Slashdot Mirror

← Back to Stories (view on slashdot.org)

South Korean ID System To Be Rebuilt From Scratch After Massive Leaks

Posted by Soulskill on from the maybe-think-it-through-this-time dept.

AmiMoJo writes: South Korea's national identity card system may need a complete overhaul following huge data thefts dating back to 2004. The government is considering issuing new ID numbers to every citizen over age 17, costing billions of dollars. The ID numbers and personal details of an estimated 80% of the country's 50 million people have been stolen from banks and other targets. Some 20 million people, including President Park Geun-hye, have been victims of a data theft. Citizens are unable to change their credentials, which are used in many different sectors, making them an attractive target for hackers.

38 of 59 comments (clear)

  1. 20 million out of 50 million stolen? by Spy+Handler · · Score: 1

    Is that really true? How can 40% of your entire country's population have their identities stolen and still have a functioning economy? Man those Koreans are really tough.

    Didn't RTFA but I wonder if their reliance on IE6 and ActiveX had anything to do with this...

    1. Re:20 million out of 50 million stolen? by mlts · · Score: 3, Insightful

      We have the same thing here in the US, but good luck getting a new SSN if it gets compromised.

    2. Re:20 million out of 50 million stolen? by Anonymous Coward · · Score: 3, Informative

      Let South Korea be an object lesson in why we should not be using the Social Security Number as a unique ID here in the States.

      As a security measure, services available via Internet in South Korea require registration using the KSSN. Naturally, they were hilariously easy to steal because of this. In fact most gamers these days who want to play in the South Korean sandbox have access to South Korean KSSN generators because the issuing algorithm was cracked almost as soon as it was created.

    3. Re:20 million out of 50 million stolen? by Jane+Q.+Public · · Score: 2

      We have the same thing here in the US, but good luck getting a new SSN if it gets compromised.

      That is a perfect illustration of why any kind of "National" ID system is a bad idea: it's a bill-board-sized, high-value target.

      There are other reasons, too, but that one alone is sufficient.

    4. Re:20 million out of 50 million stolen? by Reason58 · · Score: 4, Insightful

      National identifaction is perfectly fine. The problem is when it is also used as the national authentication.

    5. Re:20 million out of 50 million stolen? by Reason58 · · Score: 3

      Identification even.

    6. Re:20 million out of 50 million stolen? by TubeSteak · · Score: 3, Informative

      The hardest part of getting a new SSN is gathering up originals/certified copies of the documents you need to support your application.
      http://www.consumer.ftc.gov/articles/0248-do-you-need-new-social-security-number

      Applying for a New Number or Replacement Card

      The SSA may assign a new Social Security number to you if you are being harassed, abused, or are in grave danger when using the original number, or if you can prove that someone has stolen your number and is using it. You must provide evidence that the number is being misused, and that the misuse is causing you significant continuing harm.

      Please don't spread misinformation.

      --
      [Fuck Beta]
      o0t!
    7. Re:20 million out of 50 million stolen? by mlts · · Score: 2

      Going on a limb here, why not replace the national ID system with a bunch of decentralized CAs that sign certificates with a piece of data. For example, a user would have some cryptographic token. This could be a smartphone, a card, a USB keyfob, a SIM card, or something similar.

      Then, the state would add a signed entry with the person's name and photo to the key as a certificate. The actual public key is not affected. It just gets a cert attached that can be deleted by the user just like a PGP/gpg cert.

      With this in place, the state can add a series of certs if they are true:

      User is a citizen.
      User is 18+ years of age.
      User is 21+ years of age.
      etc.

      This way, when a cardholder goes to a bar, the bar has a reader that shows a signed picture, perhaps the name of the user, and the signed fact that the user is of legal age. No other information needs to be shared. Not citizenship, not anything... just who the user is, and that they are legal (doesn't matter what their age is as long as it is above the drinking age). No cert, no booze.

      Another example is a NGO use. A university signs a certificate that the key's owner has a diploma from them. When getting vetted for a job, this means that the employer knows that the applicant has a degree, but other info isn't given.

      Done this way, here is what the criminals can attack:

      1: The CA. If it is a distributed service, damage done can be minimized, as opposed to having everything in one basket.

      2: The actual card or token. This is a solved problem. SIM card hacking on LTE networks is minimal, satellite piracy is nonexistant, and there isn't any such thing as pirated software on the XBox One. Even things like CAC/PIV cards are very rarely broken.

      3: The user (yes, xkcd.com/538 applies.) However, this can be dealt with through means in place.

      4: The PKI. Using different algorithms (so a document is signed by multiple keys of RSA, ECC, and something quantum-factoring resistant, and hashed with multiple algorithms) will bring some robustness.

      So, there can be a national ID system, but if it is based on a PGP-like web of trust that is decentralized, it can be quite secure, but yet extremely protecting of privacy.

    8. Re:20 million out of 50 million stolen? by AqD · · Score: 1

      It's just list of ID: Name. What's secret about that? There is no harm in publishing these and anyone could have obtained yours if they actually attempt it.

      You could print it on your clothes for ease of identification!

    9. Re:20 million out of 50 million stolen? by Anonymous Coward · · Score: 1

      > National identifaction is perfectly fine. The problem is when it is also used as the national authentication.

      No, it isn't just a problem with authentication. A single ID becomes a handle to track people across all databases So ANY data leak becomes something that the thieves can cross-reference and use elsewhere.

      Here's a really simplistic example - if you carry auto insurance the liability levels on your policy give a good indication of how much wealth you have (because liability coverage is about protecting your assets not anyone else). So if your insurance company gets hacked now the thieves have a list of high-value targets to target and because your policy info also includes your DL# it is easy to cross-reference with DMV records to find out where your house is to come rob.

    10. Re:20 million out of 50 million stolen? by Zontar+The+Mindless · · Score: 1

      Let South Korea be an object lesson in why we should not make an ActiveX "security" applet a nationwide requirement for online financial transactions.

      TFTFY.

      --
      Il n'y a pas de Planet B.
    11. Re:20 million out of 50 million stolen? by unixisc · · Score: 1

      So one would still have a unique ID for identification and authentication, but entities that have that same thing would only have access to particular pieces of information? How exactly would that be implemented? I thought something like a smart card with an interface to a database that has various pieces of information, of which only some are easily obtained (say age) vs having to get a warrant for some others.

    12. Re:20 million out of 50 million stolen? by mlts · · Score: 1

      The certificates would be carried with the cryptographic token. If more info is needed, the old fashioned way of hitting queries is always still there.

      The goal is to give people/companies just the info they need to be compliant... and nothing more.

    13. Re:20 million out of 50 million stolen? by arglebargle_xiv · · Score: 1

      Here's a really simplistic example - if you carry auto insurance the liability levels on your policy give a good indication of how much wealth you have (because liability coverage is about protecting your assets not anyone else).

      You don't even need to go to the insurance companies, in Russia you just buy the registration database and then target people who have Mercedes and BMWs.

      (I'm not being facetious, this is how the criminals actually do it).

  2. But the ID shouldn't have to be secret by Lorens · · Score: 3, Insightful

    Granted it's not good if the IDs are easy to guess, nor if the list of IDs+names gets out, but as long as you're not using the ID to authenticate people, only to identify them, it shouldn't be a terrible problem. Think ID=username, not password. What they say about the credentials seems a bit more worrying, but we'd need a lot more info here . . .

    1. Re:But the ID shouldn't have to be secret by Koby77 · · Score: 1

      A similar thing happens in the USA. It's not especially difficult to ID someone based on their Social Security Number and home address. The problem occurs when a lender foolishly extends credit to anyone based on that criteria alone. Rarely do they recover the money (although it does create quite a headache for the actual person). Most USA lending institutions do a much more thorough ID check nowadays. I would imagine that a bank or other business in South Korea would be smart not to exclusively use a Korean ID Number as establishment of identity.

    2. Re:But the ID shouldn't have to be secret by rtb61 · · Score: 2

      So the real problem is not identity theft at all, the real problem is vendors failing to properly identify the person, allowing a fraudulent transaction to occur and then pursuing the wrong person.

      Easy way to solve the problem, charge the vendor with fraud with they make a false claim against person when then vendor can not prove a fraudulent transaction was made against them.

      It should never ever be a innocent parties fault who had not part in the transaction, they should not need to prove anything. First in the firing line should always be the vendor for making a fraudulent claim against an innocent party. You can bet it will not take long for vendors and credit providers to tighten up on identification requirement once they start facing penalties for fraudulent charges.

      --
      Chaos - everything, everywhere, everywhen
    3. Re:But the ID shouldn't have to be secret by Kjella · · Score: 1

      Except authentication is usually not username+password or digital signature, it's identification+official paper saying you're that person. Everywhere your use your passport, driver's license or any other photo ID you're relying on three things:

      1) The difficulty of acquiring the information to be on the card
      2) The difficulty of forging the card
      3) The difficulty of fooling the issuers into producing a fake card

      The last one is often a sneaky one, enough ID info and you might trick one of them into believing you've lost your ID and issue a new one. But there's enough direct fakes too, if they have the necessary information that's half the way.

      --
      Live today, because you never know what tomorrow brings
    4. Re:But the ID shouldn't have to be secret by dgatwood · · Score: 2

      So the real problem is not identity theft at all, the real problem is vendors failing to properly identify the person, allowing a fraudulent transaction to occur and then pursuing the wrong person.

      Exactly what I've been saying for years. There's no such thing as identity theft. You can't steal an identity, by definition, because an identity is who you are, not some arbitrary piece of information used to represent you. An SSN is an identifier, not an identity. (This is not precisely correct in the cryptographic sense of the term, but neither is an SSN in any way cryptographic, so that distinction is largely moot.)

      With that said, identity fraud isn't entirely the fault of vendors. Much of the fault lies with the credit bureaus. Their business involves making claims about a person based on insufficient authentication, then charging money to consumers for "protection" against them making false claims when they fail to do their jobs correctly. Credit bureaus are the very definition of a protection racket (minus the physical violence).

      The easy way to solve the problem is that when someone makes a false claim about you, sue the credit bureaus. Because you have no ongoing contractual relationship with them, they cannot compel you to binding arbitration, and because they are making false claims about you in writing, they are guilty of libel. It would only take a few thousand people doing this to force the credit bureaus to take authentication more seriously, such as providing call-back authentication at no cost to consumers—something that they should have been doing all along.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. Identification != Authentication by Anonymous Coward · · Score: 5, Interesting

    In Switzerland the equivalent of a Social Security Number (AHV-Nummer) is pretty much public knowledge.
    E.g mine is 114.77.233.114, and I'm posting as AC!! There is even an online tool to calculate the number from birthday, name and gender.
    And we don't have more problems with identity theft than the rest of the world.
    The difference is for authentication for important stuff we have to show up in person with an ID and a real human checks the identity.

    1. Re:Identification != Authentication by sconeu · · Score: 1

      If it's derived from name/birthdate/gender, what happens if you have two men named "Johann Schmidt" who were born on the same date?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:Identification != Authentication by Anonymous Coward · · Score: 1

      Showing up in person? How inconvenient. One should be able to get multiple lines of credit over the phone just by knowing a few names and a couple numbers.

    3. Re:Identification != Authentication by IamTheRealMike · · Score: 3

      The difference is for authentication for important stuff we have to show up in person with an ID and a real human checks the identity.

      For some things you can also use a SuisseID which is just a regular PKI smartcard USB dongle thingy. I have one. After installing the software, you can log in to some Swiss websites by just clicking the login button in the web page. You might have to enter a password and the dongle then signs the SSL session. It's all standards based and the certificate in the hardware is based on your legally verified identity, i.e. you show a passport at the post office and get your personalised stick through the mail a few days later.

    4. Re:Identification != Authentication by ColaMan · · Score: 1

      It's pretty simple. One of them has to find and kill the other.

      There can be only one.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    5. Re:Identification != Authentication by Zontar+The+Mindless · · Score: 1

      Yes, it's the same here in Sweden.

      No, I'm not going to post mine. :)

      --
      Il n'y a pas de Planet B.
  4. Back into the tarpit by david_thornley · · Score: 1

    Okay, so South Korea's going to issue new ID numbers to people. What is that going to accomplish? The current ones appear to do plenty well for identification; it's only a problem if they're going to use a number that people can't change and which they have to share with a lot of other people as authentication. In other words, if they're not plain stupid about it. It's like my Social Security number: I got it as a child, and I can't change it, and at the very minimum every employer and financial institution I deal with needs to get and keep a copy. I have to give out the last four digits even more often, yet if somebody knows when and where I got my SSN they can make very good guesses at the first five. (It's worse now than when I was young, since newborns get numbers now, so they can be claimed as dependents. When I was young, I had to get one but not in such a restricted time interval.) Yet, if somebody gets my number, they can cause me a great many problems, and I can't track back to see which incompetent institution leaked it and get restitution from them.

    What's going to happen, after the Koreans spend all that money, is that the fraud conveniently (for financial institutions) labeled "identity theft" is going to go way down, and then the bad guys will start getting IDs again from various sources, and then we're going to see this whole thing all over again. As long as somebody can pretend to be Park Geun-hye by knowing her ID number, nothing's going to improve.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  5. Bad verification system.... by mythosaz · · Score: 1

    The system was easily breached.

    To reset your password, you had to correctly answer your security question: "What is your last/family name?" You did only get three guesses though before being locked out though.

  6. Make SSN a national ID card by unixisc · · Score: 1

    Just add your photo to your SSN card, put it on a credit card like plastic with either a magnetic strip, a QR code or smart card interface, and viola! You have yourself a national ID card. This can even substitute a passport, with entries made every time you leave or enter the country.

    1. Re:Make SSN a national ID card by Zontar+The+Mindless · · Score: 1

      This sounds a lot like my national ID card as well as my permanent resident visa card.

      The latter constitutes proof that I'm a legal resident of the EU and is all I need to travel to most if not all EU/Schengen countries (maybe not the UK, I've not bothered to check). Forgot my passport when going on a trip to Budapest for a holiday this summer, and the security and airline folks where perfectly happy to let me fly in both directions without it, since I had the ID and visa cards. I no longer bother taking my passport on trips to the other 3 Nordic countries (I live in Stockholm).

      I *do* take my passport when travelling to Germany because they tend to be dicks about it there if you're not actually an EU citizen.

      I sort of hope the passport itself doesn't get replaced, though--you can't see the visa stamps on a chip or mag stripe.

      --
      Il n'y a pas de Planet B.
    2. Re:Make SSN a national ID card by Jane+Q.+Public · · Score: 1

      Just add your photo to your SSN card, put it on a credit card like plastic with either a magnetic strip, a QR code or smart card interface, and viola! You have yourself a national ID card. This can even substitute a passport, with entries made every time you leave or enter the country.

      Just no.

      When Social Security was being debated, and presented to the American public, they were promised -- PROMISED -- that it would never be used as a national ID card.

      Because the people back then understood what a bad idea national ID cards are in the United States.

      Many years later, they made an exception. For what? Finance companies.

      You might be interested to know that other than for credit, it is still illegal for companies to use your SSN as identification in your files, if you ask them not to.

    3. Re:Make SSN a national ID card by Jane+Q.+Public · · Score: 1

      This sounds a lot like my national ID card as well as my permanent resident visa card.

      The EU is not the United States.

    4. Re:Make SSN a national ID card by unixisc · · Score: 1

      What's even worse is the idea of using Driver Licenses - that's why you have the problem in some border states of proposals of wanting to issue DLs to illegals so that they don't compound the crime of being here illegally with doing hit and runs, since any discovery would require their instant deportation. But I digress.

      Right now, that ship has sailed - social security is already used as identification, but since it doesn't have a photograph, one is required to show a passport or a driving license in addition to the social security card (which is still required if you're say, applying for a job, which will need it sooner or later for doing your I9 forms.) This is annoying. Just make the changes I suggested above - nobody's asking the US to be EU - and use only the social security card for official ID purposes. Get rid of the practice of requiring DLs for that, and even for passports, have them electronically linked so that one's whereabouts, if one is travelling abroad, is known. (Yeah, yeah, I hear all the screams of 'Snowden, NSA, privacy, blah blah blah, but like it or not, as Scott McNealy once noted, privacy is dead)

      Conservatives don't like national ID cards because of a mistrust of big government. Liberals don't like them for similar reasons. However, fact remains that in today's world, like it or not, they are needed. Put it all in ONE place, and let other things be restricted to their domains - like one's driving record tied only to one's DL (unless any manslaughter cases are involved).

    5. Re:Make SSN a national ID card by unixisc · · Score: 1

      I sort of hope the passport itself doesn't get replaced, though--you can't see the visa stamps on a chip or mag stripe.

      Part of what I suggested above is that they scan the card, which would give them your name, ID number (SSN# for the US), and then you'd by scanning the tickets enter the date they're leaving/entering the continent/country and their source/destinations. All that goes into an online record, which any police official in any country can run up if that person goes on to later blow up a dock in Oakland, or lands up in Syria in ISIS rags and is shown on TV beheading some Infidels.

  7. Ok so Who made it? by Stan92057 · · Score: 1

    Ok so Who made it? No I didn't read the article my eyes hurt.

    --
    Jack of all trades,master of none
  8. Medicare needs a separate number. by Ungrounded+Lightning · · Score: 1

    We have the same thing here in the US, but good luck getting a new SSN if it gets compromised.

    What bugs me is I've been refusing to give out my SS# to any operation that didn't have a federal mandate to get it for decades - since at LEAST the '80s.

    Then I aged into eligibility for medicare - and other health insurers insist that, since I'm eligible, they'll only pay the difference between my coverage with them and what Medicare pays (which is most of the bill), even if I don't collect from Medicare. Not collecting from Medicare would be a financial disaster.

    But Medicare's I.D. is the social security number with a single letter appended to it. Every clerk at every doctor's office, clinic, hospital, pharmacy, etc. that I interact with gets my SS#. Ever such operation's database has my SS#. I went to Costco for a flu shot, so now Costco has my SS#. Every store's database is a chance for a cracker to collect it. Every clerk is a chance for some crook to tempt them and buy it.

    There was recently an article wringing its hands over the discovery that people over 65 have a higher incidence of identity theft. Well DUH!

    The solution would be fore Medicare to assign a separate medicare number for making claims and otherwise interacting with them - something randomly picked (not algorithmically generated from the SS#, which would return to the current case as soon as the algorithm leaked), and only paired with the SS# (if at all) in a database in the relevant government department.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  9. North Korea moves South by ITRambo · · Score: 1

    5 million more stolen ID's and the entire population of North Korea can apply for South Korean benefits.

  10. Just copy the Belgian one by houghi · · Score: 1

    The Belgium part is free (as in both speech and beer). It is a chip that is on the ID that everyybody has to have (when older than 12 years).
    Sources are available for developers for Windows, Mac and Linux.

    Readers can be bought easily. Store or bank needs your ID? They just read the card. No mistyping it anymore.
    The content on it is:
    Name, Given name, Plave and date of birth, Gender, National Number, Nationality, Titel, Special status, Address.
    Card number issue place, chip number,m valid from-until
    It has a pin number, so you can use it to sign over the Internet.

    The only downside, I think, is that not more online companies in Belgium use it. This is because now the burden is with the customer.
    They need to type things in.

    I will NOT prevent abuse. It will make things just a lot easier for all. And with verification online it will be cheked if the card is stolen and if it was not tamperd with.

    And again, this stuff is open source.

    --
    Don't fight for your country, if your country does not fight for you.
  11. What Platform .. by lippydude · · Score: 1

    What Operating System Platform did this id-system run on?