South Korea’s Online Banking System Is Stuck In 1996
By Elaine Ramirez for Forbes
“I can’t f***ing stand this s***. I almost threw my brand new computer across the room,” says Seoulite Jeonghyun Kwon, an avid online shopper, after another failed attempt to buy a sweater.
“[My bank’s] security apps slow my computer to a crawl so I have to uninstall them after every use, and then reinstall them when I want to buy something.”
Anyone in South Korea who has tried to make a financial transaction online knows Kwon’s pain. Even as the $9.8 billion ecommerce industryhas reached fever pitch in a country with world-topping internet speeds and mobile penetration, somehow, in 2016, consumers still endure a labyrinth of archaic financial security software.
South Korea’s online banking infrastructure is a mutation of its own. If a user wants to buy socks, wire money or pay the gas bill, they must pull out a slew of identity checks, from a simple username and password to online digital certificates, unique number cards and one-time password devices that spit out a six-digit code for a few seconds. There might even be a text message or phone call confirmation involved, and all this can only be done after downloading a mountain of cybersecurity programs — limited to your designated device — that some experts say do more harm than good.
The icing on the cake: Desktop users can only use PCs running Internet Explorer, the predecessor to Microsoft’s Edge browser that has been cornered into its dying holdout markets, including Korea, Japan and Greenland.
Wait, but why?
This enduring, anachronistic infrastructure is the decades-old remnant of South Korea’s proud spearheading into online banking’s unknown. With a drive to transfer payments online before the secure internet protocol https was even developed, the first mover had to create innovations of its own.
Enter ActiveX — a software framework that was cutting edge in 1996 and became Korea’s lasting weapon of choice. But it has devolved into a technology whose security is so flawed that Microsoft’s proudest achievement in its new Edge browser was its removal, notes Aviram Jenik, a cybersecurity expert at Beyond Security.
“Due to the way ActiveX runs, it’s relatively simple for malware to exploit any weaknesses in the ActiveX without a way for the user to protect against those flaws,” Jenik says. “It’s ridiculous that banks use technology that is already obsolete.”
As the web became more complex and online financial transactions picked up popularity, hackers began to work their way into the banking industry, creating phishing scams and cyberattacks. Korean cybersecurity developers reacted by building new defenses but kept the old ones, leading to an ever-growing pile of software to download — to this day, all faithfully built on ActiveX.
“Whenever there is a new hacking incident, it uncovers various vulnerabilities and a new security solution system is adopted each time,” says Yongjin Cho, chief technology officer of cybersecurity startup My Device.
But complexity doesn’t necessarily make it more secure, says Ryan MacArthur, CEO of cybersecurity startup Traversal Networks. As he explains, the system is like having nine doors to the same room — hacking into one compromises the whole system.
“So if an attacker is interested in your information or access to your computer, he just needs to find one mistake in any of those applications that your bank makes you run, and potentially can use that to break into your laptop,” he says.
In this environment, downloading so many programs has become the norm for anxious users, whether or not they know what the programs are. Scammers take advantage of their mentality by creating malicious programs that people mistakenly download, giving hackers a door to compromise the users’ devices, notes Lee.
South Korean and, for example, American banks — along with the regulations over them — have evolved with contrasting mentalities about security. As South Korean cybersecurity became more complex, banks heaped on the programs for consumers to download — thus putting the responsibility on the user and freeing themselves of liability. In contrast, American financial institutions, also geared with different insurance systems, build their security protocol into the back-end, so the user’s interaction — user ID and password, perhaps with a second-step authentication — remains largely the same and accessible from most devices.
“A lot of the solution developments were government-led, so they were less responsive to the latest technologies and, from an IT standpoint, directed the wrong way,” says Cho from My Device. “The existing internet service providers and other security services were less motivated to improve since they were protected by the law.”
A taste for better
But the paradigm finally shifted a few years ago, when shopaholics in Korea began to buy directly from e-commerce giant Amazon. Surprised at how easy it was, they questioned why they were going through so many hoops with their local payment platforms, notes Lee of Viva Republica.
“Even the president said, why can’t we buy things like other countries?” he says. “Koreans really wanted to pay the convenient way and use convenient financial services at that point.”
Thus, government regulators, propelled by a national “creative economy” drive to foster the startup ecosystem, began enthusiastically easing rules to spur innovative ideas, Lee says. Last year, regulators finally did away with the requirement for financial institutions to use ActiveX. Soon, credit card companies followed suit.
The move seemed like a victory, yet the benefit is not trickling down to consumers.
Because of the financial industry’s huge infrastructure, even though ActiveX is no longer required, companies still package insecure ActiveX controls into their software so it can interact with other companies’ software that hasn’t changed yet, notes MacArthur.
“Companies are saying they can’t get off of this because they have to support business-to-business interaction, and they’re still supporting these ActiveX controls,” he says. “There’s a huge amount of money that went into building and maintaining that kind of system. They can’t really get off of it.”
Lee mentions that because financial industry is so protected from global competitors, big institutions don’t have a fire under them to innovate. And Koreans are increasingly less secure as even Microsoft is trying to stop supporting the fragile Internet Explorer, but Korean software can’t cope with any other browser.
“If they want to regulate and ultimately get rid of ActiveX, they really need to come up with another strong system to replace it,” says Sung Cho of cybersecurity startup SEWorks. “It makes sense to start a movement to get away from it, but because there is no other substitution and people in the market are so used to using it already … they just go back to using it again.”
But now Koreans have a taste for something better. While big banks sit back on traditional software, fintech startups like Lee’s Viva Republica are coming in like quiet killers. They are agile and mobile-first. They are helping people to remit cheaper, lend to each other and pay faster. Korea’s350-plus fintech startups have received more than $230 million from government and $200 million in private investments, and form one of the local startup scene’s fastest-growing sectors.
“There’s protection for banks, so there’s no reason to innovate,” Lee says. “They don’t see mobile yet. They don’t think fintech will be a big threat.”
First appeared at Forbes