Disclaimer. I am Korean and currently live in Korea. Online banking in Korea is very poor, so even though I code on Linux and macOS, I use Windows for internet banking.
As in many other countries, banking in Korea is a state-regulated industry. However, Korea's regulatory system rules down to the smallest detail.
For example, in the Digital Signature Act (전자서명법), a provision that allowed only digital certificates in the form of files called authorized certificates (공인인증서) to be used for certification was added in 1999. (It was revised only in 2020.) As a result, most banking was accessible only using IE and ActiveX. Now that ActiveX cannot be used, various software is installed using separate installation files.
Korea's financial regulators are strict, but Korean politicians and media are paternalistic, so if there's a problem with finance, most of them try to side with financial consumers. For example, the issue of password leakage due to a keylogger installed on a user's PC is considered to be a bank problem, not a user problem. For this reason, banking websites require all kinds of security software, such as keylogger checking programs and firewalls. (This problem is gradually being mitigated.)
The problem with Korean security software is that the buyer of the security software (in this case, the bank) only requires that it meet the requirements of laws and regulatory authorities, so there is little room for improvement. Security software can be delivered only after CC certification (CC 인증) issued by the National Intelligence Service(국가정보원). By the way, the NIS is interested in which encryption algorithm is used (whether Korean algorithms such as SEED, ARIA, LEA, etc.), but it is not interested in whether Visual Studio Runtime is 2008 or 2019.
Also, financial institutions do not take cybersecurity issues seriously. For example, when I was in the security industry, a financial company asked for security software for ATMs running Windows XP SP2. Even at that time, Windows XP was EOL, and our security software was only supporting Windows XP SP3 or later. Significantly, the company suffered a cyber attack a few years ago that paralyzed its entire financial services for several days.
Most of the things I mentioned here refer to Korean-language materials, so giving references is somewhat limited.
this is a cautionary tale for people who hope that government regulation will solve the current computer security disaster outside korea
you cannot solve problems by giving authority to people who are motivated to solve them, but do not understand what the problem is, so that they can tell the people who do understand the problem what to do
anyone who has dealt with pci-dss presumably knows this but that is a much smaller group than all south koreans
think of that the next time someone contrasts bitcoin with the heavily regulated conventional banking system
It is worth mentioning that to make a bank transfer in Korea (used to[1]) require 3 factor authentication: the user's website password, the user's PIN, the user's encryption certificate signature/공인인증서, and two randomly selected codes from a paper numbers card (보안카드: https://file2.nocutnews.co.kr/newsroom/image/2013/07/02/2013...), which users are instructed to never copy or digitize.
Of all these solutions, the numbers card gives me the most peace of mind: even if my machine is fully compromised and all my passwords and certificates stolen, the attacker would likely need very long-term access (or access to the bank's server) to get all 35 numbers from the card. (If the attacker compromises the card by attacking the bank, I trust attackers will reveal themselves going after larger accounts). As long as I keep this piece of laminated plastic private and visit a bank branch to replace it every 17 to 35 transactions, I can have some peace of mind, at least regarding my bank account.
[1] There have since been efforts to streamline mobile payments, which I avoid because it leaves the phone as a single point for compromise.
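The reasoning in the comment above (an observer has to see many transfers before the whole card is known, so the card should be replaced after some number of uses) can be put into numbers. The following is an added example written for this thread, not any Korean bank's implementation: it models the bank side of the card challenge, tracks which cells have already been revealed, and gives both the closed-form expected exposure after N observed transfers and a simulation of how many transfers it takes until every cell has been asked for. The card size (35 cells) and two codes per transfer come from the comment; 4-digit codes, the random-cell selection and the helper names are assumptions.

```python
"""Paper security-card (보안카드) challenge/response and exposure tracking.

Added example for this thread, not any Korean bank's implementation.
Card size and codes-per-transfer come from the comment above; the 4-digit
codes, random cell selection and helper names are assumptions.
"""
import hmac
import math
import random
import secrets

CARD_CELLS = 35        # cells printed on the card (from the comment)
CODES_PER_TXN = 2      # cells the bank asks for per transfer (from the comment)


def make_card(cells: int = CARD_CELLS, digits: int = 4, rng=secrets.SystemRandom()) -> list:
    """Generate the printed codes; the CSPRNG is the default, a seeded RNG is for tests."""
    return [f"{rng.randrange(10 ** digits):0{digits}d}" for _ in range(cells)]


class CardVerifier:
    """Bank side: issues challenges and remembers which cells have been revealed."""

    def __init__(self, codes: list, rng=None):
        self.codes = codes
        self.rng = rng or secrets.SystemRandom()
        self.exposed = set()      # cells the customer has already typed in some session

    def challenge(self) -> list:
        """Pick two distinct cells at random (assumption: uniform selection)."""
        return sorted(self.rng.sample(range(len(self.codes)), CODES_PER_TXN))

    def verify(self, cells: list, answers: list) -> bool:
        if len(cells) != CODES_PER_TXN or len(set(cells)) != CODES_PER_TXN:
            return False
        ok = True
        for cell, answer in zip(cells, answers):
            ok &= hmac.compare_digest(self.codes[cell], answer)   # constant-time compare
        if ok:
            self.exposed.update(cells)   # a correct answer reveals those cells to any observer
        return ok

    def exposed_fraction(self) -> float:
        return len(self.exposed) / len(self.codes)


def expected_exposed_fraction(transactions: int, cells: int = CARD_CELLS,
                              k: int = CODES_PER_TXN) -> float:
    """Closed form: a given cell survives one transfer unrevealed with prob 1 - k/cells."""
    return 1.0 - (1.0 - k / cells) ** transactions


def transfers_until_exposure(fraction: float, cells: int = CARD_CELLS,
                             k: int = CODES_PER_TXN) -> int:
    """Smallest number of observed transfers after which expected exposure exceeds `fraction`.

    Useful for choosing a replacement cadence: e.g. replace before half the card is known.
    """
    return math.ceil(math.log(1.0 - fraction) / math.log(1.0 - k / cells))


def simulate_full_exposure(seed: int = 1) -> int:
    """Count transfers until every cell has been asked for (card fully revealed)."""
    rng = random.Random(seed)
    verifier = CardVerifier(make_card(rng=rng), rng=rng)
    customer = verifier.codes          # the customer reads answers off the physical card
    n = 0
    while verifier.exposed_fraction() < 1.0:
        cells = verifier.challenge()
        assert verifier.verify(cells, [customer[c] for c in cells])
        n += 1
    return n


def demo() -> tuple:
    """One correct and one wrong response; returns (accepted, rejected, cells exposed)."""
    rng = random.Random(7)                        # seeded only so the demo is repeatable
    v = CardVerifier(make_card(rng=rng), rng=rng)
    cells = v.challenge()
    good = v.verify(cells, [v.codes[c] for c in cells])
    wrong = [f"{(int(v.codes[c]) + 1) % 10_000:04d}" for c in cells]   # guaranteed different
    bad = v.verify(cells, wrong)
    return good, bad, len(v.exposed)


if __name__ == "__main__":
    print("after 17 transfers, expected exposure:", round(expected_exposed_fraction(17), 3))
    print("after 35 transfers, expected exposure:", round(expected_exposed_fraction(35), 3))
    print("transfers until half the card is known:", transfers_until_exposure(0.5))
    print("transfers until fully known (one simulated run):", simulate_full_exposure())
```

With uniform random selection, about 63% of the cells are expected to be revealed after 17 transfers and about 87% after 35, and the whole card is typically only revealed after well over 35 transfers; the closed form is what a defender would use to set the replacement interval rather than the number of cells divided by two.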
In the UK, the bank is also usually responsible for any unauthorised transfer, yet our banks are generally quite digitally enabled.
Some banks solve the transfer authorization issue using an external bit of hardware that you type the transaction details into and it gives you a signature OTP.
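As an added illustration of the transaction-signing device described above (example code written for this page, not any bank's or token vendor's implementation): the device computes a short code that is bound to the transaction details the user keys into it, so a code captured for one transfer does not validate a transfer with a different amount or destination, and a consumed counter prevents replay. The HMAC-based construction, the counter window and the sample account number are assumptions made for the demo.

```python
"""Transaction-bound OTP ("what you see is what you sign").

Added example for this thread, not a real bank's or vendor's protocol.
The key, counter window, account number and HMAC truncation scheme are
assumptions made for illustration; the truncation follows the HOTP idea.
"""
import hashlib
import hmac
import struct


def transaction_otp(key: bytes, counter: int, amount_cents: int,
                    dest_account: str, digits: int = 8) -> str:
    """Derive a short numeric code from the shared key AND the transaction.

    Because amount and destination are part of the MAC input, any change to
    them by malware in the browser yields a different code.
    """
    msg = struct.pack(">QQ", counter, amount_cents) + dest_account.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (HOTP-style)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class SigningDevice:
    """The offline token: the user keys in amount and destination by hand."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0          # advances per signature so codes are single-use

    def sign(self, amount_cents: int, dest_account: str) -> str:
        otp = transaction_otp(self.key, self.counter, amount_cents, dest_account)
        self.counter += 1
        return otp


class BankVerifier:
    """Bank side: recomputes the code from the transaction it is asked to execute."""

    def __init__(self, key: bytes, window: int = 3):
        self.key = key
        self.counter = 0          # next counter value the bank will accept
        self.window = window      # tolerate a few device presses that never reached the bank

    def verify(self, amount_cents: int, dest_account: str, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            expected = transaction_otp(self.key, c, amount_cents, dest_account)
            if hmac.compare_digest(expected, otp):
                self.counter = c + 1   # consume the counter: no replay
                return True
        return False


def demo() -> tuple:
    """Returns (legit accepted, tampered transfer accepted, replay accepted)."""
    key = b"constructed-shared-secret-for-demo"   # constructed; provisioned to both sides
    device, bank = SigningDevice(key), BankVerifier(key)

    amount, dest = 150_000_00, "110-123-456789"   # constructed sample transfer
    otp = device.sign(amount, dest)               # user types amount+dest into the token
    legit = bank.verify(amount, dest, otp)

    # Browser malware swaps destination and amount but can only send the code it saw.
    tampered = bank.verify(9_999_999_00, "999-000-111222", otp)

    # Replaying the already-consumed code for the original transfer also fails.
    replay = bank.verify(amount, dest, otp)
    return legit, tampered, replay


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The property worth noting is that the security of the transfer no longer depends on the PC: the token only ever sees what the user typed into it, so a compromised browser can alter the transfer it submits, but cannot produce a matching code.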
I work in Hong Kong, in the securities industry. We interact a lot with Korean laws, and all of APAC, and Korea is special in that they enjoy nonsensical rules that provide no protection to anyone except the politicians who came up with them and can argue they did do "something".
It's, I think, even worse than China's philosophy, because China is young and pretentious in capitalism, while Korea seems more dishonest and cowardly.
>Korea's financial regulators are strict, but Korean politicians and media are paternalistic, so if there's a problem with finance, most of them try to side with financial consumers. For example, the issue of password leakage due to a keylogger installed on a user's PC is considered to be a bank problem, not a user problem.
Isn't this also the case in the US? You're generally not liable for fraudulent transactions, as long as you took "reasonable" measures to prevent the fraud from happening. Given the technical ineptitude of the average person, banks/regulators will rarely blame the consumer.
Woah, I thought Indian banks blocking right clicks on their website as "security" measure was absurd.
You mentioned PC environments; what's up with mobile? Specifically with Android & iOS: do you have to install rootkits there too for online financial transactions?
For example, the issue of password leakage due to a keylogger installed on a user's PC is considered to be a bank problem, not a user problem.
In other words, they're authoritarians at heart. They want complete control over the environment and don't want users to have any personal responsibility.
> This prompted South Korea to develop their own cryptographic solutions.
I've had an opportunity to interact directly with Korean security culture in my time working for Samsung.
I am sure there exist more secure examples out there, but I saw some extremely bad practices like trivially-reversible password shuffling used throughout the entire org. Anyone with access to a certain manufacturing database and knowledge of a particular stored procedure could immediately reverse all passwords and typically use them to go sideways into other engineering/facility systems.
They always seemed substantially more interested in the theatrical aspects of security than focusing on any first principles. Lots of time was spent talking about reactionary crap like a fleet of hardware ARP sniffers installed throughout the network. Not a lot of time was spent talking about PBKDFs, system boundaries and determinism.
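The contrast drawn in the comment above, a reversible "shuffle" versus a real password-hashing function, as an added example written for this thread (the shuffle is a constructed stand-in for the kind of transform described, not Samsung's or anyone's actual stored procedure, and the iteration count is an illustrative work factor):

```python
"""Reversible password "shuffling" versus a real password-hashing function.

Added example for this thread; the shuffle below is a constructed stand-in
for the kind of reversible transform described in the comment, not anyone's
actual stored procedure. PBKDF2 is shown as the salted, slow alternative.
"""
import hashlib
import hmac
import secrets

# A fixed permutation of byte positions plus a fixed XOR mask: the stored value
# looks scrambled, but every bit of the password is still in it and the same
# password always produces the same stored value for every user.
_PERM = [3, 0, 7, 1, 5, 2, 6, 4]          # constructed; toy 8-byte block
_MASK = 0x2A


def shuffle_store(password: str) -> bytes:
    """What a 'shuffling' procedure writes to the database (toy, 8 bytes)."""
    data = password.encode("utf-8").ljust(8, b"\0")[:8]
    return bytes(data[i] ^ _MASK for i in _PERM)


def shuffle_recover(stored: bytes) -> str:
    """Anyone who knows the procedure inverts it: this is encoding, not hashing."""
    out = bytearray(8)
    for pos, src in enumerate(_PERM):
        out[src] = stored[pos] ^ _MASK
    return out.rstrip(b"\0").decode("utf-8")


PBKDF2_ITERATIONS = 600_000     # illustrative work factor; tune to the verifying hardware


def hash_store(password: str, salt: bytes = None) -> tuple:
    """Salted, iterated hash: stores (salt, derived key); the password is not recoverable."""
    salt = salt or secrets.token_bytes(16)      # per-user random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def hash_verify(password: str, salt: bytes, dk: bytes) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, dk)        # constant-time comparison


def demo() -> dict:
    pw = "Pa55w0rd"                     # constructed sample password
    stored = shuffle_store(pw)
    salt, dk = hash_store(pw)
    return {
        "shuffle_recovered": shuffle_recover(stored) == pw,   # True: fully reversible
        "pbkdf2_ok": hash_verify(pw, salt, dk),               # True: correct password
        "pbkdf2_wrong": hash_verify("Pa55w0rd!", salt, dk),   # False: wrong password
        "same_pw_same_shuffle": shuffle_store(pw) == stored,  # True: no salt, so linkable across users
        "same_pw_diff_hash": hash_store(pw)[1] != dk,         # True: per-user salt breaks linkage
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two properties the comment cares about fall straight out of the demo: a reversible transform lets anyone with the procedure recover every password, and without a per-user salt identical passwords are visible as identical stored values across the whole organisation, which is exactly what enables the lateral movement described.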
I was working at Mozilla in 2007 when I first brought this issue to the wider (i.e. beyond S. Korea) Internet. My post from then was widely covered by Slashdot and Boing Boing and other tech sites. S. Korea clearly doesn't care to 'fix' this because they've had more than enough time to do so.
Very interesting read. I'm looking forward to the details in the follow-ups (1/9, 1/23, 3/6). However, I'm surprised that there are no KR banks who build their reputation on their technical acuity and who have eliminated (or avoided) reliance on these types of applications. The markets I'm familiar with tend to have a few banks who have a reputation for good websites, good apps, etc. Or perhaps that bit of context was omitted, and these types of banks do exist in KR?
Note for the author: small typo at "requires outmost care".
I think that this issue is really universal across all banks in Korea. I was told (but couldn’t confirm) that this is a liability question. Supposedly, there was a court ruling that held a bank liable for a customer’s losses due to lack of security precautions. So now all of them implement “security precautions” to avoid liability.
Thank you for the hint, I fixed the typo. Not being a native speaker, I had to ask a search engine what I did wrong in this sentence. :-)
I live in Korea. In my experience pretty much everyone I know uses banking apps which you can do everything through, not online banking through a browser.
You would hope that these would be somewhat more secure as this may have required a 're-write' as the article suggested.
Though even with mobile apps you sometimes have to install some 3rd party 'anti-virus' software that probably amounts to spyware. But hey you can either lump it or leave it.
They do at least try to make you feel like it's secure. To set up mobile banking you need at least 3 different passwords and need to perform 2fa 3 times as well.
They have 'front end' security too, such as each time you enter a pass code the keyboard is in a different arrangement.
For threat actors that target Korean users their favorite software to exploit for initial access is HWP (Hangul Word Processor). It's MS Word for Korean users. If you are being sent official docs of any kind, chances are it is a .hwp file that needs the program. Banking and internet access affects consumers but HWP is used by more interesting espionage/sabotage targets.
I just looked up CVEs for it. I only see 2 in 2017. This is not a good thing: a complex word processor, even if it were rewritten in a memory-safe language, would have at least some low-level non-memory vulns in 6 years!
This mirrors the situation in China, likely for similar reasons.
To this day, I can only do online banking with Internet Explorer 11. When logging in, of course the password field doesn't permit pasting. I have a couple ActiveX controls and certs installed, but I've forgotten which ones so I'll just have to keep that old laptop around. The one bright spot is that large transactions do require a USB dongle.
At least one other website I've used (perhaps Alipay?) required you to install a browser plugin simply to be able to "securely" enter your PIN.
Rewinding back to 2014, the brand new government website for buying train tickets[0] didn't have an SSL cert signed by any of the trusted authorities. If you wanted to buy tickets securely, you needed to download a zip file (over http) that contained 1) a self-signed root cert, and 2) a Microsoft Word document explaining how to add this to your OS's trusted root cert store and how this is totally legit and secure.
Maybe 5 years ago, but now nobody uses web-based online banking any more in China. Most banks have decent mobile apps now, which have much better usability than the web-based ones. The IE situation is irrelevant now.
10 years ago for work we assessed a similar client side software solution (a "secure browsing" pile of ActiveX and C++) for protecting banking sites users.
Absolute steaming garbage.
Its "anti keylogging" functionality could be bypassed trivially, as could its various screen hijacking tricks designed to defeat some methods used by the banking trojans that were common at the time.
I see that snake oil industry lives on in Korea :/
Very excited to see the results of OP's work (the disclosures).
Large banks in the UK used to promote an application called Trusteer Rapport that secured the connection between the bank's server and the user's computer. It was not mandatory like the Korean apps, just strongly suggested. I can see that some banks still offer it.
This always bothered the hell out of me when interacting with Korean websites, especially online banking. I believe in addition to the factors that the article listed, there are several laws in place that mandate this chicanery, at least for banking.
I was just there for two weeks, and while I used my card a lot, I don't think there's anything I couldn't have done with cash. For that matter, I had no problem using my American bank, though obviously if I were being paid in Won that would be less of an option.
Yeah I found his problem in the first line of the article
> KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI).
The FSB is not equivalent to the FBI, it's the successor to the KGB. If it's equivalent to any other country's org, look to the Gestapo.
hunter2_ | 3 years ago
I wonder if the author should extend the 90-day disclosure window to account for this red tape.
black7375 | 3 years ago
- https://en.wikipedia.org/wiki/SEED
- https://en.wikipedia.org/wiki/ARIA_(cipher)
Of course, it's close to technology debt now.
gkanai | 3 years ago
https://archive.is/ermII
CNet back in 2007:
https://www.cnet.com/tech/tech-industry/about-south-koreas-d...
https://it.slashdot.org/story/07/01/26/1455224/why-south-kor...
varenc | 3 years ago
Some quick observations:
- That page intentionally disables right-click! Just by putting `oncontextmenu="return false"` on the <body> tag. This gives me flashbacks to the late 90s when this technique was used to make it harder for users to copy images or inspect HTML source. Browsers all have built in developer tools so pretty silly seeing it now.
- The JS included on that page is a mix of heavily obfuscated code[0] and completely unminified code with all the internal comments left in[1].
- I was impressed that the required software seems to support Fedora and Ubuntu/Debian as well as macOS and Windows.
- One of the installations is checked by making a JSON-P call (another old tech flashback!) to `https://lx.astxsvc.com:55921/ASTX2/hello?...`. This works because lx.astxsvc.com resolves to 127.0.0.1 so you're just hitting your localhost. Presumably the installed software checks the referer header to ensure only citibank is making these requests.
[0] https://www.citibank.co.kr/aB-IFIZu8Pd7Zd1yjboonwGx/uYfEz6Dp...
[1] https://www.citibank.co.kr/3rdParty/wizvera/veraport/install...
palant | 3 years ago
Did you notice the plain HTTP (no SSL) download URLs for the “security software”? If not, you are missing out!
flotzam | 3 years ago
https://privsec.dev/posts/android/banking-applications-compa...
Does it mean none are usable on a modern clean Android? Or is there a total Samsung monoculture? Something else?
badrabbit | 3 years ago
https://www.fireeye.com/content/dam/fireeye-www/global/en/bl...
physicles | 3 years ago
[0] https://www.techinasia.com/chinas-official-train-ticket-site...
ThePowerOfFuet | 3 years ago
Straight-up government malware right there.
Roark66 | 3 years ago
Once I saw this:
> This starts with a simple fact: some of these applications are written in the C programming language, not even C++.
I had to stop reading and come here to see if anyone else got annoyed by it. Seriously? "not even c++" are we still in 1990s?
Beltalowda | 3 years ago
I wouldn't be surprised if a lot of this was written in the 90s or early 00s originally, and then "minimally maintained" only when required.
rgmerk | 3 years ago
Are there any stats comparing levels of banking-related cybercrime in South Korea with other jurisdictions?
snvzz | 3 years ago
Note this is written by Norman Feske, who later went on to develop Genode[1], and continues to be its main developer today.
0. http://demo.tudos.org/nitpicker_tutorial.html
1. https://www.genode.org/
smsm42 | 3 years ago
Note to self: never move to Korea. Or at least never use Korean bank (can you survive on cash and Bitcoin?)
richbell | 3 years ago
https://krebsonsecurity.com/2021/06/adventures-in-contacting...
A lot of countries seemingly did not have access to American encryption technologies or did not trust them — arguably for good reasons[0] — which has lead to this hodge-podge of homegrown security.
[0] https://www.washingtonpost.com/graphics/2020/world/national-...