South Korean Citizen IDs Vulnerable, Based On US Model 57
An anonymous reader writes: South Korea's Resident Registration Number (RRN) has been proven 'vulnerable to almost any adversary' by the 'Queen of re-identification', Harvard Professor Latanya Sweeney, who previously proved that 87 percent of all Americans could be uniquely identified using just their ZIP code, birthdate, and sex. Sweeney was able to decrypt personal information from the RRN numbers of 23,163 deceased Koreans with 100% success by two different methods of attack, and notes that the South Korean system is based on one currently in use in the U.S.
What's so secret about those numbers? (Score:2, Interesting)
I'm only familiar with the Swedish model, which uses a ten-digit number starting with the person's birth date in the form YYMMDD, then three serial digits and a checksum. The key is that it's not designed to be secret at all; you're supposed to use it everywhere and for everything. It's just an ID number; simply knowing it does not entail authentication or authorization.
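The check digit the comment mentions is the Luhn (modulus 10) check over the nine digits YYMMDDNNN, computable by anyone from the rest of the number. The Go program below is an added example, not code from the original thread: it computes and validates that check digit and shows that it catches a mistyped or transposed digit, which is all it is for. A valid check digit says nothing about who is presenting the number, so a relying party must never treat "the number validates" as identity verification. The sample number 811218-9876 is a constructed test value chosen for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// luhnCheckDigit returns the Luhn check digit for a string of decimal digits.
// Swedish personal numbers apply it to the nine digits YYMMDDNNN: every digit
// at an odd 1-based position is doubled (digit sums of two-digit results are
// taken), the rest are added as-is, and the check digit completes a multiple of 10.
func luhnCheckDigit(digits string) (int, error) {
	sum := 0
	for i := 0; i < len(digits); i++ {
		c := digits[i]
		if c < '0' || c > '9' {
			return 0, fmt.Errorf("non-digit %q at position %d", c, i)
		}
		d := int(c - '0')
		if i%2 == 0 { // 0-based even index == 1-based odd position
			d *= 2
			if d > 9 {
				d -= 9 // same as summing the two digits of d
			}
		}
		sum += d
	}
	return (10 - sum%10) % 10, nil
}

// normalize drops the optional separator ("-" or "+" for people over 100).
func normalize(pnr string) string {
	return strings.NewReplacer("-", "", "+", "").Replace(strings.TrimSpace(pnr))
}

// validPersonnummer reports whether a ten-digit number carries the correct
// check digit. It is an integrity check for typos, not an authentication step.
func validPersonnummer(pnr string) bool {
	n := normalize(pnr)
	if len(n) != 10 {
		return false
	}
	want, err := luhnCheckDigit(n[:9])
	if err != nil {
		return false
	}
	return int(n[9]-'0') == want
}

// birthDate pulls out the public YYMMDD part; it is the same for everyone
// born that day, which is why the number carries so little entropy.
func birthDate(pnr string) string {
	n := normalize(pnr)
	if len(n) != 10 {
		return ""
	}
	return n[:6]
}

func main() {
	for _, s := range []string{
		"811218-9876", // constructed sample, check digit correct
		"811218-9866", // one digit mistyped
		"811218-9786", // two adjacent digits transposed
	} {
		fmt.Printf("%s born %s valid=%v\n", s, birthDate(s), validPersonnummer(s))
	}
}
```

Running it prints valid=true only for the first number; the other two are rejected because the recomputed check digit differs. The takeaway for anyone building a sign-up form is that this check belongs in input validation, while proof of identity has to come from something the number cannot give, such as a signature with a key only the holder controls.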
Re:What's so secret about those numbers? (Score:5, Informative)
The American model of identification number is basically supposed to be a secret between you, your employer, your insurer, your financial institution, and the government. The reason for this is that this is what you use to sign up for things like bank accounts and credit cards - and there's nothing in place to stop someone who has your SSN from getting a bunch of credit cards in your name and maxing them out.
Korea is kind of weird in that they want their numbers to be secret, but have people use them for a lot of things. One of the most wide-scale cases of identity theft in South Korea for a long time (I don't know if it's the case as much today) was in MMORPGs, where they required people to sign up with a Korean identification number to play. There was actually a huge database of so-called "KSSNs" (Korean Social Security Number) that were used to do this. The reason for this, oddly enough, had to do with a breach in a game called Lineage 2 that required KSSNs for registration - after the breach, the Korean government mandated that all online games use KSSNs for signups. I've heard they also use them for social media stuff but I've never seen that firsthand.
Re: (Score:3)
a secret between you, your employer, your insurer, your financial institution, and the government.
And that's precisely why in today's world, such a system is broken by default.
It's fine for identification, but we should stop screwing around with a simple 10-digit number as a means of authentication. Rather, as citizens, we should be given a tamper-resistant USB hardware dongle that contains a completely secret private key (which literally NO ONE knows - a completely random 256-bit number generated at manufacturing) with a read-only API to decrypt messages created with the public key. The government t
Re:What's so secret about those numbers? (Score:4, Funny)
Any thoughts on why this might not work?
Because it will be interpreted as the Mark of the Beast [wikipedia.org] prophesied in the Book of Revelations. If you still think your plan could work, then please write to CNBC and convince the moderator to ask about your scheme during the next Republican debate on Oct 28th.
Re: (Score:1)
Many ostensibly crazy ideas in religious texts were basically just PSAs (public service announcements) in disguise.
It was more difficult in the past to control things like trichinosis in pork, so don't eat pork. God says so. If you want kosher food, you boil your utensils. Why? Not because of knowledge of bacteria, but because God says so. Originators of such scripts observed what works, and they knew that the masses are extremely *stupid* people that can't be reasoned with. So "God says so" is unfortunatel
Re: (Score:2)
If I know your ID number I can then steal your USB dongle and be you? Or kill you and then "100%" prove I _am_ you?
I suppose a PIN could be added to protect against simple theft, with a security flag set if too many wrong guesses are detected. There's no real technical solution if someone is willing to murder you for your identity. I recommend a 12 gauge shotgun instead.
How much are these devices?
I've seen similar devices like the Yubikey for $25 to $50. I'd bet they could be mass produced for about $10 to $15 each at the numbers required to distribute them to the entire population of a country.
What if I don't have a computer or internet connection - say I'm traveling in a backwater like USA instead of SK :D
Har, har. ;-) Keep in mind this is for security
Re: What's so secret about those numbers? (Score:2)
Just FYI Estonia has such a system in place - Our national id card is a smartcard with a private key infrastructure. You too can use it via Estonian e-residency program.
Re: (Score:2)
Thank you, that's interesting to know. I guess it's perhaps not such an outlandish idea after all. Probably the biggest hurdle in getting a system like this would be inertia, and for the US government (well, probably any government), that can be pretty substantial. Well, probably once the rest of the world does something like that, we'll probably implement something similar after a decade or two. That's just how we seem to roll here in the US of A, I guess - incredibly high tech in some areas, but stupi
Re: What's so secret about those numbers? (Score:2)
Well, my first card with the validity period of 10 years is expiring soon, so one decade is already gone.
But anyway, check out https://e-estonia.com/e-reside... [e-estonia.com]
Re: (Score:2)
I'd add that some kind of two factor authentication would be a good idea, rather than relying on the key alone. Otherwise stealing the key means the thief gets everything.
I'm not sure we really want a secure government ID though. Seems like it would be open to abuse, especially if every institution using it had to query government controlled servers for the public key with each transaction.
Re: (Score:3)
"your employer, your insurer, your financial institution, and the government. " and for that reason also your operator, cable provider, random cc providers...
it's not a secret. shouldn't be treated like a secret. it's just an identifier. but oh well a nation that treats 40 year old paper as proof that you're some 40 year old dude..
Re: (Score:2)
It wasn't SUPPOSED to be used for the financial institutions.....they just borrowed the id because they were too lazy to create their own.
Re:What's so secret about those numbers? (Score:4, Insightful)
yeah it's there, so what? it's not a secret, it's not meant to be a secret. the documents detailing your health as you were born are supposed to be confidential, not the fact that you were born with a dick.
and there are countries that have citizens who have lived for generations there but don't have any id, number or even official citizenship to act as a citizen and without the usual human rights to boot.
I don't see what's so great about that.
having a unique to you social security number is handy. it doesn't need to be a secret, when you use it your id is verified by other means - just trusting a string of numbers that stays the SAME through your whole life and is given to countless officials staying secret is so fucking stupid to begin with that it's just a present for ID thieves.
and really, you don't even give it away that often(the ssn in nordic countries).
Re:What's so secret about those numbers? (Score:5, Informative)
This.
Same system in Estonia. What the USA lacks for their SSN is proper authorisation. Estonia, for example, has state-issued smartcards with asymmetric cryptography keys generated on-die and then signed by a central certification center, so that at any time you can verify whether an ID is active, is not listed as stolen, etc. Software developed to work with the cards is open-sourced and available for Win, Lin, Mac under a BSD license and can be used to sign documents and encrypt documents for transit (public keys of all active IDs are stored on a central certification server, much like GPG keyservers). The number in itself is in no way valid identification; only a valid signature by the private key is accepted as proof of identity. And guess what - identity theft problem solved in most part.
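The design this comment describes (key pair generated on the card, the public half certified by a central authority, revocation checkable, and the ID number itself accepted as nothing more than a label) can be shown end to end in a few dozen lines. The Go program below is an added example written for this page; it is not the Estonian ID software and uses Ed25519 from Go's standard library as a simplified stand-in for the card's real key type and X.509 certificates. The ID strings are constructed placeholders. The point it makes is the one in the comment: a relying party that knows only your ID number, or that holds its own card and knows your number, cannot pass the check, and a revoked ID is refused even with the genuine card.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate binds an ID number to a card's public key under the CA's signature.
// (Stand-in for an X.509 certificate; this field layout is the example's own.)
type Certificate struct {
	ID    string
	Pub   ed25519.PublicKey
	CASig []byte
}

// certPayload is what the CA signs: ID and key together, so neither can be
// swapped for another without invalidating the CA signature.
func certPayload(id string, pub ed25519.PublicKey) []byte {
	return append([]byte("cert:"+id+":"), pub...)
}

// CA models the central certification service: it signs card keys and
// answers "is this ID still active?" queries, much like a revocation list.
type CA struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey // distributed to every relying party
	revoked map[string]bool
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{priv: priv, Pub: pub, revoked: map[string]bool{}}, nil
}

func (ca *CA) Issue(id string, pub ed25519.PublicKey) Certificate {
	return Certificate{ID: id, Pub: pub, CASig: ed25519.Sign(ca.priv, certPayload(id, pub))}
}

func (ca *CA) Revoke(id string)      { ca.revoked[id] = true }
func (ca *CA) Active(id string) bool { return !ca.revoked[id] }

// Card models the smartcard: the key pair is generated on the card and the
// private half is never exported; only signatures leave the card.
type Card struct {
	priv ed25519.PrivateKey
	Cert Certificate
}

func Enroll(ca *CA, id string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // "on-die" generation
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, Cert: ca.Issue(id, pub)}, nil
}

// Respond signs the relying party's fresh challenge.
func (c *Card) Respond(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// NewChallenge returns a random nonce so a captured response cannot be replayed.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// Verify is the relying party's check. The ID number is never proof by itself:
// the certificate must carry a valid CA signature, the ID must be active, and
// the challenge must be signed by the certified key.
func Verify(ca *CA, cert Certificate, challenge, sig []byte) error {
	if len(cert.Pub) != ed25519.PublicKeySize || len(cert.CASig) != ed25519.SignatureSize {
		return errors.New("malformed certificate") // ed25519.Verify panics on a bad key size
	}
	if !ed25519.Verify(ca.Pub, certPayload(cert.ID, cert.Pub), cert.CASig) {
		return errors.New("certificate not signed by the CA")
	}
	if !ca.Active(cert.ID) {
		return errors.New("ID is revoked or inactive")
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(cert.Pub, challenge, sig) {
		return errors.New("challenge signature invalid")
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	holder, _ := Enroll(ca, "example-id-0001") // constructed placeholder IDs
	other, _ := Enroll(ca, "example-id-0002")
	ch, _ := NewChallenge()
	fmt.Println("genuine card:", Verify(ca, holder.Cert, ch, holder.Respond(ch)))
	// Someone who knows the holder's ID number and has their own card: the CA
	// signature binds key to ID, so relabelling a certificate fails.
	relabel := Certificate{ID: holder.Cert.ID, Pub: other.Cert.Pub, CASig: other.Cert.CASig}
	fmt.Println("known ID, other key:", Verify(ca, relabel, ch, other.Respond(ch)))
	ca.Revoke(holder.Cert.ID)
	fmt.Println("after revocation:", Verify(ca, holder.Cert, ch, holder.Respond(ch)))
}
```

The first line prints `<nil>`; the second and third print the rejection reasons. Two details matter in practice and are easy to drop: the challenge must be fresh per transaction (otherwise a recorded response works again), and the active/revoked lookup has to happen at verification time, not once at enrolment, which is exactly what the comment's "at any time you can verify whether an ID is active" is about.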
Re: (Score:2)
sorry about your redundant mod, that was one of the best comments in the thread.
The USA doesn't want to fix identity theft, obviously.
Not just South Korea (Score:2)
Re: (Score:1)
This problem will be fixed once we just give in and get the number tattooed on our foreheads.
You know it's coming.
Re: (Score:1)
Well, let's just hope they do it fashionably. Can we at least pick the font?
Re: (Score:1)
Yes. You will be able to choose between Curlz and Giddyup.
Re: (Score:1)
For you, the number will be so long, they will have to graft a bunch of extra skin onto your forehead.
And they'll put a backup copy across your penis, balls and ass.
SSN are not secret (Score:3)
Re: (Score:3)
even if you don't tell me the first 5 digits, if I know your birthday and place of birth and the last 4 digits, I know all 9. It's a public algorithm.
Not true. My sister and I were born two years apart and in different states. Our SSNs were issued on the same day, and are identical except for the last digit. They just pulled the next two numbers off the list. There is no "algorithm".
Re: SSN are not secret (Score:2)
In the early 80s, an SSN became required to receive child tax deductions (I believe it was then, part of Reagan closing loopholes).
I suspect this is when you received your SSNs. I was born in '81, but have the SSN of someone born a few years later myself.
The algorithm exists, but it's not based on birth, it's based on registration.
Re: (Score:1)
The format of the South Korean SSN is YYMMDD-GGXXXX#, where Y, M and D are the birthdate, G is gender, X is something I don't really know well but some kind of number for the area your ancestor originated from or something, and # is a checksum digit. (Gender is two digits since 2000 or later, to differentiate from people born in 19XX, AFAIK.) So in short it is quite possible to guess most digits if you know a person's birthdate and gender. The checksum number is quite easy to calculate because it is simple arithmeti
Re: (Score:2)
Re: (Score:1)
Id numbers shouldn't be required to be secret (Score:1)
Can we give up now? (Score:2)
Are we still expecting to build a system that can't be hacked? I don't understand why anyone would think that possible.
We gave up on that hundreds of years ago for so many things -- think the lock on your front door, next to the glass window; or your car, with the slim-jim. You can walk up to anyone on the street, and just stab them to death with a kitchen knife. You can drive your car onto the sidewalk and kill a dozen people in mere seconds.
I think it's high time we stop wasting so much time and money
Not used for SSN in the US (Score:2)
This system is NOT used in the US for social security numbers; it's a private vendor that uses it... the /. summary is misleading.
Nobody reads the articles anymore so...here is the quote.