Why is the Korean public key certificate acting as a stumbling block to overseas shopping mall payments?

In this blog post, we take a closer look at why the Korean public key certificate system makes it difficult for overseas consumers to make payments and the limitations of e-commerce as a result.


“Many Chinese viewers who have recently watched Korean dramas have tried to access Korean shopping malls to buy clothes, fashion accessories, etc. but have failed to make purchases because of the public key certificate required for payment. The public key certificate, which is required only in Korea, is becoming an obstacle to the overseas expansion of domestic shopping malls.”
The controversy over the public key certificate is not a new issue. The hurdle of public key certification when making credit card payments is unusually high compared to other countries, and it effectively blocks payments not only from the 1.5 million foreigners living in Korea but also from overseas shoppers. Introduced in 1999, the certificate has served as a cyber resident registration card and seal for over 24 years, but it is out of step with today's emphasis on global standards, and frequent personal information leaks have led to long-standing complaints from various civic groups about this unreasonable regulation. Let's take a look at what public certificates are, what problems they have, and how they should be changed.
A public key certificate is, in simple terms, an electronic seal. Korea has a unique system of seals that are officially registered through government agencies, declaring "this seal is the one I recognize as mine." A public key certificate applies this seal system to the Internet: it is a technology that certifies that a transaction approved by a user with a public certificate is a transaction that the user actually conducted. Korea stands out among the world's countries in requiring the use of public certificates, and the Electronic Financial Supervision Regulations (Article 4 of the Enforcement Regulations) stipulate that a public certificate must be used for payments of 300,000 won or more. The Financial Services Commission can order financial companies or electronic financial service providers that do not comply with the regulations on the use of public certificates to suspend their business for up to six months. Why does the law require the use of public certificates, which cause so many problems and add to the inconvenience of users?
Even as recently as the early 1990s, web browsers did not have the strong encryption capabilities that today's browsers have. The SSL technology developed by Netscape was hailed as the standard for encrypted transmission, but because of US government policy the level of encryption available was insufficient for implementing Internet banking. On a web that lacked encryption capabilities, it was easy for attackers to intercept data in transit when Internet banking or e-commerce was implemented. In this situation, the answer proposed by the government was the public certificate: a technology devised to enable Internet banking and e-commerce in the early days of a poor Internet environment.
The public certificate, which caused a great deal of inconvenience in the early days when browsers lacked encryption capabilities, has survived to this day because it was the security standard set by the government. This government policy has not only left South Korea's security technology behind for the past decade, but has also blocked many excellent Internet companies from entering the global market and has seriously threatened the safety of electronic financial transactions. While advanced security technologies are constantly evolving, South Korea is still bound by the shackles of 15 years ago. The Guidelines on Cryptographic Policies prepared by security experts from the member countries of the Organisation for Economic Co-operation and Development (OECD) also state that "the development and provision of cryptographic techniques should be determined through the market in an open and competitive environment. This will enable us to keep up with the pace of technological change and respond in a timely manner to changes in user demand and the evolution of attack techniques for information and communication network security." Despite this, the Korea Internet & Security Agency, the Financial Supervisory Service, and the public certification authorities have insisted on public certificates, citing various institutional and technical advantages. Let's take a look at whether the advantages they claim are true.
The government says that, unlike foreign banks where real-time transfers are not possible, Korea requires a strong security measure such as the public certificate precisely because real-time transfers are possible. Anyone who has ever made a real-time transfer via the Internet or a mobile phone has experienced firsthand how convenient this system is. You can make an account transfer from your desk without going to a distant bank or ATM, or even from inside a subway car. So, is this real-time transfer possible thanks to the public certificate? The answer is no. The reason foreign banks do not offer real-time account transfer services is simple: services such as PayPal and Google Wallet are so well developed and popular that there is no reason to offer them. In fact, Google Wallet lets you send money as easily as sending an email to a friend. While technology and services were developing in this way, Korea remained bound to the old public certification technology.
The Korea Internet & Security Agency says that there is no technology as secure as public certification. However, the public key certificate system is simply a combination of a certificate file and a password. According to the Electronic Authentication Guideline (SP 800-63-1) published by the National Institute of Standards and Technology, certificates stored as files and used through software, as public key certificates are, are rated only at level 3, while OTP generators with a lock are rated at level 4, which is superior. In fact, the public key certificate has a structure that is very vulnerable to copying. Anyone who has tried copying a certificate file to a USB drive or smartphone has probably had to go through a rather complicated process: even moving it to a USB drive requires entering a password, and moving it to a smartphone requires the cumbersome process of visiting the bank's website and authenticating yourself. But would you believe that all these steps are unnecessary? In fact, copying a public key certificate is incredibly simple. All public key certificates are stored in C:\Program Files\NPKI. Copy that folder and paste it into the USB drive or the internal folder of the phone where you want the certificate, and it can be used right away. The elaborate procedure that used to be required before a certificate could be moved, installing multiple keyboard-security programs and entering authentication codes, resident registration numbers, and passwords, was merely a show put on to make people believe that the public key certificate is a secure system.
The situation with the security programs that must be installed to use a public key certificate is not much different. If you try to transfer money online, you will see numerous security programs running, and these programs stop working as soon as you leave the financial institution's website. Malware written by attackers is not as simple as we think, so it is not safe merely because keyboard security is activated while you enter a password. In other words, if a computer is infected with malware, there is a risk of the password being leaked regardless of whether the security programs are running. Nor is the problem limited to this. Anyone can reissue a public certificate online simply by knowing the user's security card number, account number, and account password. The certificate password is set by the person reissuing it, so there is no need to know the original. Many of the recent, extremely rampant cases of "voice phishing" are in fact aimed at obtaining the information needed to reissue a user's public certificate.
Then why do we continue to use the problematic public key certificate? Government agencies force the use of public key certificates because they believe there is no alternative and they are concerned about the confusion that would result from abandoning them. The solution is simpler than you might think: we just need to drop the idea that the government should come up with a technological alternative. The large-scale information leaks that have occurred almost daily in recent years prove that the government's poor security policies have lowered the level of security in Korea. There are security technologies already being used reliably around the world, and the industry should be given the autonomy to choose among them. In return, the industry should be strictly supervised to ensure that it compensates for any accidents that occur in accordance with the law. With such supervision, the financial industry will naturally invest in security technologies on its own, and consumers will no longer have to endure the inconveniences they currently face.
This is not a call to abolish public certificates. The financial industry, which finds the cost of introducing new security technologies burdensome, can continue to use public certificates as it does now, maintaining and repairing them at its own expense. However, there is no reason to force public certificates on companies that do not want them. With various security technologies coexisting, consumers will be able to choose the bank they find convenient. It is time for the government to move away from outdated ideas and give the industry freedom in security technology. We hope that security technologies befitting the image of an "IT powerhouse" will soon be commercialized.


About the author

EuroCreon

I collect, refine, and share content that sparks curiosity and supports meaningful learning. My goal is to create a space where ideas flow freely and everyone feels encouraged to grow. Let’s continue to learn, share, and enjoy the process – together.