Korean public certificates are preventing international shoppers from making payments, hindering Korean shopping malls from expanding overseas. Here’s what’s wrong with them and how to improve them.
“Many Chinese viewers of recent Korean dramas have accessed Korean shopping malls to buy clothes, fashion accessories, and other items, but have been unable to make purchases because of the authorization certificate required for payment. The authorization certificate, which is only required in Korea, has become an obstacle for Korean shopping malls to expand overseas.”
The controversy over public certificates is not new. The hurdles to authorization when paying by credit card are unusually high compared to other countries, and they effectively shut out shoppers from overseas, and even the 1.5 million foreigners living in Korea. Introduced in 1999, the public certificate has served as a cyber ID card and seal for over 24 years, but it is out of step with a world that emphasizes global standards, and civil society organizations have long called it an unreasonable regulation, not least because of the frequent personal information leaks. Let’s look at what a public certificate is, what is wrong with it, and what needs to change.
A public certificate is simply an electronic seal. Korea has a unique system in which seals are officially registered with government agencies, as if to say, “This is a seal that I recognize.” The public certificate applies this seal system to the Internet: it is a technology that lets the user authenticate a transaction online with the public certificate, as if to say, “This transaction was conducted by me.” Korea leads the world in mandating the use of public certificates, and the Electronic Financial Supervision Regulation (Article 4 of the Enforcement Regulation) states that public certificates must be used for payments over KRW 300,000. The Financial Services Commission can order a business suspension of up to six months for financial companies or e-finance companies that do not comply with the regulations on the use of public certificates. Why does the law require the use of public certificates if they cause so many problems and so much inconvenience to users?
Web browsers did not gain the encryption capabilities we take for granted today until the early 90s. SSL, a technology invented by Netscape, became the standard for encrypted transmission, but U.S. government policy at the time limited its strength, so it could not support internet banking. Without adequate encryption, it was far too easy for attackers to intercept banking or e-commerce data on the web. The government’s answer was the public certificate: a technology invented to make internet banking and e-commerce work in the harsh environment of the early internet.
The only reason that public certificates have survived so far, despite the inconvenience they caused in the early days when browsers lacked encryption capabilities, is that they were the government’s standard for security. This government policy has not only left South Korea’s security technology behind over the past decade or so, but has also prevented many excellent internet companies from entering the global market and seriously threatened the safety of electronic financial transactions. While advanced security technologies are constantly evolving, South Korea is still stuck in the shackles of 15 years ago. Even the crypto policy guidelines developed by security experts from member countries of the Organization for Economic Cooperation and Development (OECD) state that “the development and provision of cryptographic techniques should be determined by the market in an open and competitive environment. Only then can it keep up with the pace of technological change and respond in a timely manner to user demand and the evolution of attack methods against information and communication network security.” In the face of this reality, the Korea Internet & Security Agency, the Financial Supervisory Service Commission, and authorized certification companies have insisted on public certificates, claiming various institutional and technical advantages of public certificates. Let’s take a look at whether their claims are true.
The government says that, unlike foreign banks, which do not make real-time transfers, Korea needs a strong security measure in the form of a public certificate because it does. Anyone who has ever made a real-time transfer online or on a cell phone can attest to how convenient it is. You don’t have to go to a bank or a distant ATM; you can transfer money from your desk, or even on the subway. But are these real-time transfers only possible because of the public certificate? The short answer is no. There is a simple reason why foreign banks don’t offer real-time bank transfers: there is no need for them when services like PayPal and Google Wallet are so well established and popular. In fact, Google Wallet makes sending money as easy as sending an email to a friend. While these technologies and services have evolved, South Korea has been stuck with an outdated public certificate technology.
The Korea Internet & Security Agency says that there is no other technology as secure as public certificates. However, a public certificate system is simply a combination of a certificate file and a password. According to the Electronic Authentication Guideline (SP 800-63-1) published by the US National Institute of Standards and Technology, certificates that are stored in a file and used through software, such as public certificates, rate only Level 3, while OTP generators with a lock rate Level 4, a superior class of authentication technology. In fact, public certificates are very vulnerable to copying. Anyone who has ever tried to copy a certificate file to a USB stick or smartphone has had to go through a rather complicated process. For USB you have to enter a password, and for a smartphone you have to go to the bank’s website to verify it. But would you believe me if I told you that none of that is necessary? Copying a public certificate is actually incredibly simple. All public certificates are stored in C:\Program Files\NPKI. All you need to do is copy this file and paste it into the folder on your USB stick or phone where you want the certificate, and you’re done. The complicated process of installing multiple keyboard security programs and entering verification codes, social security numbers, and passwords to move the certificate was a show to convince the public that public certificates are secure.
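To make the file-plus-password point concrete, here is an added example (not code from the article or from any certificate vendor) that builds a throwaway software certificate store in a temp directory, copies the key file byte for byte to a second “USB” folder, and signs from both. It assumes the `cryptography` library; the store layout (a `NPKI` folder with a `signPri.key` file) and the PKCS#8/AES encryption are stand-ins, not the real NPKI file format. The verifier cannot tell the copies apart, which is why a software-stored key must be treated as fully compromised the moment the file leaves the machine, and why the only thing that remains between an attacker and the key is the password.

```python
import os
import shutil
import tempfile
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

PASSWORD = b"correct horse"   # constructed sample password
KEY_FILE = "signPri.key"      # file name assumed for this demo store


def create_soft_credential(store_dir: str) -> None:
    """Write a password-encrypted private key into a folder, the shape of a software
    certificate store. PKCS#8 with the library's default cipher is a stand-in
    (assumption: the real store's cipher and layout are not reproduced here)."""
    os.makedirs(store_dir, exist_ok=True)
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    with open(os.path.join(store_dir, KEY_FILE), "wb") as f:
        f.write(key.private_bytes(serialization.Encoding.DER,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.BestAvailableEncryption(PASSWORD)))


def sign_from_store(store_dir: str, password: bytes, message: bytes):
    """Unlock the key file with the given password and sign; None if the password is wrong."""
    with open(os.path.join(store_dir, KEY_FILE), "rb") as f:
        try:
            key = serialization.load_der_private_key(f.read(), password)
        except (ValueError, TypeError):
            return None   # wrong password: the only gate a copied file has
    return key.sign(message, padding.PKCS1v15(), hashes.SHA256())


def verifies(store_dir: str, message: bytes, signature) -> bool:
    """Verify against the public half of the key held in store_dir (what a bank would check)."""
    if signature is None:
        return False
    with open(os.path.join(store_dir, KEY_FILE), "rb") as f:
        pub = serialization.load_der_private_key(f.read(), PASSWORD).public_key()
    try:
        pub.verify(signature, message, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def clone_experiment() -> dict:
    """Copy the key file to a second folder and sign from both; the verifier sees no difference."""
    root = tempfile.mkdtemp()
    pc, usb = os.path.join(root, "pc", "NPKI"), os.path.join(root, "usb", "NPKI")
    create_soft_credential(pc)
    os.makedirs(usb)
    shutil.copyfile(os.path.join(pc, KEY_FILE), os.path.join(usb, KEY_FILE))  # the whole credential
    msg = b"constructed transaction: 1 item, 300000 KRW"
    return {"original_signs": verifies(pc, msg, sign_from_store(pc, PASSWORD, msg)),
            "clone_signs": verifies(pc, msg, sign_from_store(usb, PASSWORD, msg)),
            "wrong_password": verifies(pc, msg, sign_from_store(usb, b"guess", msg))}
```

`clone_experiment()` returns `original_signs` and `clone_signs` both true and `wrong_password` false: possession of the file is never checked, only knowledge of the password.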
The security programs that users are required to install in order to use public certificates are no better. If you have ever made a bank transfer online, you have probably seen a number of security programs running. These programs stop working as soon as you leave the financial institution’s site. The malware that attackers write is not as simple as you might think, and protecting the keyboard only while you type your password is not enough. This means that any computer infected with malware is at risk of having its passwords stolen, regardless of whether the security programs are running or not. That’s not the only problem. A public certificate can be reissued online by anyone who knows your security card number, account number, and account password. They don’t even need to know the certificate’s password, because the person reissuing the certificate sets it. Many of the most prevalent voice phishing scams are designed to obtain exactly the information needed to reissue a public certificate.
So why do we continue to use these problematic certificates? Government agencies keep pushing them because they have no viable alternative and they fear confusion. The solution is simpler than you might think: we need to let go of the idea that the government must provide a technical alternative. The recent high-profile breaches are proof that the government’s misguided security policies have lowered the level of security in South Korea. Reliable security technologies are already in use around the world, and the industry should be given the autonomy to choose among them. In return, the industry should be strictly supervised to ensure that it compensates customers for any incidents that occur, as the law requires. With this oversight, the financial industry will naturally invest in its own security technologies, and consumers will no longer have to suffer the same inconvenience.
I’m not advocating for the abolition of public certificates. Financial organizations that don’t want to pay for new security technologies can continue to maintain their own certificates and use them as they do today. However, there is no reason to force organizations that don’t want to use them to do so. With these different security technologies coexisting, consumers will be able to choose the bank they feel most comfortable with. It’s time for the government to move away from outdated ideas and give the industry the freedom to develop security technologies that live up to the image of an ‘IT powerhouse’.