South Korean ID System To Be Rebuilt From Scratch After Massive Leaks

AmiMoJo writes: South Korea's national identity card system may need a complete overhaul following huge data thefts dating back to 2004. The government is considering issuing new ID numbers to every citizen over age 17, costing billions of dollars. The ID numbers and personal details of an estimated 80% of the country's 50 million people have been stolen from banks and other targets. Some 20 million people, including President Park Geun-hye, have been victims of a data theft. Citizens are unable to change their credentials, which are used in many different sectors, making them an attractive target for hackers.

20 million out of 50 million stolen?

[Spy Handler]

Is that really true? How can 40% of your entire country's population have their identities stolen and still have a functioning economy? Man those Koreans are really tough.

Didn't RTFA but I wonder if their reliance on IE6 and ActiveX had anything to do with this...

Re:20 million out of 50 million stolen?

[mlts]

We have the same thing here in the US, but good luck getting a new SSN if it gets compromised.

Re:

[Jane Q. Public]

We have the same thing here in the US, but good luck getting a new SSN if it gets compromised.

That is a perfect illustration of why any kind of "National" ID system is a bad idea: it's a bill-board-sized, high-value target.

There are other reasons, too, but that one alone is sufficient.

Re:20 million out of 50 million stolen?

[Reason58]

National identifaction is perfectly fine. The problem is when it is also used as the national authentication.

Re:20 million out of 50 million stolen?

[Reason58]

Identification even.

Re:

[Anonymous Coward]

> National identifaction is perfectly fine. The problem is when it is also used as the national authentication.

No, it isn't just a problem with authentication. A single ID becomes a handle to track people across all databases So ANY data leak becomes something that the thieves can cross-reference and use elsewhere.

Here's a really simplistic example - if you carry auto insurance the liability levels on your policy give a good indication of how much wealth you have (because liability coverage is about pr

Re:

[arglebargle_xiv]

Here's a really simplistic example - if you carry auto insurance the liability levels on your policy give a good indication of how much wealth you have (because liability coverage is about protecting your assets not anyone else).

You don't even need to go to the insurance companies, in Russia you just buy the registration database and then target people who have Mercedes and BMWs.

(I'm not being facetious, this is how the criminals actually do it).

Make SSN a national ID card

[unixisc]

Just add your photo to your SSN card, put it on a credit card like plastic with either a magnetic strip, a QR code or smart card interface, and viola! You have yourself a national ID card. This can even substitute a passport, with entries made every time you leave or enter the country.

Re:

[Zontar The Mindless]

This sounds a lot like my national ID card as well as my permanent resident visa card.

The latter constitutes proof that I'm a legal resident of the EU and is all I need to travel to most if not all EU/Schengen countries (maybe not the UK, I've not bothered to check). Forgot my passport when going on a trip to Budapest for a holiday this summer, and the security and airline folks where perfectly happy to let me fly in both directions without it, since I had the ID and visa cards. I no longer bother taking my

Re:

[Jane Q. Public]

This sounds a lot like my national ID card as well as my permanent resident visa card.

The EU is not the United States.

Re:

[unixisc]

I sort of hope the passport itself doesn't get replaced, though--you can't see the visa stamps on a chip or mag stripe.

Part of what I suggested above is that they scan the card, which would give them your name, ID number (SSN# for the US), and then you'd by scanning the tickets enter the date they're leaving/entering the continent/country and their source/destinations. All that goes into an online record, which any police official in any country can run up if that person goes on to later blow up a dock in Oakland, or lands up in Syria in ISIS rags and is shown on TV beheading some Infidels.

Re:

[Jane Q. Public]

Just add your photo to your SSN card, put it on a credit card like plastic with either a magnetic strip, a QR code or smart card interface, and viola! You have yourself a national ID card. This can even substitute a passport, with entries made every time you leave or enter the country.

Just no.

When Social Security was being debated, and presented to the American public, they were promised -- PROMISED -- that it would never be used as a national ID card.

Because the people back then understood what a bad idea national ID cards are in the United States.

Many years later, they made an exception. For what? Finance companies.

You might be interested to know that other than for credit, it is still illegal for companies to use your SSN as identification in your files, if you ask them no

Re:

[unixisc]

What's even worse is the idea of using Driver Licenses - that's why you have the problem in some border states of proposals of wanting to issue DLs to illegals so that they don't compound the crime of being here illegally with doing hit and runs, since any discovery would require their instant deportation. But I digress.

Right now, that ship has sailed - social security is already used as identification, but since it doesn't have a photograph, one is required to show a passport or a driving license in add

Re:

[mlts]

Going on a limb here, why not replace the national ID system with a bunch of decentralized CAs that sign certificates with a piece of data. For example, a user would have some cryptographic token. This could be a smartphone, a card, a USB keyfob, a SIM card, or something similar.

Then, the state would add a signed entry with the person's name and photo to the key as a certificate. The actual public key is not affected. It just gets a cert attached that can be deleted by the user just like a PGP/gpg cert.

Re:

[unixisc]

So one would still have a unique ID for identification and authentication, but entities that have that same thing would only have access to particular pieces of information? How exactly would that be implemented? I thought something like a smart card with an interface to a database that has various pieces of information, of which only some are easily obtained (say age) vs having to get a warrant for some others.

Re:

[mlts]

The certificates would be carried with the cryptographic token. If more info is needed, the old fashioned way of hitting queries is always still there.

The goal is to give people/companies just the info they need to be compliant... and nothing more.

Re:20 million out of 50 million stolen?

[TubeSteak]

The hardest part of getting a new SSN is gathering up originals/certified copies of the documents you need to support your application.
http://www.consumer.ftc.gov/articles/0248-do-you-need-new-social-security-number [ftc.gov]

Applying for a New Number or Replacement Card

The SSA may assign a new Social Security number to you if you are being harassed, abused, or are in grave danger when using the original number, or if you can prove that someone has stolen your number and is using it. You must provide evidence that the number is being misused, and that the misuse is causing you significant continuing harm.

Please don't spread misinformation.

Medicare needs a separate number.

[Ungrounded Lightning]

We have the same thing here in the US, but good luck getting a new SSN if it gets compromised.

What bugs me is I've been refusing to give out my SS# to any operation that didn't have a federal mandate to get it for decades - since at LEAST the '80s.

Then I aged into eligibility for medicare - and other health insurers insist that, since I'm eligible, they'll only pay the difference between my coverage with them and what Medicare pays (which is most of the bill), even if I don't collect from Medicare. Not col

Re:

[Anonymous Coward]

Let South Korea be an object lesson in why we should not be using the Social Security Number as a unique ID here in the States.

As a security measure, services available via Internet in South Korea require registration using the KSSN. Naturally, they were hilariously easy to steal because of this. In fact most gamers these days who want to play in the South Korean sandbox have access to South Korean KSSN generators because the issuing algorithm was cracked almost as soon as it was created.

Re:

[Zontar The Mindless]

Let South Korea be an object lesson in why we should not make an ActiveX "security" applet a nationwide requirement for online financial transactions.

TFTFY.

Re:

[AqD]

It's just list of ID: Name. What's secret about that? There is no harm in publishing these and anyone could have obtained yours if they actually attempt it.

You could print it on your clothes for ease of identification!

But the ID shouldn't have to be secret

[Lorens]

Granted it's not good if the IDs are easy to guess, nor if the list of IDs+names gets out, but as long as you're not using the ID to authenticate people, only to identify them, it shouldn't be a terrible problem. Think ID=username, not password. What they say about the credentials seems a bit more worrying, but we'd need a lot more info here . . .

Re:

[Koby77]

A similar thing happens in the USA. It's not especially difficult to ID someone based on their Social Security Number and home address. The problem occurs when a lender foolishly extends credit to anyone based on that criteria alone. Rarely do they recover the money (although it does create quite a headache for the actual person). Most USA lending institutions do a much more thorough ID check nowadays. I would imagine that a bank or other business in South Korea would be smart not to exclusively use a Kore

Re:

[rtb61]

So the real problem is not identity theft at all, the real problem is vendors failing to properly identify the person, allowing a fraudulent transaction to occur and then pursuing the wrong person.

Easy way to solve the problem, charge the vendor with fraud with they make a false claim against person when then vendor can not prove a fraudulent transaction was made against them.

It should never ever be a innocent parties fault who had not part in the transaction, they should not need to prove anything. Fi

Re:

[dgatwood]

So the real problem is not identity theft at all, the real problem is vendors failing to properly identify the person, allowing a fraudulent transaction to occur and then pursuing the wrong person.

Exactly what I've been saying for years. There's no such thing as identity theft. You can't steal an identity, by definition, because an identity is who you are, not some arbitrary piece of information used to represent you. An SSN is an identifier, not an identity. (This is not precisely correct in the crypto

Re:

[Kjella]

Except authentication is usually not username+password or digital signature, it's identification+official paper saying you're that person. Everywhere your use your passport, driver's license or any other photo ID you're relying on three things:

1) The difficulty of acquiring the information to be on the card
2) The difficulty of forging the card
3) The difficulty of fooling the issuers into producing a fake card

The last one is often a sneaky one, enough ID info and you might trick one of them into believing yo

AnusPooPoo

[Hognoxious]

The ID details of an average Korean: $25
The ID details of a high ranking politician: $17,000

BritHatingShitcock linking to the BBC: Priceless.

Identification != Authentication

[Anonymous Coward]

In Switzerland the equivalent of a Social Security Number (AHV-Nummer) is pretty much public knowledge.
E.g mine is 114.77.233.114, and I'm posting as AC!! There is even an online tool [gamedays.ch] to calculate the number from birthday, name and gender.
And we don't have more problems with identity theft than the rest of the world.
The difference is for authentication for important stuff we have to show up in person with an ID and a real human checks the identity.

Re:

[sconeu]

If it's derived from name/birthdate/gender, what happens if you have two men named "Johann Schmidt" who were born on the same date?

Re:

[ColaMan]

It's pretty simple. One of them has to find and kill the other.

There can be only one.

Re:

[Anonymous Coward]

Showing up in person? How inconvenient. One should be able to get multiple lines of credit over the phone just by knowing a few names and a couple numbers.

Re:Identification != Authentication

[IamTheRealMike]

The difference is for authentication for important stuff we have to show up in person with an ID and a real human checks the identity.

For some things you can also use a SuisseID which is just a regular PKI smartcard USB dongle thingy. I have one. After installing the software, you can log in to some Swiss websites by just clicking the login button in the web page. You might have to enter a password and the dongle then signs the SSL session. It's all standards based and the certificate in the hardware is based on your legally verified identity, i.e. you show a passport at the post office and get your personalised stick through the mail a few days later.

Re:

[Zontar The Mindless]

Yes, it's the same here in Sweden.

No, I'm not going to post mine. :)

Back into the tarpit

[david_thornley]

Okay, so South Korea's going to issue new ID numbers to people. What is that going to accomplish? The current ones appear to do plenty well for identification; it's only a problem if they're going to use a number that people can't change and which they have to share with a lot of other people as authentication. In other words, if they're not plain stupid about it. It's like my Social Security number: I got it as a child, and I can't change it, and at the very minimum every employer and financial insti

Rethink this ID process

[sithkhan]

The South Koreans need to learn that requiring individuals in society to proved identification to verify their identity is as racist as a Texan GOPer.

Bad verification system....

[mythosaz]

The system was easily breached.

To reset your password, you had to correctly answer your security question: "What is your last/family name?" You did only get three guesses though before being locked out though.

Ok so Who made it?

[Stan92057]

Ok so Who made it? No I didn't read the article my eyes hurt.

North Korea moves South

[ITRambo]

5 million more stolen ID's and the entire population of North Korea can apply for South Korean benefits.

Re:

[account_deleted]

Comment removed based on user account deletion

What Platform ..

[lippydude]

What Operating System Platform did this id-system run on?