South Korean ID System To Be Rebuilt From Scratch After Massive Leaks

AmiMoJo writes: South Korea's national identity card system may need a complete overhaul following huge data thefts dating back to 2004. The government is considering issuing new ID numbers to every citizen over age 17, costing billions of dollars. The ID numbers and personal details of an estimated 80% of the country's 50 million people have been stolen from banks and other targets. Some 20 million people, including President Park Geun-hye, have been victims of a data theft. Citizens are unable to change their credentials, which are used in many different sectors, making them an attractive target for hackers.

Re:20 million out of 50 million stolen?

[mlts]

We have the same thing here in the US, but good luck getting a new SSN if it gets compromised.

But the ID shouldn't have to be secret

[Lorens]

Granted it's not good if the IDs are easy to guess, nor if the list of IDs+names gets out, but as long as you're not using the ID to authenticate people, only to identify them, it shouldn't be a terrible problem. Think ID=username, not password. What they say about the credentials seems a bit more worrying, but we'd need a lot more info here . . .

Re:20 million out of 50 million stolen?

Let South Korea be an object lesson in why we should not be using the Social Security Number as a unique ID here in the States.

As a security measure, services available via Internet in South Korea require registration using the KSSN. Naturally, they were hilariously easy to steal because of this. In fact most gamers these days who want to play in the South Korean sandbox have access to South Korean KSSN generators because the issuing algorithm was cracked almost as soon as it was created.

Identification != Authentication

In Switzerland the equivalent of a Social Security Number (AHV-Nummer) is pretty much public knowledge.
E.g mine is 114.77.233.114, and I'm posting as AC!! There is even an online tool to calculate the number from birthday, name and gender.
And we don't have more problems with identity theft than the rest of the world.
The difference is for authentication for important stuff we have to show up in person with an ID and a real human checks the identity.

Re:Identification != Authentication

[IamTheRealMike]

The difference is for authentication for important stuff we have to show up in person with an ID and a real human checks the identity.

For some things you can also use a SuisseID which is just a regular PKI smartcard USB dongle thingy. I have one. After installing the software, you can log in to some Swiss websites by just clicking the login button in the web page. You might have to enter a password and the dongle then signs the SSL session. It's all standards based and the certificate in the hardware is based on your legally verified identity, i.e. you show a passport at the post office and get your personalised stick through the mail a few days later.

Re:20 million out of 50 million stolen?

[Reason58]

National identifaction is perfectly fine. The problem is when it is also used as the national authentication.

Re:20 million out of 50 million stolen?

[Reason58]

Identification even.

Re:20 million out of 50 million stolen?

[TubeSteak]

The hardest part of getting a new SSN is gathering up originals/certified copies of the documents you need to support your application.
http://www.consumer.ftc.gov/articles/0248-do-you-need-new-social-security-number

Applying for a New Number or Replacement Card

The SSA may assign a new Social Security number to you if you are being harassed, abused, or are in grave danger when using the original number, or if you can prove that someone has stolen your number and is using it. You must provide evidence that the number is being misused, and that the misuse is causing you significant continuing harm.

Please don't spread misinformation.