[In-depth interview] Online security, at a rather lofty price
Many financial and retail firms require Internet customers to use ActiveX controls - which involves downloading virus detection programs, firewalls and other software - to help ensure that personal information used in such transactions is secure from hackers.
But it can take a fair amount of time to download the necessary software, and browsers on most smartphones aren’t compatible with ActiveX, limiting the use of the high-tech devices.
Korea University law professor Kim Kee-chang, 47, lays a large share of the blame on government financial authorities, who he says have steered the financial industry toward ActiveX.
ActiveX was designed exclusively for use on Internet Explorer (IE), which is by far the dominant Web browser in Korea. Kim said that the country’s overall domestic Internet structure does not adequately accommodate browsers like Firefox or Safari, hence the heavy use of IE. That means many consumers must use IE to conduct financial transactions on the Web - and therefore must navigate through ActiveX installations online.
Kim spoke with the JoongAng Ilbo about the ActiveX issue and the country’s Internet backbone.
Q. It is unusual for a law professor to get involved in electronic banking reform. Why did you become interested in this issue?
A. I had been using a Linux-based laptop instead of a Windows-based one since 1990, when I became a researcher and a professor at the University of Cambridge in Britain. However, I could not use the Internet on my laptop when I returned to Korea in 2002. I soon found out that the fundamental problem was rooted in ActiveX.
Isn’t ActiveX better than nothing in terms of security?
There are a few major problems. ActiveX is not an international standard, yet it is widely used in Korea. In online financial transactions, users are required to go through confirmation procedures between the server at an institution - such as a bank or credit card firm - and a client’s computer.
Basically, to protect a client PC from a hacker’s attack, passwords are exchanged between a server and a PC using a digital certificate issued by a credible financial institution. Every browser - including IE and Firefox - can store a digital certificate by encoding it. Korea should have used methods that involve encoding and storing a digital certificate in a PC, but the country instead chose to use a system that involves installing additional programs.
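The browser-native alternative Kim describes is certificate-based client authentication carried by TLS itself, which every standards-compliant client can perform without a plug-in. The program below is an added example and is not code from the interview, the JoongAng Ilbo or any Korean bank; the names "Bank Root CA", "bank.example" and "customer-1234" and the in-memory, single-run certificates are assumptions made for the demonstration. It stands up a server that requires a client certificate chaining to the bank's CA, then runs three handshakes over loopback: a legitimate customer certificate, no certificate, and a certificate with the same name issued by an unrelated CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates a short-lived P-256 certificate. With parent == nil it is
// self-signed (a root CA); otherwise it is signed by parent/parentKey.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // assumed demo names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // Go's verifier insists on this for issuers
	} else {
		tmpl.DNSNames = []string{cn} // SAN so the server name check passes for the server leaf
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// tryHandshake runs one TLS connection over loopback. The server demands a
// client certificate that chains to bankCA; the client presents clientCert,
// or nothing when it is nil. It returns nil only if both sides accept.
func tryHandshake(bankCA *x509.Certificate, serverCert tls.Certificate, clientCert *tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(bankCA)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the browser-native check
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake()
	}()
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "bank.example", MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cliCfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err // TLS 1.2 servers reject before Finished, so the client sees it here
	}
	defer conn.Close()
	// Under TLS 1.3 the client's handshake completes before the server has
	// judged the client certificate, so the server's verdict is what counts.
	return <-srvErr
}

// runScenarios reports whether each client is accepted by the bank's server.
func runScenarios() (map[string]bool, error) {
	bankCA, bankKey, err := issueCert("Bank Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	srv, srvKey, err := issueCert("bank.example", false, bankCA, bankKey)
	if err != nil {
		return nil, err
	}
	cust, custKey, err := issueCert("customer-1234", false, bankCA, bankKey)
	if err != nil {
		return nil, err
	}
	otherCA, otherKey, err := issueCert("Unrelated CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	impostor, impostorKey, err := issueCert("customer-1234", false, otherCA, otherKey)
	if err != nil {
		return nil, err
	}
	serverCert := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	custCert := tls.Certificate{Certificate: [][]byte{cust.Raw}, PrivateKey: custKey}
	impostorCert := tls.Certificate{Certificate: [][]byte{impostor.Raw}, PrivateKey: impostorKey}
	return map[string]bool{
		"valid customer cert":    tryHandshake(bankCA, serverCert, &custCert) == nil,
		"no client cert":         tryHandshake(bankCA, serverCert, nil) == nil,
		"cert from unrelated CA": tryHandshake(bankCA, serverCert, &impostorCert) == nil,
	}, nil
}

func main() {
	res, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"valid customer cert", "no client cert", "cert from unrelated CA"} {
		fmt.Printf("%-24s accepted=%v\n", k, res[k])
	}
}
```

Only the certificate issued under the bank's own CA is accepted; the impostor certificate carries the same name but fails chain validation, which is the property a plug-in-free, certificate-in-browser scheme relies on.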
At the end of last year, the online bookstore Aladdin introduced a payment system that did not require users to install ActiveX. Users therefore could immediately order and pay for a product through Web browsers like Firefox and Safari as well as smartphones. However, the service was axed in just two months, as every credit card company rejected the payment system. Why did those financial companies react that way?
Because the Financial Supervisory Service put pressure on card firms. Most people know about this. The FSS oversees security matters of banks and card firms. It is difficult for local financial companies to disobey the FSS.
From a security perspective, isn’t it safer to require PC users to install a program on their computers? If security measures are optional, then many users might not take those steps and put themselves at risk.
No country asks users to take all of the responsibility when accidents occur during online transactions. In the case of the United States, when a person loses his or her online PIN, he or she is responsible for only $50 of any money spent by another person if the loss is reported within two days.
The amount that the person is responsible for expands to $500 after two days.
However, if the person does not report it after 60 days, he or she might have to pay the whole amount of money illegally spent after the loss.
In 2007, you filed a lawsuit against the Korea Financial Telecommunications & Clearings Institute (KFTC), claiming that the use of licensed digital certificates only accessible on IE browsers is illegal. You lost the suit, which ended last October. What can you say today about the suit?
I would like to say that I was somewhat successful with the lawsuit. Under the FSS’s method, every PC user should receive a licensed digital certificate. However, the court concluded that Firefox users are not required to issue a licensed digital certificate.
That means it is hard for the FSS to require the use of a licensed digital certificate for every PC user.
How should the local Web infrastructure be changed?
I don’t know why the government - and specifically the FSS - is pushing for the requirement of licensed digital certificates. No other country requires the use of any particular authentication technology. Only Korea has this problem.
I think using just one particular authentication technology is basically a huge loss for the Korean software industry. A number of security companies are making huge profits under the current system; however, the overall software industry is seeing losses. Therefore, the government should allow banks or card firms to choose their own ways of installing security programs.
Have there been any overall improvements in this area in recent years?
I think the government is finally mulling over the matter as the public starts to raise questions on the issue. They have begun forming measures that can improve the current system. I think this marks a new beginning.
However, a new problem has arisen after the Korea Internet and Security Agency and the Ministry of Public Administration and Security jointly released a standard for the usage of a licensed digital certificate exclusively designed for smartphones. Under the new standard, mobile phones featuring Windows or Android operating systems must use the current authentication system.
The iPhone, developed by Apple Inc., is the only smartphone that follows the international standard. The local PC environment has been like the Galapagos on this issue for the past decade, and I fear we’ll see the same problems in the smartphone realm over the next decade.
By Kim Chang-woo, Jung Jae-yoon