331 points by pat-jay
6 days ago
I think this requires some prior knowledge.
From https://palant.info/2023/01/02/south-koreas-online-security-... :
> I’ve heard about South Korea being very “special” every now and then. I cannot claim to fully understand the topic, but there is a whole Wikipedia article on it. Apparently, the root issue were the US export restrictions on strong cryptography in the 90ies. This prompted South Korea to develop their own cryptographic solutions.
> It seems that this started a fundamental distrust in security technologies coming out of the United States. So even when the export restrictions were lifted, South Korea continued adding their own security layers on top of SSL. All users had to install special applications just to use online banking.
> Originally, these applications used Microsoft’s proprietary ActiveX technology. This only worked in Internet Explorer and severely hindered adoption of other browsers in South Korea.
Well... SSL was unsafe then.
The problem came from U.S. cryptography export regulation, which made exportable cryptographic algorithms feasible to crack. Bundled Internet Explorer didn't support good algorithms on SSL.
The real problem of South Korea is, the slowness of deprecation.
They deprecated ActiveX (and created NPAPI or WebSocket on localhost) in 2014. After Microsoft deprecated Windows XP, they established a "Windows XP Task Force" to respond to security issues with Windows XP computers in government agencies. Yeah, this was fairly late, considering MS declared the Windows XP deprecation schedule in 2007.
IE/ActiveX/Java Applet/etc. algorithms still aren't completely deprecated in Korea. NEIS, a gigantic service used by every K-12 school to record and manage education-related information, still uses technology based on Internet Explorer by using the IE compatibility mode of MS Edge. Repeat, EVERY K-12 school teacher and staff member uses this service, with IE compatibility mode.
I want South Korea to adopt new technology and deprecate old ones more in due course. I mean, they should accept that TLS provides decent end-to-end encryption, and they should recognize that Triple DES is deemed an unsafe algorithm.
> All users had to install special applications just to use online banking.
This happened here in Brazil as well, perhaps for similar reasons. Most banks require users to install a "security module" on their computers in order to even log into the bank website. Everyone does this unquestioningly; there are even packages for Linux.
In my experience, this software caused massive performance issues. I tried to figure out why by reverse engineering one of these things and it turned out it had a Windows driver that intercepted every single network connection. Literally indistinguishable from malware but this is apparently considered acceptable because banks have a "legitimate interest" in preventing fraud or whatever.
We have a GDPR-like law in effect now, not sure if banks can get away with this anymore. I certainly hope not.
I’ve also written a comment on the context of how these ugly programs got adopted on .
To quote myself…
> Everybody knows that the systems are absurd. This is basically a countrywide legacy that we’re figuring our way out for ~30yrs.
> When the idea was first proposed, it was when IE didn’t have a yes/no dialog to ask whether to load native code or not.
> When IE first added ActiveX confirmation dialogs, banks instructed customers to press yes. When IE deprecated ActiveX, banks didn’t remove their 20-yr old code straight away; people were advised to turn on ActiveX support from advanced settings (they added step-by-step instructions to help people). When MS finally ripped out ActiveX, banks copied their ActiveX components into a separate executable that runs a localhost server.
I’m sure that if it wasn’t iPhones, South Korea would have been locked into this legacy for a lot longer. (In fact, we once had versions of these programs for Android as well! iOS didn’t allow this (thankfully).)
Of course one issue here is that while it's probably acceptable for South Koreans to trust Chrome, Windows, macOS, Android and iOS (and also Intel and Ryzen CPUs), it's probably not for their biggest companies (including banks?) and their government, whose security threats likely include US espionage.
And yes, this might seem silly considering the garbage fire revealed by TFA, but maybe they can use this crisis to jump one extra generation over that security threat too?
What about people using Apple computers? Were they simply advised to borrow something capable of running Windows from a friend?
It was common 5~10yrs ago to either have a spare Windows laptop or buy Parallels Desktop for handling bank/govt things. Nowadays, macOS got common enough that some of these ugly programs now have a macOS-specific version. :( Some even have downloadable deb/rpm Linux binary packages.
Some software: Yes. People with Macs are advised/forced to use Windows. For instance, Uwayapply, a college admission application service, doesn't support macOS.
Or: they provide .pkg file to install similar program.
Most of them want sudo. They use root permission for various purposes, but the most impressive one for me was registering their CA certificate in the Firefox root store, to support WebSocket over TLS to localhost on Firefox.
Nice! That way you can extract the private key and cert from the app and spoof the local server! I bet that cert is valid for *. and the same on every machine as well?
That situation was pretty normal if you used Macs back in the day, for many workflows. Virtual PC on PPC Macs was a godsend in many situations in the late 1990s.
This basically reveals that the pretext of this being primarily about increasing security of the connection is not really what it is about.
From having read about this, I think it is completely fair to classify this as spyware.
If at any point a government tells you they are doing something to increase security, or to be tough on crime, or to protect children, it is almost certain they are lying to your face and in fact just want more ways to spy on people.
More likely a massive and internally unrecognized incompetence than some black project from sneaky agencies. I remember some experts in the 2000s fighting for months to convince banks that TLS with a self-signed certificate is the way to get customers scammed.
But isn't that sort of true? How can I know what self signed certs to accept and which ones to reject as scam attempts?
I'm not sure if there was such a "fundamental distrust" ever. It is more easily and adequately explained that they simply followed the path of least resistance, which is the status quo.
ActiveX-based plug-ins for online banking weren’t exactly SK-specific in the 2000s. I’m surprised these (I mean the no longer ActiveX-based successors) are still a thing, though.
I'm the one who originally first wrote about the situation in S. Korea in the 90s when I was working for Mozilla and we noticed that Firefox had almost no market share there.
At the end of the day, it's up to the S. Korean govt. or regulator to make the changes necessary to get rid of this nonsense. The govt./regulators have other issues to deal with so these S. Korean 'tech' companies get to make a mess of citizens' computers and privacy. It's been well over 2 decades of crappy S. Korean software like the keyloggers and whatnot and no end in sight.
If S. Korean citizens cared, they would force the politicians to do something and it would change. They don't, so it doesn't change.
Disclaimer: I'm Korean.
A LOT of Korean citizens cared and got angry about this issue. So governments, agencies, and, yeah, "security companies", finally decided/declared to deprecate ActiveX-fu software and follow Web Standards.
We didn't expect WebSocket on localhost.
Disclaimer: I am the author of this article.
First of all, thank you very much for informing us about this issue. I still remember reading the article you wrote back in 2007, and it really helped me navigate this situation.
I doubt that people in South Korea care so little about it however. Otherwise articles citing an unnamed “famous hacker” about how all of this isn’t really bad and how I misunderstand the domestic security market wouldn’t have been necessary. It seems that lots of uncomfortable questions are being asked right now.
Whether this will be sufficient to produce some real change for the better is a different question of course. I sincerely hope that it will.
Just generally, Korea seems to have some weird legacy internet stuff.
It's pretty hard to find places you can order in Korea, or from Korea, that don't require a Korean phone number. There are services and stores that exist just to buy things from other places in Korea and reship or resell them to people both in and out of the country, just because people don't have Korean phone numbers.
Even online purchases like audiobooks often require a local phone number.
They sure make it hard for any non-Korean to spend money.
And it's not every site, there are some huge retailers (www.aladin.co.kr for example) that do not require it. So it's got to be just that most websites never bothered to build a checkout process that works without a phone number?
I once ordered something online from an EU country. I entered my phone number (from another EU country) in the international format (+xx xxxxxxxxx).
The website silently mangled my phone number into a local number.
I had to e-mail them and tell them "hey, this is not actually my phone number, just some number from your own country that may or may not exist."
You'd be surprised, there are many sites that don't even support names longer than some arbitrary limit like 5 or 10 characters because Korean names are typically 3 to 4 characters long.
The phone number is typically required for real-name verification. Pair that with the low character limit above and a lot of stuff just breaks.
I think non-Korean customers just are not much of a consideration for Korean companies unfortunately.
It goes both ways. Some US sites don’t allow spaces or hyphens in given names.
Most US websites I deal with throw a random error when I give them my name. And it's not even weird, just one non-ascii character. Especially annoying since they always say something to the effect of "Write your legal name here, exactly as it's on your documents, do check twice it's the same".
I know sometimes it's because of legacy ASCII protocols in finance/airlines (but sometimes it's just bad databases/regexes). I know how to fix it, but please just don't say in the error message that my name is "invalid".
Exactly the same in Japan; moreover, many e-commerce sites reject foreign credit cards, even those of international brands (Visa/MasterCard).
What I heard was that payment providers charge higher fees for allowing foreign cards, so website owners (who focus on domestic business anyways) just won't bother.
> What I heard was that payment providers charge higher fees for allowing foreign cards, so website owners (who focus on domestic business anyways) just won't bother.
Here at least that doesn't seem to be the blocking issue. Or at least I often see foreign CC payment options in the list, but if you try to use the option you still need a Korean phone number in the checkout process (and they confirm with an SMS, you can't just type in whatever.)
This used to be done in South Korea by (ab)using ActiveX. This looks like a continuation of a bad practice.
Not that banks in other countries are much better with their reliance on mandatory (or nearly mandatory) smartphone apps.
My Italian bank relies on SMS for the 2nd factor.
They used to have an actual object generating numbers, but to save money they moved to SMS, claiming it was to follow an EU regulation (which I've read, and mandates the exact opposite).
Established Dutch banks grudgingly keep their 'readers': small pieces of cheap hardware which can generate OTPs by reading the chip on your debit card and verifying the PIN. It works, but the banks are trying really hard to move everybody to their apps, and they are increasingly making that route the one with less friction (e.g., by selecting the app option as default on every transaction and by making it look like the app is the only way in their communication with customers without explicitly saying so).
A few of the newer online-only banks are simply mandating their apps, making them exclusive to people who own (recent-ish) Android or iOS smartphones.
They aren't going back to SMS though. That's really a thing of the past now.
> Android or iOS smartphones
Not only that, but typically also their device ID features. So, for example, your banking app won't work on LineageOS with some free re-implementations of GApps.
For me, mandating a mobile app is a deal breaker.
> free re-implementations of GApps.
"Open" GApps for custom Android builds are not an open re-implementation. It was a middle ground between ROM communities and Google reached some decade ago, to disallow inclusion in the ROM and limit redistribution to forms and channels agreed upon.
However, there is a free reimplementation of GApps, namely microG. Not what OP linked to, but it does exist.
I love my card reader (BE) and they can pry it from my cold dead hands.
Every bank app I've looked at here is full of annoying spyware and plugs for third party services. Even on the home screen.
Apparently they do not think anything is wrong with taking an app that is supposed to be your personal wallet, and putting ads in it. Which you can't turn off, and which kept growing. I complained, but they never did anything. And yes, putting integration for third party services that you can't turn off and which appear right between your own accounts, those are ads, and someone is making money off that.
So I stopped using it. They can go f themselves. It's bad enough that they charge you to hold on to your own money... but worse, they don't even treat you as the customer anymore.
In Sweden it's the same. There are two types, the first one is the one you describe where you put the (chip) Visa / Mastercard / Maestro card. The other kind is just number pad + 7-segment LED. Even when using the (bank cooperation issued) smartphone ID app, you have to first sign some cryptography keys with your hardware fob.
That's interesting. I recently moved to Norway, and first had BankID on mobile, which used GSM-level encryption to verify. They're deprecating that now for a regular BankID app. But even though it's supported, I don't think you can get the hardware fobs any more.
What frustrates me most is that every bank develops their own shitty-in-their-own-way app for this purpose. There really needs to be an industry standard and then apps like Google Authenticator to exist for this purpose.
I have multiple bank accounts with different banks and upgrading my phone is an absolute nightmare because of apps like this.
It isn’t just banks. 10 years ago I just used TOTP when I wanted 2FA. But now many tech companies are hand-rolling their own MFA. Google Prompts. GitHub Mobile. Microsoft Authenticator. Adobe Account Access. Some of these still support TOTP, but force you to use their app (Google Prompts when a Google app is installed). Others simply removed TOTP to push their app (Adobe).
TOTP was great as I could generate codes on multiple devices and back up my setup codes. Now I’m forced to use my phone, a device that is easily lost or stolen, and restoring a new phone from a backup generally doesn’t transfer the keys for these types of apps (for “security” I guess) so nightmare is probably putting it nicely.
I’m surprised more people aren’t complaining about all of this proprietary/DIY security. Rolling your own is almost always a bad idea - we have open standards for a reason.
We have NFC enabled cards and phones. I guess one could get a challenge from the card's chip with an app if they insist, but the phone can already work as a contactless card over NFC, so one no longer needs the EMV chip.
> They aren't going back to SMS though. That's really a thing of the past now.
Mostly because it costs them money and doesn't allow them to collect data.
They wouldn't care that it's not encrypted.
> doesn't allow them to collect data.
What data? This is your bank, they already know exactly when what for what amount you're buying because you're doing it with their card. There's no other data they can reasonably get away with collecting.
Good point, but maybe the data they don't directly get from banking isn't as heavily regulated ?
IPinside sounds a bit like a really weird medical condition
Well there is a condition called vesicoureteral reflux where pee from the bladder flows back to the kidneys (it should not) and that could be interpreted as IPinside...
I prefer to read it as the killing of Intellectual Property.
in Japan it sounds like Yaranaika... )
I enjoyed this read very much. Hidden gems like these are why I love visiting HN!
As a Korean, great contents with big nodding
I don’t see how this service checks if the website is supposed to be using it. So it seems any website can get all this information and use it to track users.
Disclaimer: I’m the author of this article.
As it says in the article, the application doesn’t check at all which website connects to it. It seems that they rely on their obfuscation, hoping that only eligible websites will be able to decrypt the data. Which, quite frankly, is a stretch.
The idea was that random, unauthorized websites can access the JSONP endpoint but can't use the data because it is encrypted. Which, as the author explained, might have worked - had they not completely botched the encryption by using an extremely short asymmetric key for one set of data and symmetric keys for the other two pieces.
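The missing origin check described in the two comments above, as an added illustration that is not code from the article or from IPinside: a fail-closed allowlist check for a localhost JSONP endpoint, plus validation of the callback name. The origin names, port, path and payload are constructed placeholders.

```python
"""Fail-closed origin allowlist for a localhost JSONP endpoint (added example)."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder: the only site allowed to read the local data.
ALLOWED_ORIGINS = {"https://bank.example"}

# A JSONP callback must be a plain identifier, never arbitrary script.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")


def parse_request(raw):
    """Return (request_target, headers) from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return target, headers


def request_origin(headers):
    """Derive the calling site from Origin, falling back to Referer.

    A <script src> JSONP load usually carries Referer but no Origin; a
    referrer policy can suppress both, so a missing value yields None and
    the caller denies (fail closed) rather than guessing.
    """
    if "origin" in headers:
        return headers["origin"]
    referer = headers.get("referer")
    if not referer:
        return None
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def jsonp_response(target, headers, payload, allowed=ALLOWED_ORIGINS):
    """Build (status, body) for the local JSONP endpoint.

    Unknown or absent origins get 403 with an empty body; a callback that
    is not a bare identifier gets 400. Only allowlisted sites receive data.
    """
    origin = request_origin(headers)
    if origin is None or origin not in allowed:
        return 403, ""
    callback = parse_qs(urlsplit(target).query).get("callback", [""])[0]
    if not CALLBACK_RE.fullmatch(callback):
        return 400, ""
    return 200, f"{callback}({json.dumps(payload)});"
```

Browsers set Origin and Referer themselves, so web content cannot forge them; the check fails closed when a referrer policy strips them.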
The issue also is (for the banks depending on the application) that they can't trust an application running on the user's computer. This begs for an open-source implementation that returns plausible fake data. :)
Yes, developing such an application would be fairly easy. From what I understand however, South Korea has laws against reverse engineering. So openly distributing this application would probably be risky, asking for lawsuits. Which doesn’t mean of course that no cybercrime gang (particularly those specializing in banking fraud) has such an application.
I was wondering just that. Get the private key, spoof the data to be the "real" IP of your neighbor whom you have, do bank crimes. Ta-da, you get him in trouble.
South Korea. Be specific about it.
This. I was so confused, like "Korea is not a place; South Korea and North Korea are both places, and are vastly different, so what are you on about?" level of overthinking.
The title should mention South Korea explicitly because without that we may believe that North Korea is included in the story.
I was in doubt after reading "Korea", but after "mandatory spyware" I was certain it was going to be South Korea.
They don't have internet access in North Korea, do they?
Only the privileged. The rest use Kwangmyong, which is like Facebook's Free Basics but operated by KCC.
I assume you then read the article, so... no problem here?
Here in the US the authorities just use the Intel ME and AMD PSP. No messy sidecar software needed!
Neither of these are exposed to the wide Internet.
I thought the ME could access the pcie bus and thus network cards (if not embedded into the SoC)? Maybe I was misinformed.
It can, yes, but under ordinary circumstances remote websites cannot access the ME/PSP.
oh my sweet summer child...
Patronizing someone is not evidence that they're wrong.
South Korea, for people would think "duh, it's obvious they have spyware".
Good contents with nodding as Korean.
JSONP! It’s been a while
> When a banking website in South Korea wants to learn more about you, it will make a JSONP request to localhost:21300. If this request fails, the banking website will deny entry and ask that you install IPinside LWS Agent first. So in South Korea running this application isn’t optional.
To me this reads as not mandatory in the broadest scope, but needs to be on whatever device people use for online banking.
Right, but the banking website was one example of a system that might force IPinside installation.
Losing access to several necessary systems basically makes it mandatory.
Even if you could buy a burner device to access those systems, the average person will not - and that's the problem here.
Quite a few people living in South Korea say exactly that: they keep an old laptop around only for online banking. And they try to avoid whatever else requires IPinside and similar applications.
This solves the issue at least partially on the individual level. But most people will in fact not do this.
In the article I cannot see Android and iOS mentioned. I also can't discern if banks alone, or banks and other vital services require IPInside. This logic is going somewhere so hear me out please! (and this is meant to be a humble query, I hope it comes across that way).
To me this ambiguity leaves the door open for challenges to the label "mandatory spyware" as a blanket label.
With the ambiguity open, a plausible scenario is this:
Only banks enforce IPInside, and Koreans can access full banking services from their mobile Android and iOS devices (with IPInside installed), meaning their laptops and PCs wouldn't need IPInside installed. Meaning: the label mandatory would be an overstatement.
I'm not against the label mandatory, if... these gaps in knowledge are filled in with more info (forgive me if it was clearly stated in the article for all to see! I read it the best I could, but on mobile, so who knows what I missed).
Korea is not authoritarian but a democracy - this is ok
I've never heard around here that spying is good when a democracy does it.
It may be better than when authoritarian countries do it because the consequences are not that severe, but that's far from accepting it.
Spying is never ok as what is acceptable today may not be tomorrow, a moving target regardless of the current government.
I may be wrong but I read the GP as sarcasm.
So let's ignore the government part of this. Anyone can create a webpage that collects this information, which means that a non-government hacker (or another government like N. Korea or China) can set up online services that people from South Korea want to access. They can then use this collected information to impersonate the S. Korean person.
What government part? Aren't these mostly (?) privately/publicly owned banks?
If anything, it reveals just how many things are not up for voting in our democracy - because people will definitely vote down spyware whose obvious target is us.