by gred 1262 days ago
Very interesting read. I'm looking forward to the details in the followups (1/9, 1/23, 3/6). However, I'm surprised that there are no KR banks who build their reputation on their technical acuity and who have eliminated (or avoided) reliance on these types of applications. The markets I'm familiar with tend to have a few banks who have a reputation for good websites, good apps, etc. Or perhaps that bit of context was omitted, and these types of banks do exist in KR?

Note for the author: small typo at "requires outmost care".


Disclaimer: I am the author of this article.

I think that this issue is really universal across all banks in Korea. I was told (but couldn’t confirm) that this is a liability question. Supposedly, there was a court ruling that held a bank liable for a customer’s losses due to lack of security precautions. So now all of them implement “security precautions” to avoid liability.

Thank you for the hint, I fixed the typo. Not being a native speaker, I had to ask a search engine what I did wrong in this sentence. :-)

> Supposedly, there was a court ruling that held a bank liable for a customer’s losses due to lack of security precautions.

You already wrote as much in the article, but (AFAIK) the reality is even worse: there were court rulings that exonerated banks, as long as they followed the standard "security practices." Some hacker from China could access the bank's website from a suspicious IP, drain all the money from a poor guy's account, but the bank has zero obligation to do anything as long as it mandated that all users install half a dozen security plugins all the time.

> security plugins

A contradiction in terms of epic proportions.

Thanks for the writeup.

Do you think getting out of this mess could be as simple as government regulation: banking (and government and other necessary websites) are not allowed to require installation of plugins or other software to log in.

That’s in fact what I suggest in my blog post. But I am pretty certain that it is far from simple. I’m told that the previous Korean government already tried to tackle this issue and failed. It’s a huge and complicated mess.

My information here may be outdated, but when I was in Seoul for a while, it wasn't limited to just banking apps; many services had similar requirements for specific plugins, even requiring Internet Explorer 11 and a bunch of plugins for that.

I remember trying to get tickets for an event, and it was not possible within MacOS at the time due to the various Windows only requirements. I remember even having to re-download another version of Windows 7 as Tiny7 had various Windows Services removed that for some reason the plugins/apps relied on.

My cynical guess is that the plugins/apps include user data/telemetry that the companies get a cut for, but of course this is just supposition. It's entirely possible it's just some liability thing that has become entrenched in Korean IT, who knows.

But the practice was everywhere.

Well... Over a decade ago Korea was known as the land of IE and ActiveX. It was a weird place at the time.

Yes, I’ve seen references to online gaming that also required these “security applications.” In this case it was likely to aid tracking users and to prevent cheating.

aside: I think the year on the dates is wrong :)

Ah, yes. Fixed. :-/

Are there any US banks that are actually secure? AFAIK they're all using SMS 2FA or worse.

Schwab has hardware security tokens for the asking. I have one. Similar to the six-digit RSA tokens I used at work (but without the RSA token bug from some years ago). It is my understanding they also support software tokens. I'm a happy customer.

https://www.schwab.com/help/two-factor-authentication

They do support software tokens - I use that method - but it’s a bit of a pain[1] if you want to use a TOTP program other than Symantec :(

1: https://news.ycombinator.com/item?id=28231146

The credit union I use does have SMS 2FA as an option, but has other options via Entrust. Specifically there's a "soft token" that's a phone app which implements their own brand of not-TOTP, and a "hard token" that's a fob that generates their own brand of not-TOTPs.

What operations does it require the OTPs for? Generally anyone can do an ACH withdrawal from your account and the bank won’t ask you about it until afterwards. This is dealt with by other legal frameworks, but you could certainly call it insecure even if they need 4 factors to let you see your account balance.

Just logging in.

I wouldn't say that American digital banking is that bad at this point.

SMS 2FA is pretty robust, as biometrics on the phones reduce the number of SMSes sent.

In Germany most banks don't do this anymore for security reasons.

I can't say about most, but my N26 DE account requires SMS authentication as well.