South Korea faces $1bn bill after hackers raid national ID database

The South Korean government is considering a complete overhaul of its national identity number computer system – after hackers comprehensively ransacked it and now hold the ID codes for as much as 80 per cent of the population. Each South Korean citizen is issued with a lifetime unique ID number. This number is used in all …

  1. Number6

    British Database

    Look at the bullet we dodged when the current government scrapped the biometric ID cards. An on-line database, accessible from a lot of places with poor control over the access terminals. What could possibly go wrong?

    Roll on the fall out when it happens to the US SSN database...

    1. channel extended

      Re: British Database

      As an American I would like to inform all that the SSN is NOT supposed to be used as an ID number. It does happen to be used as such sometimes, but there is no legal reason to do so. I have often refused to give my SSN and have been refused service about half of the time.

      Remember, do your part. Refuse info, and lie to officials, except under oath. ;)

      1. Mark 85 Silver badge

        Re: British Database

        It's fine and well to refuse when dealing with companies. The problem is that if the government DB is hit, SS taxes, payments, and income taxes (and refunds), military pay and benefits, medicare/medicaid and probably more are all at risk. The tip of the iceberg has been broached with income tax refund fraud by those who can get the SSN.

        Edit:

        Disclaimer for pedants: yeah.. I've mixed my metaphors in the last sentence... deal with it.

        1. Yet Another Anonymous coward Silver badge

          Re: British Database

          The point is that if you do issue a single number to everyone and use it for everything you can't assume it's a secret. There is no problem with using SIN as a unique key as long as you don't also think you can use it as a secret key.

          It's like saying, hackers broke into a phone box and have obtained the names and phone numbers of everyone in the city listed in the phone book

      2. tom dial Silver badge

        Re: British Database

        The SSN, for practical purposes, is a national ID in the US. Despite the fact that its use as a primary account identifier has been illegal for nearly 40 years, it still is used extensively within the government and probably in the private sector as well, and retained in a good many files and databases where it has no legitimate purpose.

        In addition to SSN use in filing fraudulent federal income tax returns over the last several years, availability in the last year or so of a national Social Security self-service web site has occasioned fraudulent rerouting of SS payments. There almost certainly are other cases.

      3. John Smith 19 Gold badge
        Big Brother

        Re: British Database

        "As an American I would like to inform all that the SSN is NOT supposed to be used as an ID number."

        Correct citizen.

        That's what your driving license number is for.

        Report to MinLove for reeducation on this matter.

        1. Stevie

          Re: That's what your driving license number is for

          And once again a non-American gets splashed with fail over the vexing Federal/State dichotomy. Sorry, Mr Smith, report to BuEd for mandatory Civics Indoctrination. ;oD

          The SSN is a federal government document, and so should be (but often isn't for quite legal reasons to do with system latency - aka paperwork delays) unique across the country.

          A driver's license is a state-issued document and hence is not only NOT guaranteed to be unique across the country, doesn't even have a nationally agreed format. Stick that in yer filesystem and grep it.

          Besides, here in New York a good half the population no longer bothers with what is increasingly seen as "a formality". Why apply for a driver's license if you know you're going to lose it anyway?

  2. Destroy All Monsters Silver badge
    Facepalm

    the Korean government made Redmond's software a requirement for online shopping and banking

    An arse in charge and the taxpayer and his monies are soon parted.

    I sure hope the Indjuns and Pajis have no Windows control on their non-PALed nukes...

  3. David Pollard

    Maybe when they've sorted this out ....

    ... they might be persuaded to come to the UK for a while to explain to the people responsible for the NHS how large databases can give rise to large problems.

  4. Anonymous Coward

    proof of identity

    Since when was knowing someone's ID number equivalent to proving that you were that person?

    1. Tom 35

      Re: proof of identity

      Since when would an ID Database have just the ID number?

    2. DropBear
      WTF?

      Re: proof of identity

      We have a similar scheme in Romania but that number isn't exactly a secret; you are expected to hand it out left right and centre for something as simple as buying something from a company that issues invoices. I'm not sure exactly how far one could abuse knowledge of that ID, but in situations that require actual identification one has to present an actual physical ID card with one's photo (yes, the number's on it) - if you assume ability to forge that card, knowing what to put onto it sort of becomes a mere trifle. What I'm saying is - it's not exactly something used to authenticate anyone...

      1. Dan 55 Silver badge

        Re: proof of identity

        Spain's got something similar. People have been known to forge ID cards with their own photo, apply for loans, and saddle the original person with the debt (credit history goes by ID number, see?).

        One number is for life, there's nothing you can do to change it.

        The latest ID cards are chipped, which is a horrific Java bodge-job which authenticates to government and bank websites and fails more often than it works. In fact it fails so much that most government websites also authenticate by other means (mobile text message, PIN via letter, filling-in known details, etc...) otherwise nothing would get done online.

        1. Bloakey1

          Re: proof of identity

          Likewise Portugal. Even Starbucks ask if you want to have it put on to your invoice so that you can claim expenses etc. It can be a real bastard when the cove behind the counter starts to mess about putting in the number.

          They are easy to get and forge.

  5. Christoph

    They should ask Nu Blu Labour's advice. They'll tell them that there's an easy fix for all their problems - a National ID Card!

  6. gerdesj Silver badge

    Classic error

    It's always a bad idea to make an index number mean something. An index should just be that and not hold data in it. Apart from anything else it limits possibilities. For example they have a field that is 1 or 0 for sex: that dichotomy is meaningless in some cases. The UK driver number is nearly as bad - it encodes your date of birth.

    @Christoph: a National ID? Have a closer look at your driver's license and tell me we don't already have one by proxy. If you don't have one then your passport will do the job instead (they are linked nowadays as well). If you don't have either then there are still plenty of other ways to identify you. Got a mobile phone? debit or credit card? Oooh: don't tell me you were born here - you have an NI number. So your NHS card will do the job.

    National ID card? Get a grip: we know who you are without some piece of plastic.

    Cheers

    Jon

    1. qwertyuiop
      WTF?

      Re: Classic error

      "Oooh: don't tell me you were born here - you have an NI number. So your NHS card will do the job"

      Could you explain the link between NI number and NHS number? They're different numbers issued by different organisations.

    2. Bloakey1

      Re: Classic error

      I don't know about that young fellow me lad. My names on different pieces of documentation are different depending on the language and interpretation that I use. All perfectly useless to authority but all totally valid.

      You can call yourself what you like.

  7. Henry Wertz 1 Gold badge

    Actually is illegal

    "It does happen to be used as such sometimes, but there is no legal reason to do so"

    In fact, the text of the social security act makes it *illegal* to require use of SSN for anything except social security purposes (tax forms count, so an employer can ask for it so they can fill out that W9, since your taxable income is the primary determinant of how much social security money is sucked out of your paycheck.) Companies aren't prohibited from *asking* for the SSN (or more often the last 4 digits) but it's illegal for there to be any consequence of saying "no".

    For example, when I worked at the cable co (as a temp), we were to ask for the last 4 digits of the ssn... if they weren't in the system, we'd put them in. If they *were* in the system, this was supposed to make sure the caller was really the caller. (I think for the very few accounts that went to collections*, I think it made it slightly easier for the collection co to ding their credit.) But, if the caller refused to supply them (and they weren't in the system), we were to just put "xxxx" or "----" and add an account note indicating refusal to supply SSN (the purpose of the note was so someone wouldn't think the previous rep was just in a hurry and didn't fill it in). At the customer's option, we could put "see notes" so it'd show on the account screen, and put some other passphrase or password into the notes.

    *This was EXTREMELY uncommon, the local cable co works with people pretty well so if they either got a crazy amount of pay-per-view, or lost some income (but had the deluxe cable package) or whatever, pay off the past-due amount over time rather than cutting them off and (when they then don't pay, since they've already had service cut off...) sending them to collections.

  8. codebeard

    Scrap the whole system

    Having travelled in Korea, I can't begin to say how annoying those resident ID numbers are. You can't open accounts on websites, can't get a SIM card for your phone, can't make online purchases, can't go to some internet cafes etc without one. And you can't get one unless you are a citizen or have a long term visa.

    In my home country you usually only need to give your name, email and address to buy something online or fill in a form. It's much better.

    1. tom dial Silver badge

      Re: Scrap the whole system

      And people whine about NSA's presumed tracking capabilities?

      1. John Smith 19 Gold badge
        Gimp

        "And people whine about NSA's presumed tracking capabilities?"

        Well South Korea's excuse justification is probably that it lives next door to one of the world's most secretive and repressive regimes.

        Whereas the US lives next door to Canada and Mexico.

        So the question is what's their justification?*

        *Other than "because we can."

    2. Ilmarinen

      Re: Scrap the whole system

      Never been to Korea - but being required continually to produce "your papers" or ID card is I think a sign that the Gov thinks it owns you.

  9. PeterM42
    Facepalm

    Reasons to NOT....

    ....have a National ID computer system - 1, 2 and 3

  10. Stevie

    Bah!

    Any credential one has to divulge - credit card number, SSN, Spanish ID Code, whatever - is inherently insecure in and of itself. It's the USE of the credential that must be made as secure as possible, and for which fast procedures to detect and remedy misuse must be implemented.

    The problem is that most systems in use today were forked from originals that assumed the person presenting the credential would be present in person at the point of transaction. What is needed is a new model that assumes the opposite.

    No, I can't see a great way to do this other than two-step processes involving telephone calls or SMS messages, which fall afoul of the "lost phone" problem.
