by dirkf on 1/3/23, 2:01 PM with 135 comments
by r2vcap on 1/3/23, 10:20 PM
As in many other countries, banking in Korea is a state-regulated industry. However, Korea's regulatory system rules down to the smallest detail.
For example, in the Digital Signature Act (전자서명법), a provision allowing only digital certificates in the form of files called authorized certificates (공인인증서) to be used for certification was added in 1999. (That provision was revised only in 2020.) As a result, most banking was accessible only using IE and ActiveX. Now that ActiveX cannot be used, various software is installed using separate installation files.
Korea's financial regulators are strict, but Korean politicians and media are paternalistic, so if there's a problem with finance, most of them try to side with financial consumers. For example, password leakage due to a keylogger installed on a user's PC is considered a bank problem, not a user problem. For this reason, banking websites require all kinds of security software, such as keylogger-checking programs and firewalls. (This problem is gradually being mitigated.)
The problem with Korean security software is that the buyer of the security software (in this case, the bank) only requires that it meet the requirements of laws and regulatory authorities, so there is little room for improvement. Security software can be delivered only after CC certification (CC 인증) issued by the National Intelligence Service (국가정보원). By the way, the NIS is interested in which encryption algorithm is used (whether Korean algorithms such as SEED, ARIA, LEA, etc. are used), but it is not interested in whether the Visual Studio Runtime is 2008 or 2019.
Also, financial institutions do not take cybersecurity issues seriously. For example, when I was in the security industry, a financial company asked for security software for ATMs running Windows XP SP2. Even at that time, Windows XP was EOL, and our security software only supported Windows XP SP3 or later. Significantly, the company suffered a cyber attack a few years ago that paralyzed its entire financial services for several days.
Most of the things I mentioned here refer to Korean-language materials, so giving references is somewhat limited.
by bob1029 on 1/3/23, 7:38 PM
I've had an opportunity to interact directly with Korean security culture in my time working for Samsung.
I am sure there exist more secure examples out there, but I saw some extremely bad practices like trivially-reversible password shuffling used throughout the entire org. Anyone with access to a certain manufacturing database and knowledge of a particular stored procedure could immediately reverse all passwords and typically use them to go sideways into other engineering/facility systems.
They always seemed substantially more interested in the theatrical aspects of security than focusing on any first principles. Lots of time was spent talking about reactionary crap like a fleet of hardware ARP sniffers installed throughout the network. Not a lot of time was spent talking about PBKDFs, system boundaries and determinism.
by gkanai on 1/4/23, 1:07 AM
CNet back in 2007:
https://www.cnet.com/tech/tech-industry/about-south-koreas-d...
https://it.slashdot.org/story/07/01/26/1455224/why-south-kor...
by varenc on 1/4/23, 1:10 AM
Some quick observations:
- That page intentionally disables right-click! Just by putting `oncontextmenu="return false"` on the <body> tag. This gives me flashbacks to the late 90s when this technique was used to make it harder for users to copy images or inspect HTML source. Browsers all have built-in developer tools, so it's pretty silly seeing it now.
- The JS included on that page is a mix of heavily obfuscated code[0] and completely unminified code with all the internal comments left in[1].
- I was impressed that the required software seems to support Fedora and Ubuntu/Debian as well as macOS and Windows.
- One of the installations is checked by making a JSON-P call (another old tech flashback!) to `https://lx.astxsvc.com:55921/ASTX2/hello?...`. This works because lx.astxsvc.com resolves to 127.0.0.1 so you're just hitting your localhost. Presumably the installed software checks the referer header to ensure only citibank is making these requests.
[0] https://www.citibank.co.kr/aB-IFIZu8Pd7Zd1yjboonwGx/uYfEz6Dp...
[1] https://www.citibank.co.kr/3rdParty/wizvera/veraport/install...
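The localhost JSON-P probe described in the comment above, modelled as an added example. This is not the vendor's code and not the real protocol behind the `hello` endpoint; the hostname, port, allowlist, response fields and the assumption that the agent checks `Referer` are all hypothetical, chosen to show how the pattern works and where it is thin. The handler is a pure function so it can be exercised without opening a socket.

```javascript
// Added example: a local "security agent" answering JSON-P, gated on the Referer header.
// Hypothetical model of the pattern, not the real installed software.

// Assumed allowlist of bank hostnames whose pages may talk to the agent.
const ALLOWED_REFERER_HOSTS = new Set(["www.example-bank.test"]);
// Assumed public name that resolves to 127.0.0.1, so the browser ends up at localhost.
const AGENT_BASE = "https://agent.localhost.test:55921";

// Bank page side: build the URL the injected <script> tag will load.
function buildJsonpUrl(callbackName, params) {
  const u = new URL("/hello", AGENT_BASE);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  u.searchParams.set("callback", callbackName);
  return u.toString();
}

// Agent side: decide whether and how to answer. Returns {status, body}.
function handleHello(method, rawUrl, headers) {
  const url = new URL(rawUrl, AGENT_BASE);
  if (method !== "GET" || url.pathname !== "/hello") return { status: 404, body: "" };

  // The "who is asking" check: parse the Referer and compare its host to the allowlist.
  let refererHost = null;
  try { refererHost = new URL(headers["referer"]).hostname; } catch (_) { /* absent/unparsable */ }
  if (!refererHost || !ALLOWED_REFERER_HOSTS.has(refererHost)) return { status: 403, body: "" };

  // JSON-P responses are executed as script in the calling page, so the callback name
  // must be constrained to an identifier; reflecting arbitrary text is script injection.
  const cb = url.searchParams.get("callback") || "";
  if (!/^[A-Za-z_$][\w$]{0,63}$/.test(cb)) return { status: 400, body: "" };

  const payload = { installed: true, version: "1.0.0" }; // constructed sample answer
  return { status: 200, body: `${cb}(${JSON.stringify(payload)});` };
}

// Consumer side: recover the JSON without eval, checking the callback name we asked for.
function parseJsonpBody(body, expectedCallback) {
  const m = body.match(/^([A-Za-z_$][\w$]*)\((.*)\);$/s);
  if (!m || m[1] !== expectedCallback) return null;
  return JSON.parse(m[2]);
}

// Demo with constructed requests.
const fromBankPage = { referer: "https://www.example-bank.test/login" };
const url = buildJsonpUrl("onAgentHello", { v: "2" });
console.log("script src:", url);
console.log("bank page  :", handleHello("GET", url, fromBankPage));
console.log("other site :", handleHello("GET", url, { referer: "https://evil.test/" }));
// A local process (curl, a trojan) is not a browser and sets whatever Referer it likes,
// so the same check passes for it; Referer tells the agent which page asked, not which program.
console.log("local curl :", handleHello("GET", url, fromBankPage));
```

In a browser the Referer cannot be forged by page script, so the allowlist does stop an unrelated website from probing the agent through a script tag. It says nothing about local callers: any process on the machine can send the same GET with the same header, which is the caveat to keep in mind when a localhost endpoint is what stands between the page and installed software.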
by gred on 1/3/23, 8:00 PM
Note for the author: small typo at "requires outmost care".
by second_brekkie on 1/3/23, 10:43 PM
You would hope that these would be somewhat more secure as this may have required a 're-write' as the article suggested.
Though even with mobile apps you sometimes have to install some 3rd party 'anti-virus' software that probably amounts to spyware. But hey you can either lump it or leave it.
They do at least try to make you feel like it's secure. To set up mobile banking you need at least 3 different passwords and need to perform 2fa 3 times as well.
They have 'front end' security too, such as each time you enter a pass code the keyboard is in a different arrangement.
by badrabbit on 1/3/23, 11:48 PM
https://www.fireeye.com/content/dam/fireeye-www/global/en/bl...
I just looked up CVEs for it. I only see 2 in 2017. This is not a good thing; a complex word processor, even if it were rewritten in a memory-safe language, would have at least some low-level non-memory vulns in 6 years!
by physicles on 1/3/23, 8:33 PM
To this day, I can only do online banking with Internet Explorer 11. When logging in, of course the password field doesn't permit pasting. I have a couple ActiveX controls and certs installed, but I've forgotten which ones so I'll just have to keep that old laptop around. The one bright spot is that large transactions do require a USB dongle.
At least one other website I've used (perhaps Alipay?) required you to install a browser plugin simply to be able to "securely" enter your PIN.
Rewinding back to 2014, the brand new government website for buying train tickets[0] didn't have an SSL cert signed by any of the trusted authorities. If you wanted to buy tickets securely, you needed to download a zip file (over http) that contained 1) a self-signed root cert, and 2) a Microsoft Word document explaining how to add this to your OS's trusted root cert store and how this is totally legit and secure.
[0] https://www.techinasia.com/chinas-official-train-ticket-site...
by nibbleshifter on 1/4/23, 12:15 AM
Absolute steaming garbage.
Its "anti-keylogging" functionality could be bypassed trivially, as could its various screen-hijacking tricks designed to defeat some methods used by the banking trojans that were common at the time.
I see that snake oil industry lives on in Korea :/
Very excited to see the results of OP's work (the disclosures).
by Roark66 on 1/3/23, 10:23 PM
Once I saw this: >This starts with a simple fact: some of these applications are written in the C programming language, not even C++.
I had to stop reading and come here to see if anyone else got annoyed by it. Seriously? "Not even C++"? Are we still in the 1990s?
by joshuaissac on 1/4/23, 12:47 AM
by prottog on 1/3/23, 8:47 PM
by rgmerk on 1/4/23, 12:39 AM
Are there any stats comparing levels of banking-related cybercrime in South Korea with other jurisdictions?
by snvzz on 1/10/23, 2:08 AM
Note this is written by Norman Feske, who later went on to develop Genode[1], and continues to be its main developer today.
by smsm42 on 1/4/23, 6:11 AM
Note to self: never move to Korea. Or at least never use Korean bank (can you survive on cash and Bitcoin?)
by kyaru on 1/4/23, 8:02 AM
by intoxicat3d on 1/4/23, 4:12 AM
by black7375 on 1/3/23, 7:35 PM
by richbell on 1/3/23, 10:10 PM
https://krebsonsecurity.com/2021/06/adventures-in-contacting...
A lot of countries seemingly did not have access to American encryption technologies or did not trust them (arguably for good reasons[0]), which has led to this hodge-podge of homegrown security.
[0] https://www.washingtonpost.com/graphics/2020/world/national-...
by michael1999 on 1/3/23, 10:12 PM
by filoleg on 1/3/23, 7:04 PM
Nitpick for OP (@palant): on mobile Safari (haven't checked any desktop browsers), the images embedded into the post appear stretched out vertically (i.e., too "slim"). It is still technically readable, but very noticeable and jarring. This only applies to the images when embedded, opening direct image URLs in a dedicated browser tab renders them properly without any stretching. I suggest checking CSS, but that's just my first guess and could be entirely wrong.
I think just keeping the same horizontal size of images, but reducing the vertical size, would make it much more aesthetically pleasing + readable.
by nokya on 1/3/23, 6:57 PM
1. Give SK a few months/years until it realizes it is losing billions in revenue nationally due to hacking by foreign entities, and it will naturally invest in its application security landscape.
2. Reconsider your position on SK's current situation by factoring actual risk into the equation (likelihood of threat, in particular). What you seem to have discovered are client-side vulnerabilities that would require direct network access to the client machines to be exploited (i.e., no firewall, no NAT, etc.). First, these limitations greatly reduce the attack surface, and second, they may actually cost the attacker more to exploit than simply sending a well-crafted message with an attachment to click on.
I would be much more convinced by your conclusions if you added elements that would support the hypothesis that the situation is similar (or worse) server-side.
(edit: removed ugly formatting)