by r2vcap 1262 days ago
Disclaimer. I am Korean and currently live in Korea. Online banking in Korea is very poor, so even though I code on Linux and macOS, I use Windows for internet banking.

As in many other countries, banking in Korea is a state-regulated industry. However, Korea's regulatory system lays down rules to the smallest detail.

For example, in the Digital Signature Act (전자서명법), a provision that allows only digital certificates in the form of files called authorized certificates (공인인증서) to be used for certification was added in 1999. (The provision was revised only in 2020.) As a result, most banking was accessible only using IE and ActiveX. Now that ActiveX cannot be used, various software is installed using separate installation files.

Korea's financial regulators are strict, but Korean politicians and media are paternalistic, so if there's a problem with finance, most of them try to side with financial consumers. For example, the issue of password leakage due to a keylogger installed on a user's PC is considered to be a bank problem, not a user problem. For this reason, banking websites require all kinds of security software, such as keylogger checking programs and firewalls. (This problem is gradually being mitigated.)

The problem with Korean security software is that the buyer of the security software (in this case, the bank) only requires that it meet the requirements of laws and regulatory authorities, so there is little room for improvement. Security software can be delivered only after CC certification (CC 인증) issued by the National Intelligence Service (국가정보원). By the way, the NIS is interested in which encryption algorithm is used (whether Korean algorithms such as SEED, ARIA, LEA, etc.), but it is not interested in whether the Visual Studio Runtime is 2008 or 2019.

Also, financial institutions do not take cybersecurity issues seriously. For example, when I was in the security industry, a financial company asked for security software for ATMs running Windows XP SP2. Even at that time, Windows XP was EOL, and our security software was only supporting Windows XP SP3 or later. Significantly, the company suffered a cyber attack a few years ago that paralyzed its entire financial services for several days.

Most of the things I mentioned here refer to Korean-language materials, so giving references is somewhat limited.


this is a cautionary tale for people who hope that government regulation will solve the current computer security disaster outside korea

you cannot solve problems by giving authority to people who are motivated to solve them, but do not understand what the problem is, so that they can tell the people who do understand the problem what to do

anyone who has dealt with pci-dss presumably knows this but that is a much smaller group than all south koreans

think of that the next time someone contrasts bitcoin with the heavily regulated conventional banking system

Isn’t this an issue of mandating the means and not the ends?

If the regulations said banks had to be secure by ‘taking all due care’ and follow ‘best practices’ and such, this wouldn’t be such an issue. That gives room for improvements and for problematic standards to be weeded out over time.

It sounds like the government instead said banks had to be secure by using (for example) SSL 1.0 with a 64-bit key. Because they specified the exact how, that's what banks did. And when that how was broken the law wasn't changed, so banks still do the old thing.

And when the old thing (ActiveX) stopped working they invented new ways to do the old thing with local proxies. Because the law says they must and are safe if they do.

This is the danger of legislating an exact how. It may be the right thing sometimes, but it can also go sideways.

> This is the danger of legislating an exact how. It may be the right thing sometimes, but it can also go sideways.

> If the regulations said banks had to be secure by ‘taking all due care’ and follow ‘best practices’ and such, this wouldn’t be such an issue.

Legislating the outcome is even worse than legislating the means.

American medical care is regulated in the exact manner you describe - a doctor is required to follow the local standard of care, whatever that may be.

This means that every time anyone takes a precaution, it becomes part of the standard of care and must be taken in every case from now until the end of time. If you stop doing it, perhaps because on a cost-benefit analysis it has wildly negative benefits, you're not following the local standard of care and you're wide open to a malpractice suit.

Your preferred legal phrasing is a ratchet; the only outcome it can ever have is insanity.

Legislating outcomes can be even worse than that: https://www.theonion.com/proposed-bill-would-bring-4-000-tro...

that just leaves the courts to decide what the best practices are, and what due care is or isn't, which i think is actually what happened in south korea

that would be great if judges were hackers and legislators weren't, but that isn't the current situation

In court, you bring in experts (usually professors from reputable universities) to state best practices. Judges don't act as experts in a trial.

That is also how the legislative process works, and is likely how the Koreans got into this mess in the first place. Experts at the time identified IE6 and ActiveX as dominating the market and standardised on them^. If the web had converged on IE and ActiveX it wouldn't look as stupid as it does now. Back at the time it was arguably clever; it only looked ill-advised if you were a free-market thinker.

^ The cynic in me cheerfully suggests the experts were probably endorsed by Microsoft, at the time a colossus on the net and world's most successful web browser purveyor. Hard to get better pedigree experts. All recommending that people commit hard to Microsoft technologies.

this is an excellent point

i had not thought of this

judges decide who counts as experts, and doing that correctly requires expertise

this is why so many people get convicted on the basis of pseudoscience like lie detector tests and tracy harpster's 911 call analysis https://www.propublica.org/article/911-call-analysis-fbi-pol...

it would not be especially difficult to find a professor from a reputable university who would explain that using dynamically typed languages was malpractice, or that using the waterfall model was, or that using threads was, or that running the servers on microsoft windows was just fine, or that running virus scanners was useless, or that running virus scanners was essential and therefore it's malpractice to not run on an os that can run them, or that using crypto that had lost a nist competition was malpractice, or that unauthenticated rce security holes were unavoidable and the best you can do is to patch them quickly, or that you need to prove all your security-relevant code correct with coq or something before you ship it and therefore any security hole is malpractice, etc.

That's why both sides get experts.

Your reasoning is extremely reductive – I can't tell if you're just trying to win an argument here. You could say people will be misleading about anything. Your doctor, the police, the DMV clerk. At some point, you have to recognize you live in a society, and society is built on some level of trust and fairness.

This comment is hard to understand.

PCI-DSS is not a government body, nor is it legally mandated by the government. It's not the government.

clueless regulation is equally harmful regardless of how it's imposed

both governments and visa are in a position to impose it

Neither, this should not be an example/a cautionary tale against government regulation. This is an example of the wrong/invalid kind of regulation which other countries should not follow. We, SK, could not fix this problem because the private sector (companies who pursue their private interest against the public interest) that depends on the wrong/invalid regulation has lobbied and prevented several attempts to fix the regulation. So, this is not a problem of regulation or motivation or even knowledge; this is more of a problem of capitalism.

the clueless regulation is the problem, not capitalism

once you're competing by lobbying for regulation what you're doing isn't capitalism anymore

So the US isn't doing capitalism anymore? If your system is based on the idea that "those with more money have more power", then those people using that power to stop competitors sounds like an entirely logical outcome to me. "Doing capitalism" means running your company with profit as your goal, and if the best way to profit is lying, bribing, preventing competition, exploiting workers and destroying the environment, that's what a capitalist will do.

That's not to say that capitalism can't be, to some extent, prevented from doing those harms by strong regulation. But as long as those writing the regulation live in and benefit from that same system, that regulation will never be particularly strong - and that's by design.

nobody has ever done pure capitalism; social systems are always a messy mix of modalities

but some societies are more capitalist than others, like those where markets rather than regulators make collective choices, and those tend to be the more prosperous and competent societies

'running your company with profit as your goal' predates capitalism by several millennia, and for that reason among others it is totally inadequate as a definition of capitalism

quoting wikipedia:

Capitalism is an economic system based on the private ownership of the means of production and their operation for profit.[1][2][3][4] Central characteristics of capitalism include capital accumulation, competitive markets, price system, private property, property rights recognition, voluntary exchange, and wage labor.[5][6] In a market economy, decision-making and investments are determined by owners of wealth, property, or ability to maneuver capital or production ability in capital and financial markets—whereas prices and the distribution of goods and services are mainly determined by competition in goods and services markets.

market competition is fundamental to capitalism. calling a competition-prohibiting government decree like this 'capitalist' because private companies presumably lobbied for it last millennium is like calling iran or venezuela today 'democratic' because their dictatorships were voted in by their citizens many years ago

you say, 'capitalism [can] be, to some extent, prevented from doing those harms by strong regulation' but in fact in this case the strong regulation is what is doing the harm, not whatever vestiges of capitalism remain after the regulators removed competitive markets, voluntary exchange, price signals, and private-sector decision-making

> think of that the next time someone contrasts bitcoin with the heavily regulated conventional banking system

Just watching the largest fraud trial in history unfold over at FTX.

Bitcoin deals with any and all questions of fraud by dumping them on the victim. No help and no recourse. Very libertarian, but of course routinely results in people losing life changing amounts of money.

there have been plenty of larger frauds and outright thefts in history (i'd point at our own sovereign default and mass confiscation of dollar bank accounts, respectively, in 02001), but the culprits were never brought to trial because they were the government

> mass confiscation of dollar bank accounts, respectively, in 2001

Argentina?

yup

Isn't that exactly the position that tech executives are in?

It is worth mentioning that to make a bank transfer in Korea (used to[1]) require 3-factor authentication: the user's website password, the user's PIN, the user's encryption certificate signature/공인인증서, and two randomly selected codes from a paper numbers card (보안카드: https://file2.nocutnews.co.kr/newsroom/image/2013/07/02/2013...), which users are instructed to never copy or digitize.

Of all these solutions, the numbers card gives me the most peace of mind: even if my machine is fully compromised and all my passwords and certificates stolen, the attacker would likely need very long-term access (or access to the bank's server) to get all 35 numbers from the card. (If the attacker compromises the card by attacking the bank, I trust attackers will reveal themselves going after larger accounts). As long as I keep this piece of laminated plastic private and visit a bank branch to replace it every 17 to 35 transactions, I can have some peace of mind, at least regarding my bank account.

[1] There have since been efforts to streamline mobile payments, which I avoid because it leaves the phone as a single point for compromise.

>Of all these solutions, the numbers card gives me the most peace of mind: even if my machine is fully compromised and all my passwords and certificates stolen, the attacker would likely need very long-term access (or access to the bank's server) to get all 35 numbers from the card

I think you're overestimating how much security this provides and missing a very simple workaround: the attacker can simply wait until you perform a transfer, and then replace the intended recipient details with theirs. For instance, if Alice was sending funds to Bob, and the attacker controls the machine, they can simply replace the recipient with Mallory, while still displaying Bob to the user.

You're right. The machine remains a big single vulnerability. However, there is a process to catch this: one (used to?) have the option to get a text by SMS following the transfer. This (used to) list the recipient. For whatever reason I haven't gotten a text like this in a few years. Probably my bank disabled it to push people to their mobile app.

btw, this paper card approach was replaced by physical hardware OTP tokens (lasting multiple years until they have to be replaced), it's as secure as the supply chain (which is also a factor for paper cards), so I'm not sure why Korea still clings to this as tokens are obviously a net gain in ops cost

I dunno where you got the idea that South Korea still clings to paper-based number cards, but OTP tokens have been in use for the better part of a decade here. Nowadays you don't even need hardware tokens, since it's considered OK to replace them with mobile apps that use a TPM to manage keys.

I've got the idea from the parent comment obviously. It's cool that the practice of paper cards is not as widespread as I thought after reading it.

Sorry about that. My bank still provides me with cards. I never asked about an OTP dongle and I don't want to enable mobile banking, so cards it is. But almost everyone in Korea (who isn't paranoid about a single compromised device) is now on mobile banking, rather than website banking.

The Canada Revenue Agency does something similar, where instead of TOTP they ask you to print a grid of alphanumerics and they ask you for combinations.

The only problem is I think they're only good for a couple months at which point you need to do verification by mailed token which is a royal pain in the ass

As pointed out, the legislation detailed the exact measures that needed to be done. I guess they copied over the idea of European TANs but they never found out about hardware OTPs.

In the UK, the bank is also usually responsible for any unauthorised transfer, yet our banks are generally quite digitally enabled.

Some banks solve the transfer authorization issue using an external bit of hardware that you type the transaction details into and it gives you a signature OTP.

I honestly don't know how much longer the banks can continue to refund people for fraud. The scale of it is enormous - £600m last year (which is likely to be the floor of it as I imagine it doesn't all get reported correctly).

If it continues growing (~40% y/y) at this kind of rate then it will soon outstrip any profits from retail banking (which is pretty low margin as it is compared to banks' investment and commercial arms).

I wouldn't be surprised if we see UK banks exiting retail banking because of this.
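The recipient-swap attack described earlier in the thread and the transaction-signing hardware mentioned in this comment, as an added example that is not part of the thread: a paper-card response proves possession of the card but is independent of the transfer, whereas a code derived from the transfer details (HMAC over recipient, amount and a counter, an assumed construction rather than any vendor's scheme) stops matching once a compromised PC rewrites the recipient. The card contents and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample paper card (보안카드): 35 numbered cells, each holding a
# 4-digit code. Real cards differ; this is an illustration, not a bank's format.
PAPER_CARD = {cell: f"{(cell * 7919) % 10000:04d}" for cell in range(1, 36)}

def card_challenge():
    """Bank asks for the codes in two randomly chosen cells."""
    return tuple(secrets.SystemRandom().sample(range(1, 36), 2))

def card_answer(challenge):
    """What the user reads off the card and types into the (possibly compromised) PC."""
    return tuple(PAPER_CARD[cell] for cell in challenge)

def card_verify(challenge, response):
    """The answer proves possession of the card, but it is not tied to any
    transfer details, so the bank cannot tell whether the recipient was changed."""
    return response == card_answer(challenge)

def transaction_code(shared_key, recipient, amount, counter):
    """8-digit code a transaction-signing token would derive from the details the
    user typed into it (HMAC-SHA256, truncated). Any changed field changes the code.
    Assumed construction, not a specific vendor's scheme."""
    msg = f"{recipient}|{amount}|{counter}".encode()
    digest = hmac.new(shared_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

def bank_verify_transfer(shared_key, recipient, amount, counter, code):
    """Bank recomputes the code over the transfer it actually received."""
    expected = transaction_code(shared_key, recipient, amount, counter)
    return hmac.compare_digest(expected, code)

def recipient_swap_demo():
    """Malware on the PC rewrites the recipient from bob to mallory after the
    user has authorised a transfer to bob. Returns (paper card accepts, token accepts)."""
    key = b"constructed-key-provisioned-into-token"  # assumed shared secret
    intended = ("bob", 100)
    tampered = ("mallory", 100)

    # Paper card: the user's answer is forwarded unchanged with the altered recipient.
    challenge = card_challenge()
    paper_accepts = card_verify(challenge, card_answer(challenge))

    # Transaction-bound token: the code was computed over what the user typed
    # into the token, so it no longer matches the tampered transfer.
    code = transaction_code(key, *intended, 1)
    token_accepts = bank_verify_transfer(key, *tampered, 1, code)
    return paper_accepts, token_accepts

if __name__ == "__main__":
    print(recipient_swap_demo())  # (True, False)
```

The SMS notification mentioned above is a weaker, after-the-fact version of the same idea: it shows the user the recipient the bank actually received, but only once the transfer has gone through.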

I’m not sure how to understand that £600m in the grand scheme of things. If they are making billions of pounds in profit for example, maybe it is just the cost of doing business.

Of course, exponentials being exponentials, if they continue along long enough they always eat the universe.

UK banking still looks pretty profitable: https://www.theguardian.com/business/2022/oct/25/hsbc-intere...

The banks will be made to keep reimbursing people. They are, after all, in control of the system and the people with most information about what might be fraudulent.

I work in Hong Kong, in the securities industry. We interact a lot with Korean laws, and all of APAC, and Korea is special in that they enjoy nonsensical rules that provide no protection to anyone except the politicians who came up with them and can argue they did do "something".

It's, I think, even worse than China's philosophy, because China is young and pretentious in capitalism, while Korea seems more dishonest and cowardly.

>Korea's financial regulators are strict, but Korean politicians and media are paternalistic, so if there's a problem with finance, most of them try to side with financial consumers. For example, the issue of password leakage due to a keylogger installed on a user's PC is considered to be a bank problem, not a user problem.

Isn't this also the case in the US? You're generally not liable for fraudulent transactions, as long as you took "reasonable" measures to prevent the fraud from happening. Given the technical ineptitude of the average person, banks/regulators will rarely blame the consumer.

Woah, I thought Indian banks blocking right clicks on their website as a "security" measure was absurd.

You mentioned PC environments; what's up with mobile? Specifically with Android & iOS: do you have to install rootkits there too for online financial transactions?

So if keyloggers are such an issue I must assume that they don't even use any kind of 2-factor system?

> For example, the issue of password leakage due to a keylogger installed on a user's PC is considered to be a bank problem, not a user problem.

In other words, they're authoritarians at heart. They want complete control over the environment and don't want users to have any personal responsibility.

In non-authoritarian countries like the US, the users are responsible for all of the bank's losses.

They certainly aren't. That's what FDIC / Reg E / Reg NMS and co are for. US financial regulation is pretty customer friendly.

And who do you think pays if the FDIC is activated?

Not the specific customers of the failed bank.

And not really anyone else either. You'd lose more wealth in a financial crisis than you would from the government printing money to refill the FDIC fund.

The FDIC is funded by insurance premiums that banks pay, which are then invested and generate returns.

Thus it comes out of the returns the bank generates using your money to invest, and then also from the returns the FDIC generates investing the premiums.

In the case of a black swan event, the US Gov might have to step in to increase funding, but that is not how the FDIC normally operates.

> In non-authoritarian countries like the US, the users are responsible for all of the bank's losses.

What? You can almost always get a refund even when someone gets access to your account. That's true for debit, and even more so for credit. Some types of transfers might be irreversible after a certain delay, but again, for customer-facing retail banking, those are generally not widespread anyway.

hard to shake that off

> Security software can be delivered only after CC certification

I wonder if the author should extend the 90-day disclosure window to account for this red tape.

-- don't know who you bank with but fyi - shinhan - charles schwab and kakao all work well on os x, that's who I use! --