South Korean Citizen IDs Vulnerable, Based On US Model
An anonymous reader writes: South Korea's Resident Registration Number (RRN) has been proven 'vulnerable to almost any adversary' by the 'Queen of re-identification', Harvard Professor Latanya Sweeney, who previously proved that 87 percent of all Americans could be uniquely identified using just their ZIP code, birthdate, and sex. Sweeney was able to decrypt personal information from the RRN numbers of 23,163 deceased Koreans with 100% success by two different methods of attack, and notes that the South Korean system is based on one currently in use in the U.S.
The American model of identification number is basically supposed to be a secret between you, your employer, your insurer, your financial institution, and the government. The reason for this is that this is what you use to sign up for things like bank accounts and credit cards - and there's nothing in place to stop someone who has your SSN from getting a bunch of credit cards in your name and maxing them out.
Korea is kind of weird in that they want their numbers to be secret, but have people use them for a lot of things. One of the most wide-scale cases of identity theft in South Korea for a long time (I don't know if it's the case as much today) was in MMORPGs, where they required people to sign up with a Korean identification number to play. There was actually a huge database of so-called "KSSNs" (Korean Social Security Numbers) that were used to do this. The reason for this, oddly enough, had to do with a breach in a game called Lineage 2 that required KSSNs for registration - after the breach, the Korean government mandated that all online games use KSSNs for signups. I've heard they also use them for social media stuff, but I've never seen that firsthand.
This.
Same system in Estonia. What the USA lacks for its SSN is proper authorisation. Estonia, for example, has state-issued smartcards with asymmetric cryptography keys generated on-die and then signed by a central certification center, so that at any time you can verify whether an ID is active, is not listed as stolen, etc. Software developed to work with the cards is open-sourced and available for Win, Lin, Mac under a BSD license and can be used to sign documents and encrypt documents for transit (public keys of all active IDs are stored on a central certification server, much like GPG keyservers). The number in itself is in no way valid identification; only a valid signature by the private key is accepted as proof of identity. And guess what - the identity theft problem is solved for the most part.
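To make the difference between the two models concrete, here is the check the comment above describes, written as an added example in Go's standard library (this is not the commenter's code, not Estonia's ID-card software, and not a description of the Estonian certificate profile). A certification centre issues an X.509 certificate for a key pair generated on the card, a relying party (bank, game server) verifies a signature over a fresh challenge, and the ID number printed on the card is only ever compared against the certified one, never accepted on its own. The names CertCentre, Card, VerifyIdentity, the ID number "CONSTRUCTED-0001" and the choice to carry the ID number in the subject's serialNumber attribute are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Failure modes a relying party distinguishes; only a nil result proves identity.
var (
	ErrUntrustedCert = errors.New("certificate does not chain to the certification centre")
	ErrIDMismatch    = errors.New("certified ID number differs from the claimed one")
	ErrRevoked       = errors.New("certificate revoked: reported stolen or no longer active")
	ErrBadSignature  = errors.New("signature over the challenge does not verify")
)

func must[T any](v T, err error) T { // setup (key generation, issuance) panics on failure to keep the example short
	if err != nil {
		panic(err)
	}
	return v
}
var serialLimit = new(big.Int).Lsh(big.NewInt(1), 127) // random serials, forced into [2^127, 2^128) below
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// template builds a certificate skeleton; the ID number goes into the subject's serialNumber attribute (an assumption of this example).
func template(cn, id string, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: new(big.Int).SetBit(must(rand.Int(rand.Reader, serialLimit)), 127, 1),
		Subject:      pkix.Name{CommonName: cn, SerialNumber: id},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}
}

// CertCentre is a constructed stand-in for the state certification centre; relying parties use only Roots and IsActive.
type CertCentre struct {
	key     *ecdsa.PrivateKey
	cert    *x509.Certificate
	Roots   *x509.CertPool
	revoked map[string]bool // certificate serial -> revoked (in-memory stand-in for a CRL/OCSP responder)
}

func NewCertCentre() *CertCentre {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := template("Constructed Certification Centre", "", 10)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &CertCentre{key: key, cert: cert, Roots: roots, revoked: map[string]bool{}}
}

// Issue binds a public key generated on the card to an ID number. The centre never sees the card's private key.
func (c *CertCentre) Issue(idNumber string, pub *ecdsa.PublicKey) []byte {
	tmpl := template("Citizen "+idNumber, idNumber, 5)
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return must(x509.CreateCertificate(rand.Reader, tmpl, c.cert, pub, c.key))
}

// Revoke marks a certificate stolen or inactive; IsActive answers relying parties' status queries.
func (c *CertCentre) Revoke(certDER []byte) {
	c.revoked[must(x509.ParseCertificate(certDER)).SerialNumber.String()] = true
}
func (c *CertCentre) IsActive(serial string) bool { return !c.revoked[serial] }

// Card models the smartcard: the key pair is generated on the card and only ever signs challenges.
type Card struct {
	key     *ecdsa.PrivateKey
	CertDER []byte
}
func NewCard(centre *CertCentre, idNumber string) *Card {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return &Card{key: key, CertDER: centre.Issue(idNumber, &key.PublicKey)}
}
func (card *Card) SignChallenge(nonce []byte) []byte { return must(ecdsa.SignASN1(rand.Reader, card.key, digest(nonce))) }

// VerifyIdentity is what a bank or game server runs. The claimed number alone proves nothing: the certificate must
// chain to the centre, carry that number, still be active, and its key must have signed this server's fresh nonce.
func VerifyIdentity(roots *x509.CertPool, isActive func(string) bool, claimedID string, certDER, nonce, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	}
	if err != nil {
		return ErrUntrustedCert
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	switch {
	case cert.Subject.SerialNumber != claimedID:
		return ErrIDMismatch
	case !isActive(cert.SerialNumber.String()):
		return ErrRevoked
	case !ok || !ecdsa.VerifyASN1(pub, digest(nonce), sig):
		return ErrBadSignature
	}
	return nil
}
```

The relying party must generate a new nonce for every session (for example 32 bytes from crypto/rand), otherwise a signature captured once can be replayed; and the order of checks matters: the chain is verified before any field of the certificate is trusted, so an attacker who knows the victim's number and has a certificate from some other issuer fails at ErrUntrustedCert rather than getting as far as the number comparison. In a real deployment the in-memory revoked map would be a CRL or OCSP query to the centre, which is the "is this ID active, is it listed as stolen" lookup the comment describes.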