0

      Another fun fact: Donald Rumsfeld (Yes the real one) gets from Switzerland 5000CHF/year social security, because he worked for ABB in Switzerland. And his AHV-Number is most probably: 770.32.309.000

    2. Re:Identification != Authentication by sconeu · · Score: 1

      If it's derived from name/birthdate/gender, what happens if you have two men named "Johann Schmidt" who were born on the same date?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:Identification != Authentication by Anonymous Coward · · Score: 1

      Showing up in person? How inconvenient. One should be able to get multiple lines of credit over the phone just by knowing a few names and a couple numbers.

    4. Re:Identification != Authentication by Anonymous Coward · · Score: 0

      If it's derived from name/birthdate/gender, what happens if you have two men named "Johann Schmidt" who were born on the same date?

      There's a two digit counter for that case. But with 100 births per day the counter is most likely 0.

    5. Re:Identification != Authentication by IamTheRealMike · · Score: 3

      The difference is for authentication for important stuff we have to show up in person with an ID and a real human checks the identity.

      For some things you can also use a SuisseID which is just a regular PKI smartcard USB dongle thingy. I have one. After installing the software, you can log in to some Swiss websites by just clicking the login button in the web page. You might have to enter a password and the dongle then signs the SSL session. It's all standards based and the certificate in the hardware is based on your legally verified identity, i.e. you show a passport at the post office and get your personalised stick through the mail a few days later.

    6. Re:Identification != Authentication by Anonymous Coward · · Score: 0

      In time, a PKI solution will replace SSN (and SSN will become certificate's checksum). In Germany for example, there is already a system for eID cards based on PKI.
      http://www.personalausweisportal.de/EN/Citizens/Electronic-Identification/Electronic-Identification_node.html

    7. Re:Identification != Authentication by Anonymous Coward · · Score: 0

      I believe in the Netherlands it used to be that they indeed track names when you are born and your parents will have to think of a new name. But we only have a population of 14 M. They probably don't do this anymore since with computers it is simple to generate a new number for everyone.

      Besides I changed my last name to my mother's last name; this caused indeed a name/birthday collision with someone with a bad credit rating which is annoying.
      Companies, including credit rating agencies, are not allowed to use the social security number, nor are they allowed to use anything other than the name and birthday to uniquely identify a person. In the end the credit agency is able to add two records with the same primary key (yea, not unique) and add in a note that there are two unique persons with the same name, so that they do manual checking when a request is made.

    8. Re:Identification != Authentication by ColaMan · · Score: 1

      It's pretty simple. One of them has to find and kill the other.

      There can be only one.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    9. Re:Identification != Authentication by Zontar The Mindless · · Score: 1

      Yes, it's the same here in Sweden.

      No, I'm not going to post mine. :)

      --
      Il n'y a pas de Planet B.
    10. Re:Identification != Authentication by Anonymous Coward · · Score: 0

      In Switzerland the equivalent of a Social Security Number (AHV-Nummer) is pretty much public knowledge.
      E.g mine is 114.77.233.114,

      Hey, that's my IP address!! How cool is that?

  7. Anonymity ftw by Anonymous Coward · · Score: 0

    Yeah, it's a great idea to entrust banks with databases of people. Can I now please keep my anonymous currencies, like cash and Bitcoin?

  8. South Korea is stuck with Internet Explorer by Anonymous Coward · · Score: 0

    www.washingtonpost.com/world/asia_pacific/due-to-security-law-south-korea-is-stuck-with-internet-explorer-for-online-shopping/2013/11/03/ffd2528a-3eff-11e3-b028-de922d7a3f47_story.html

  9. Back into the tarpit by david_thornley · · Score: 1

    Okay, so South Korea's going to issue new ID numbers to people. What is that going to accomplish? The current ones appear to do plenty well for identification; it's only a problem if they're going to use a number that people can't change and which they have to share with a lot of other people as authentication. In other words, if they're not plain stupid about it. It's like my Social Security number: I got it as a child, and I can't change it, and at the very minimum every employer and financial institution I deal with needs to get and keep a copy. I have to give out the last four digits even more often, yet if somebody knows when and where I got my SSN they can make very good guesses at the first five. (It's worse now than when I was young, since newborns get numbers now, so they can be claimed as dependents. When I was young, I had to get one but not in such a restricted time interval.) Yet, if somebody gets my number, they can cause me a great many problems, and I can't track back to see which incompetent institution leaked it and get restitution from them.

    What's going to happen, after the Koreans spend all that money, is that the fraud conveniently (for financial institutions) labeled "identity theft" is going to go way down, and then the bad guys will start getting IDs again from various sources, and then we're going to see this whole thing all over again. As long as somebody can pretend to be Park Geun-hye by knowing her ID number, nothing's going to improve.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  10. Re:The US needs to replace the Social Security sys by Anonymous Coward · · Score: 0

    My college used SSN as student ID number. Printed on my godforsaken ID card, it was. Which was handed to god knows how many people, because we were forced to use it as a sort of pre-loaded debit card (is Freshmen not eating that big of a problem?).

    To this day, it astounds me that a campus ending with 'Institute of Technology' could be so daft.

    Banks are a symptom. Not the problem. Government, though? Whoever's letting privately held organizations utilize SSN as a primary key needs to be taken out and beaten through the streets, preferably by a team of crazed DBAs who lift weights on the weekends.

  11. Rethink this ID process by sithkhan · · Score: 0

    The South Koreans need to learn that requiring individuals in society to provide identification to verify their identity is as racist as a Texan GOPer.

    --

    is it that bad seein a hot chick again? if i see a hot chick walkin down the hall i dont say "repost"
  12. Did they.. by Anonymous Coward · · Score: 0

    build it using a relabeled Chinese design?

  13. Bad verification system.... by mythosaz · · Score: 1

    The system was easily breached.

    To reset your password, you had to correctly answer your security question: "What is your last/family name?" You did only get three guesses before being locked out though.

    1. Re:Bad verification system.... by Anonymous Coward · · Score: 0

      Ah the fifth factor in:
      1. Who you are.
      2. What you know.
      3. What you have.
      4. Where you are (banks for example use this to check if you pay in Amsterdam and in the next hour in New York).
      5. What everyone knows about you ("security" questions).

  14. Make SSN a national ID card by unixisc · · Score: 1

    Just add your photo to your SSN card, put it on a credit card like plastic with either a magnetic strip, a QR code or smart card interface, and viola! You have yourself a national ID card. This can even substitute a passport, with entries made every time you leave or enter the country.

    1. Re:Make SSN a national ID card by Zontar The Mindless · · Score: 1

      This sounds a lot like my national ID card as well as my permanent resident visa card.

      The latter constitutes proof that I'm a legal resident of the EU and is all I need to travel to most if not all EU/Schengen countries (maybe not the UK, I've not bothered to check). Forgot my passport when going on a trip to Budapest for a holiday this summer, and the security and airline folks were perfectly happy to let me fly in both directions without it, since I had the ID and visa cards. I no longer bother taking my passport on trips to the other 3 Nordic countries (I live in Stockholm).

      I *do* take my passport when travelling to Germany because they tend to be dicks about it there if you're not actually an EU citizen.

      I sort of hope the passport itself doesn't get replaced, though--you can't see the visa stamps on a chip or mag stripe.

      --
      Il n'y a pas de Planet B.
    2. Re:Make SSN a national ID card by Jane Q. Public · · Score: 1

      Just add your photo to your SSN card, put it on a credit card like plastic with either a magnetic strip, a QR code or smart card interface, and viola! You have yourself a national ID card. This can even substitute a passport, with entries made every time you leave or enter the country.

      Just no.

      When Social Security was being debated, and presented to the American public, they were promised -- PROMISED -- that it would never be used as a national ID card.

      Because the people back then understood what a bad idea national ID cards are in the United States.

      Many years later, they made an exception. For what? Finance companies.

      You might be interested to know that other than for credit, it is still illegal for companies to use your SSN as identification in your files, if you ask them not to.

    3. Re:Make SSN a national ID card by Jane Q. Public · · Score: 1

      This sounds a lot like my national ID card as well as my permanent resident visa card.

      The EU is not the United States.

    4. Re:Make SSN a national ID card by unixisc · · Score: 1

      What's even worse is the idea of using Driver Licenses - that's why you have the problem in some border states of proposals of wanting to issue DLs to illegals so that they don't compound the crime of being here illegally with doing hit and runs, since any discovery would require their instant deportation. But I digress.

      Right now, that ship has sailed - social security is already used as identification, but since it doesn't have a photograph, one is required to show a passport or a driving license in addition to the social security card (which is still required if you're say, applying for a job, which will need it sooner or later for doing your I9 forms.) This is annoying. Just make the changes I suggested above - nobody's asking the US to be EU - and use only the social security card for official ID purposes. Get rid of the practice of requiring DLs for that, and even for passports, have them electronically linked so that one's whereabouts, if one is travelling abroad, is known. (Yeah, yeah, I hear all the screams of 'Snowden, NSA, privacy, blah blah blah, but like it or not, as Scott McNealy once noted, privacy is dead)

      Conservatives don't like national ID cards because of a mistrust of big government. Liberals don't like them for similar reasons. However, fact remains that in today's world, like it or not, they are needed. Put it all in ONE place, and let other things be restricted to their domains - like one's driving record tied only to one's DL (unless any manslaughter cases are involved).

    5. Re:Make SSN a national ID card by unixisc · · Score: 1

      I sort of hope the passport itself doesn't get replaced, though--you can't see the visa stamps on a chip or mag stripe.

      Part of what I suggested above is that they scan the card, which would give them your name, ID number (SSN# for the US), and then you'd by scanning the tickets enter the date they're leaving/entering the continent/country and their source/destinations. All that goes into an online record, which any police official in any country can run up if that person goes on to later blow up a dock in Oakland, or lands up in Syria in ISIS rags and is shown on TV beheading some Infidels.

    6. Re: Make SSN a national ID card by Anonymous Coward · · Score: 0

      Obviously not. However, the rights of EU citizens in regard to the other states of the Union resemble 99% the rights of US citizens relative to any US state. An EU citizen can reside, be employed, start a business, buy land and property, invest, travel, conduct business, run in elections, vote (locally or at Union level), study, marry, get a driver license, and so forth without a passport(*) in any other EU state, just like US citizens can do the same things in any other US state.

      (*) Except for the nationals of few EU states which do not have National ID cards; they can enjoy the same freedoms but with a passport

  15. Re:The US needs to replace the Social Security sys by Anonymous Coward · · Score: 0

    Absolutely, but part of the disinfecting process has to be getting rid of the usefulness of the SSN.

    The SSS should issue a new SSI that has letters. People should also have a separate ID for medical, driving license, tax, criminal, education, credit, etc. And there should be no way to derive one ID from another. It should be illegal to have any ID of someone else unless that someone specifically gave it to you and you should only have it as long as it is needed. ie once a credit check is done you delete the credit ID and credit check.

  16. Ok so Who made it? by Stan92057 · · Score: 1

    Ok so Who made it? No I didn't read the article my eyes hurt.

    --
    Jack of all trades,master of none
  17. Medicare needs a separate number. by Ungrounded Lightning · · Score: 1

    We have the same thing here in the US, but good luck getting a new SSN if it gets compromised.

    What bugs me is I've been refusing to give out my SS# to any operation that didn't have a federal mandate to get it for decades - since at LEAST the '80s.

    Then I aged into eligibility for medicare - and other health insurers insist that, since I'm eligible, they'll only pay the difference between my coverage with them and what Medicare pays (which is most of the bill), even if I don't collect from Medicare. Not collecting from Medicare would be a financial disaster.

    But Medicare's I.D. is the social security number with a single letter appended to it. Every clerk at every doctor's office, clinic, hospital, pharmacy, etc. that I interact with gets my SS#. Every such operation's database has my SS#. I went to Costco for a flu shot, so now Costco has my SS#. Every store's database is a chance for a cracker to collect it. Every clerk is a chance for some crook to tempt them and buy it.

    There was recently an article wringing its hands over the discovery that people over 65 have a higher incidence of identity theft. Well DUH!

    The solution would be for Medicare to assign a separate medicare number for making claims and otherwise interacting with them - something randomly picked (not algorithmically generated from the SS#, which would return to the current case as soon as the algorithm leaked), and only paired with the SS# (if at all) in a database in the relevant government department.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
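
An added illustration of the randomly assigned, per-sector identifier proposed in comments 15 and 17 above (not code from either commenter or from any agency): it contrasts an ID derived from the root number by a public algorithm with a random ID held only in the issuer's mapping table, and shows reissuing after a leak. The `Registry` class, sector names and sample numbers are hypothetical and constructed for this example.

```python
import hashlib
import secrets

# Constructed sample data: root numbers assumed to have leaked elsewhere.
LEAKED_ROOTS = ["000-00-0001", "000-00-0002"]


def derived_id(root, sector):
    """Scheme the comment warns against: a public algorithm over the root number."""
    return hashlib.sha256(f"{sector}:{root}".encode()).hexdigest()[:12]


class Registry:
    """Issuer-side table; the only place a sector ID is paired with a root number."""

    def __init__(self):
        self._current = {}   # (root, sector) -> sector ID in force
        self._owner = {}     # (sector, sector ID) -> root

    def issue(self, root, sector):
        key = (root, sector)
        if key not in self._current:
            sid = secrets.token_hex(8)          # random, carries no information
            self._current[key] = sid
            self._owner[(sector, sid)] = root
        return self._current[key]

    def reissue(self, root, sector):
        """Revoke the ID in force and hand out a fresh one after a leak."""
        old = self._current.pop((root, sector), None)
        if old is not None:
            self._owner.pop((sector, old), None)
        return self.issue(root, sector)

    def is_current(self, sector, sid):
        return (sector, sid) in self._owner


def joinable(leaked_roots, sector, sector_ids):
    """How many leaked root numbers match a sector's dump by recomputing IDs."""
    return sum(derived_id(r, sector) in sector_ids for r in leaked_roots)


def demo():
    reg = Registry()
    derived_dump = {derived_id(r, "medical") for r in LEAKED_ROOTS}
    random_dump = {reg.issue(r, "medical") for r in LEAKED_ROOTS}
    root = LEAKED_ROOTS[0]
    old = reg.issue(root, "medical")
    new = reg.reissue(root, "medical")
    return {
        "derived_joined": joinable(LEAKED_ROOTS, "medical", derived_dump),
        "random_joined": joinable(LEAKED_ROOTS, "medical", random_dump),
        "sectors_differ": reg.issue(root, "medical") != reg.issue(root, "credit"),
        "old_still_valid": reg.is_current("medical", old),
        "new_valid": reg.is_current("medical", new),
    }


if __name__ == "__main__":
    print(demo())
```
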
  18. North Korea moves South by ITRambo · · Score: 1

    5 million more stolen ID's and the entire population of North Korea can apply for South Korean benefits.

  19. We Should Never Use Biometrics for the Same Reason by Anonymous Coward · · Score: 0

    Citizens are unable to change their credentials...

    This is the very reason we should never require or accept biometric information for security or authentication purposes. You cannot change your "credentials" once they're stolen. We must have credit card numbers, account numbers, etc, as an abstraction layer that separates us from our credentials so the credentials can be replaced if they are ever compromised.

  20. Just copy the Belgian one by houghi · · Score: 1

    The Belgium part is free (as in both speech and beer). It is a chip that is on the ID that everybody has to have (when older than 12 years).
    Sources are available for developers for Windows, Mac and Linux.

    Readers can be bought easily. Store or bank needs your ID? They just read the card. No mistyping it anymore.
    The content on it is:
    Name, Given name, Place and date of birth, Gender, National Number, Nationality, Title, Special status, Address.
    Card number issue place, chip number, valid from-until
    It has a pin number, so you can use it to sign over the Internet.

    The only downside, I think, is that not more online companies in Belgium use it. This is because now the burden is with the customer.
    They need to type things in.

    It will NOT prevent abuse. It will make things just a lot easier for all. And with verification online it will be checked if the card is stolen and if it was not tampered with.

    And again, this stuff is open source.

    --
    Don't fight for your country, if your country does not fight for you.
  21. What Platform .. by lippydude · · Score: 1

    What Operating System Platform did this id-system run on?