Online accounts at risk from deficient systems

Late last month, Woori Bank’s electronic funds clearing system was off line for almost three hours because of a computer server problem. Despite the outage, the bank did not inform its customers of the problem, and when some customers and employees asked about the matter, the bank said only that the large number of month-end card payments and other transactions had slowed the bank’s computers somewhat. The number of people affected by the outage that day is not known ― Woori is not saying, and still does not acknowledge that there was a problem ― but a merchant who did not want to give his name said he was one of them. He failed to meet a deadline for paying a supplier after trying to send the funds through Woori’s online banking service. The supplier did not ship the goods, and the merchant missed the shipping date to an export customer. A worker in charge of the computer network at another Korean bank, who also declined to be named, said when the bank’s servers go down most customers never know, because the bank takes pains to conceal the outages. An average of 28 trillion won ($28.8 billion, 170 million cases) is moved daily over the nation’s electronic banking network, which is supervised by the Korea Financial Telecommunications & Clearing Institute. There is an average of two or three outages per month on that system, lasting from just a few minutes to several hours and blocking as many as 100,000 banking transactions. Those problems are raising tensions in the financial community, especially with the hordes of Koreans expected to swarm to online banking sites and their telephones to put in their bids for new apartments in Pangyo, south of Seoul, on March 29. Government-owned and private builders plan to erect residential buildings containing 20,000 apartments, and more than 1.5 million Koreans are expected to put in bids for them. The government has decreed that bids will be accepted only through banks’ online systems. When large number of people log onto a bank’s Web site at the same time, the chances of a server overload are not small. If vandals try to attack the system at the same time, as happened on the last day of online applications for college entrance applications, things could get a lot more grim. According to the Korea Information Security Agency, there are more than 300,000 attempts to crack the security of online banking sites every year. And despite boasts about the level of security in online or telephone banking here, it appears to lack the safety found in the systems of other developed countries. The Korea Financial Telecommunications & Clearing Institute, the organization in charge of the country’s banking network, has only 30 staff members at its computer network system control unit, including several managers. They work three shifts, which means only five computer engineers are on duty at any given time. By contrast, Citibank’s headquarters in the United States has more than 300 staff members working solely on banking security. Song Myung-won, a technology team head at the National Computerization Agency, said, “While banks in the United States set aside 5 percent of their annual information technology budget for online security, Korean banks spend only 2 percent.” Cho Soo-hyung, head of financial business at LG CNS Co., a leading IT consulting and network developer in Korea, said, “Because security is recommended but not regarded as a compelling issue here, banks do not tend to place a high priority on it. Ever since the Asian currency crisis in the late 1990s, the number of employees engaged in banking security has been dropping, and new investment has been neglected.” In addition to the low level of expenditures for online banking security, experts cite poor data backup as another problem. The Korea Financial Telecommunications & Clearing Institute rented a backup server for data recovery to guard against crashes, but the server capacity has reached saturation point. Therefore, it has been programmed to store only limited parts of the data set associated with Internet banking. Kim Woo-hwan, a director at the Korea Information Security Agency, said, “The backup is done five hours after each financial transaction, not in real time.” He said it takes five hours to get back to normal operations after a server crash, which means that some original data will be lost. The clearinghouse would have to search through millions of transaction records from individual banks’ computers. Things are supposed to improve next year, however, when the state-run organization completes the construction of a much larger data backup center in Bundang, Gyeonggi province. by Kim Chang-woo