back to article South Korea faces $1bn bill after hackers raid national ID database

The South Korean government is considering a complete overhaul of its national identity number computer system – after hackers comprehensively ransacked it and now hold the ID codes for as much as 80 per cent of the population. Each South Korean citizen is issued with a lifetime unique ID number. This number is used in all …

  1. Number6

    British Database

    Look at the bullet we dodged when the current government scrapped the biometric ID cards. An on-line database, accessible from a lot of places with poor control over the access terminals. What could possibly go wrong?

    Roll on the fall out when it happens to the US SSN database...

    1. channel extended

      Re: British Database

      As an american I would like to inform all that the SSN is NOT supposed to be used as an ID number. It does happen to be used as such somtimes, but there is no legal reason to do so. I have often refused to give my SSN and have been refused service about half of the time.

      Remenber do your part. Refuse info, and lie to officials, except under oath.;)

      1. Mark 85 Silver badge

        Re: British Database

        It's fine and well to refuse when dealing with companies. The problem is that if the government DB is hit, SS taxes, payments, and income taxes (and refunds), military pay and benefits, medicare/medicaid and probably more are all at risk. The tip of the iceberg has been broached with income tax refund fraud by those who can get the SSN.

        Edit:

        Disclaimer for pedants: yeah.. I've mixed my metaphors in the last sentence... deal with it.

        1. Yet Another Anonymous coward Silver badge

          Re: British Database

          The point is that if you do issue a single number to everyone and use it for everything you can't assume it's a secret. There is no problem with using SIN as a unique key as long as you don't also think you can use it as a secret key.

          It's like saying, hackers broke into a phone box and have obtained the names and phones numbers of everyone in the city listed in the phone book

      2. tom dial Silver badge

        Re: British Database

        The SSN, for practical purposes, is a national ID in the US. Despite the fact that its use as a primary account identifier has been illegal for nearly 40 years, it still is used extensively within the government and probably in the private sector as well, and retained an a good many files and databases where it has no legitimate purpose.

        In addition to SSN use in filing fraudulent federal income tax returns over the last several years, availability in the last year or so of a national Social Security self-service web site has occasioned fraudulent rerouting of SS payments. There almost certainly are other cases.

      3. John Smith 19 Gold badge
        Big Brother

        Re: British Database

        "As an american I would like to inform all that the SSN is NOT supposed to be used as an ID number."

        Correct citizen.

        That's what your driving license number is for.

        Report to MinLove for reeducation on this matter.

        1. Stevie Silver badge

          Re: That's what your driving license number is for

          And once again a non-American gets splashed with fail over the vexing Federal/State dichotomy. Sorry, Mr Smith, report to BuEd for mandatory Civics Indoctrination. ;oD

          The SSN is a federal government document, and so should be (but often isn't for quite legal reasons to do with system latency - aka paperwork delays) unique across the country.

          A driver's license is a state-issued document and hence is not only NOT guaranteed to be unique across the country, doesn't even have a nationally agreed format. Stick that in yer filesystem and grep it.

          Besides, here in New York a good half the population no longer bothers with what is increasingly seen as "a formality". Why apply for a driver's license if you know you're going to lose it anyway?

  2. Destroy All Monsters Silver badge
    Facepalm

    the Korean government made Redmond's software a requirement for online shopping and banking

    An arse in charge and the taxpayer and his monies are soon parted.

    I sure hope the Indjuns and Pajis have no Windows control on their non-PALed nukes...

  3. David Pollard

    Maybe when they've sorted this out ....

    ... they might be persuaded to come to the UK for a while to explain to the people responsible for the NHS how large databases can give rise to large problems.

  4. Anonymous Coward
    Anonymous Coward

    proof of identity

    Since when was knowing someone's ID number equivalent to proving that you were that person?

    1. Tom 35

      Re: proof of identity

      Since when would an ID Database have just the ID number?

    2. DropBear
      WTF?

      Re: proof of identity

      We have a similar scheme in Romania but that number isn't exactly a secret; you are expected to hand it out left right and centre for something as simple as buying something from a company that issues invoices. I'm not sure exactly how far one could abuse knowledge of that ID, but in situations that require actual identification one has to present an actual physical ID card with one's photo (yes, the number's on it) - if you assume ability to forge that card, knowing what to put onto it sort of becomes a mere trifle. What I'm saying is - it's not exactly something used to authenticate anyone...

      1. Dan 55 Silver badge

        Re: proof of identity

        Spain's got something similar. People have been known to forge ID cards with their own photo, apply for loans, and saddle the original person with the debt (credit history goes by ID number, see?).

        One number is for life, there's nothing you can do to change it.

        The latest ID cards are chipped, which is a horrific Java bodge-job which authenticates to government and bank websites and fails more often than it works. In fact it fails so much that most government websites also authenticate by other means (mobile text message, PIN via letter, filling-in known details, etc...) otherwise nothing would get done online.

        1. Bloakey1

          Re: proof of identity

          Likewise Portugal. Even Starbucks ask if you want to have it put on to your invoice so that you can claim expenses etc. It can be a real bastard when the cove behind the counter starts to mess about putting in the number.

          They are easy to get and forge.

  5. Christoph

    They should ask Nu Blu Labour's advice. They'll tell them that there's an easy fix for all their problems - a National ID Card!

  6. gerdesj Silver badge

    Classic error

    It's always a bad idea to make an index number mean something. An index should just be that and not hold data in it. Apart from anything else it limits possibilities. For example they have a field that is 1 or 0 for sex: that dichotomy is meaningless in some cases. The UK driver number is nearly as bad - it encodes your date of birth.

    @Christoph: a National ID? Have a closer look at your driver's license and tell me we don't already have one by proxy. If you don't have one then your passport will do the job instead (they are linked nowadays as well). If you don't have either then there are still plenty of other ways to identify you. Got a mobile phone? debit or credit card? Oooh: don't tell me you were born here - you have an NI number. So your NHS card will do the job.

    National ID card? Get a grip: we know who you are without some piece of plastic.

    Cheers

    Jon

    1. qwertyuiop
      WTF?

      Re: Classic error

      "Oooh: don't tell me you were born here - you have an NI number. So your NHS card will do the job"

      Could you explain the link between NI number and NHS number? They're different numbers issued by different organisations.

    2. Bloakey1

      Re: Classic error

      I don't know about that young fellow me lad. My names on different pieces of documentation are different depending on the language and interpretation that I use. All perfectly useless to authority but all totally valid.

      You can call yourself what you like.

  7. Henry Wertz 1 Gold badge

    Actually is illegal

    "It does happen to be used as such somtimes, but there is no legal reason to do so"

    In fact, the text of the social security act makes it *illegal* to require use of SSN for anything except social security purposes (tax forms count, so an employer can ask for it so they can fill out that W9, since your taxable income is the primary determinant of how much social security money is sucked out of your paycheck.) Companies aren't prohibited from *asking* for the SSN (or more often the last 4 digits) but it's illegal for their to be any consequence of saying "no".

    For example, when I worked at the cable co (as a temp), we were to ask for the last 4 digits of the ssn... if they weren't in the system, we'd put them in. If they *were* in the system, this was supposed to make sure the caller was really the caller. (I think for the very few accounts that went to collections*, I think it made it slightly easier for the collection co to ding their credit.) But, if the caller refused to supply them (and they weren't in the system), we were to just put "xxxx" or "----" and add an account note indicating refusal to supply SSN (the purpose of the note was so someone wouldn't think the previous rep was just in a hurry and didn't fill it in). At the customer's option, we could put "see notes" so it'd show on the account screen, and put some other passphrase or password into the notes.

    *This was EXTREMELY uncommon, the local cable co works with people pretty well so if they either got a crazy amount of pay-per-view, or lost some income (but had the deluxe cable package) or whatever, pay off the past-due amount over time rather than cutting them off and (when they then don't pay, since they've already had service cut off...) sending them to collections.

  8. codebeard

    Scrap the whole system

    Having travelled in Korea, I can't begin to say how annoying those resident ID numbers are. You can't open accounts on websites, can't get a SIM card for your phone, can't make online purchases, can't go to some internet cafes etc without one. And you can't get one unless you are a citizen or have a long term visa.

    In my home country you usually only need to give your name, email and address to buy something online or fill in a form. It's much better.

    1. tom dial Silver badge

      Re: Scrap the whole system

      And people whine about NSA's presumed tracking capabilities?

      1. John Smith 19 Gold badge
        Gimp

        "And people whine about NSA's presumed tracking capabilities?"

        Well South Korea's excuse justification is probably that it lives next door to one of the worlds most secretive and repressive regimes.

        Whereas the US lives next door to Canada and Mexico.

        So the question is what's their justification?*

        *Other than "because we can."

    2. Ilmarinen

      Re: Scrap the whole system

      Never been to Korea - but being required continualy to produce "your papers" or ID card is I think a sign that the Gov thinks it owns you.

  9. PeterM42
    Facepalm

    Reasons to NOT....

    ....have a National ID computer system - 1, 2 and 3

  10. Stevie Silver badge

    Bah!

    Any credential one has to divulge - credit card number, SSN, Spanish ID Code, whatever - is inherently insecure in and of itself. It's the USE of the credential that must be made as secure as possible, and for which fast procedures to detect and remedy misuse must be implemented.

    The problem is that most systems in use today were forked from originals that assumed the person presenting the credential would be present in person at the point of transaction. What is needed is a new model that assumes the opposite.

    No, I can't see a great way to do this other than two-step processes involving telephone calls or SMS messages, which fall afoul of the "lost phone" problem.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020