Why Are South Korea’s Digital Certificates a Hurdle for Overseas Online Shopping?

In this blog post, we take a detailed look at why South Korea’s digital certificate system makes it difficult for overseas consumers to make payments and the resulting limitations on e-commerce.


“Recently, many Chinese viewers who watched Korean dramas reportedly visited Korean online stores to buy clothing and fashion accessories, but ultimately failed to make a purchase due to the requirement for a digital certificate. This digital certificate, required only in Korea, is becoming a major obstacle to domestic online stores expanding into overseas markets.”

The controversy surrounding digital certificates is nothing new. The barrier posed by digital certificates during credit card payments is significantly higher than in other countries, effectively blocking payments not only from the 1.5 million foreigners residing in Korea but also from overseas shoppers. Introduced in 1999, the digital certificate has served as a digital ID and digital seal for over 24 years. However, it not only fails to align with the current emphasis on global standards but has also been criticized by various civic groups for years as an unreasonable regulation, particularly because of frequent personal data breaches. Let’s examine what a digital certificate is, what specific problems it poses, and how it needs to change.
Simply put, a public certificate is akin to an electronic seal. Korea has a unique system called “seal registration,” where a seal is officially registered through government agencies to certify that “this seal is one I have authorized.” The public certificate is an application of this seal registration system directly to the internet. In other words, it is a technology that certifies a transaction approved by a user using a public certificate online, stating, “This transaction was conducted by me.” South Korea is one of the world’s leading countries requiring the mandatory use of digital certificates. The Electronic Financial Supervision Regulations (Article 4 of the Enforcement Rules) explicitly state that digital certificates must be used for payments of 300,000 won or more. The Financial Services Commission can issue a business suspension order of up to six months to financial companies or electronic financial service providers that fail to comply with the regulations on digital certificate usage. Why has the law mandated the use of digital certificates, which cause so many problems and increase user inconvenience?
As recently as the early 1990s, web browsers lacked the strong encryption capabilities they have today. SSL, a technology devised by Netscape, was hailed as the standard for encrypted transmission, but U.S. government policies kept its encryption strength too low to implement internet banking. In a web environment with such weak encryption, data in transit for internet banking or e-commerce could easily be intercepted by hackers. The government’s answer to this situation was the public certificate: a technology devised to make internet banking and e-commerce possible at all in the poor internet environment of those early days.
While one might accept this as a necessary compromise when browser encryption capabilities were lacking in the early days, the sole reason the public certificate—which caused so much inconvenience—has survived to this day is that it was the security standard mandated by the government. This government policy has not only held back South Korea’s security technology for the past decade or so and blocked many excellent internet companies from entering the global market, but it is also seriously threatening the overall safety of electronic financial transactions. While advanced security technologies continue to evolve, Korea remains shackled by regulations from 15 years ago. The cryptography policy guidelines established by security experts from OECD member countries explicitly state: “The development and provision of cryptographic methods should be determined by the market in an open and competitive environment. Only then can we keep pace with the speed of technological change and respond in a timely manner to user demand and the evolution of attack methods targeting information and communications network security.” Amid this reality, the Korea Internet & Security Agency, the Financial Services Commission, and certified certificate providers have insisted on the use of certified digital certificates, touting their various institutional and technical advantages. Let’s examine one by one whether the advantages of public certificates claimed by these entities are indeed true.
The government argues that, unlike foreign banks where real-time transfers are not possible, Korea requires a strong security measure like public certificates because real-time transfers are available here. Anyone who has made a real-time transfer via the internet or a mobile phone has personally experienced just how convenient this system is. You can transfer funds from your desk—or even while riding the subway—without having to go to a distant bank or ATM. So, is this real-time transfer really made possible by the public certificate? To put it simply, no. The reason foreign banks do not offer real-time account transfer services is straightforward: services like PayPal and Google Wallet are already so well-established and popular that there is no need for them to launch such a service. In fact, Google Wallet offers a service that allows you to send money as easily as sending an email to a friend. While technology and services have evolved in this way, Korea has remained tied to outdated digital certificate technology.
The Korea Internet & Security Agency claims that there is no technology as secure as digital certificates. However, the digital certificate system is simply a combination of a certificate file and a password. According to the “Electronic Authentication Guideline (SP800-63-1)” published by the U.S. National Institute of Standards and Technology (NIST), certificates stored as files and used via software—such as public certificates—are rated only Level 3, while OTP generators with a lock mechanism are evaluated as Level 4 authentication technology, which is superior. In reality, public certificates have a structure that is highly vulnerable to copying. Anyone who has tried copying a certificate file to a USB drive or a smartphone would have had to go through a somewhat complicated process. When transferring to a USB drive, you must enter a password, and when transferring to a smartphone, you must go through a cumbersome process such as accessing the bank’s website to receive authentication. But would you believe it if there were a method that didn’t require any of these steps? In reality, the method for copying a public certificate is unbelievably simple. All public certificates are stored in C:\Program Files\NPKI. Simply copy this file and paste it into the internal folder of the USB drive or smartphone where you want to move the certificate, and you can use it immediately. This simple task was made into a cumbersome procedure—requiring the installation of various keyboard security programs and the entry of authentication codes, resident registration numbers, and passwords—simply to make the public believe that the public certificate system is secure.
The situation with the security programs that had to be installed to use public certificates is not much different. In fact, if you’ve ever made an online bank transfer, you’ve likely seen numerous security programs running. These programs stop working the moment you leave the financial institution’s website. Malware created by hackers isn’t as simple as we might think, so relying solely on keyboard security while entering a password doesn’t guarantee safety. In other words, if a computer is infected with malware, there’s a risk that passwords will be leaked regardless of whether these security programs are running. But the problem doesn’t end there. With a digital certificate, anyone who knows a user’s security card number, account number, and account password can have the certificate reissued online. Since the person reissuing the certificate sets the new password, there’s no need to know the old one. A significant portion of the voice phishing scams that have been rampant recently are aimed at extracting the information needed to reissue digital certificates from users.
So why do we continue to use these problematic digital certificates? Government agencies enforce their use, claiming there is no suitable alternative and that discontinuing them would cause confusion. The solution is simpler than one might think: we need to move away from the notion that the government must provide a technical solution. The massive data breaches occurring almost daily lately prove that the government’s flawed security policies have lowered South Korea’s security standards. Security technologies that are already being used reliably worldwide exist, and the industry must be given the autonomy to choose those technologies on its own. In return, the government must oversee the industry to ensure it provides thorough compensation in accordance with the law for any incidents that occur as a result. With such oversight, the financial industry will naturally invest in security technologies on its own, and consumers will no longer have to endure the inconveniences they face today.
This is not a call to abolish digital certificates. The financial industry, which finds the cost of adopting new security technologies burdensome, can continue to use digital certificates as they do now, maintaining and updating them on their own. However, there is absolutely no reason to force digital certificates on companies that do not wish to use them. If diverse security technologies coexist in this way, consumers will be able to choose the bank they find most convenient. It is now time for the government to move beyond outdated thinking and grant the industry freedom regarding security technologies. We look forward to the commercialization of security technologies befitting the image of a “leading IT nation.”


About the author

Tra My

I’m a pretty simple person, but I love savoring life’s little pleasures. I enjoy taking care of myself so I can always feel confident and look my best in my own way. I’m passionate about traveling, exploring new places, and capturing memorable moments. And of course, I can’t resist delicious food—eating is a serious pleasure of mine.