Online break-in at Cyworld, Nate prompts ‘real action’ to keep websites secure
The first thing Choi Hyun-hee did on Monday morning was change the passwords of the accounts she held at Kookmin Bank, Naver and Gmarket.
She searched her memory several more times, came up with a list of other commercial or email accounts she had frequently used in the past, and changed those as well.
An office at the headquarters of SK Communications. (Chung Hee-cho/ The Korea Herald)
The entire process took only about 10 minutes, but Choi said she had spent about half an hour beforehand to come up with the passwords, since she needed something that was easy to remember, yet difficult to decode.
“I considered taking pictures of the new passwords with my phone, but then decided against it because I was concerned about security, so I ended up trying to think up a brand new sequence that will now take me ages to memorize,” the 32-year-old said.
Choi complained of the unnecessary hassle ― not to mention an overall sense of unease because her Cyworld account had been hacked.
“I don’t really even log onto Cyworld anymore, which is what makes me even angrier since I am being inconvenienced by an account I rarely use,” she added.
Cyworld and Nate, both operated by SK Communications Co., were hacked last week, with hackers getting access to up to 35 million users, according to SK.
The prosecution is investigating the case, which means nobody will say anything definite as of yet, but the incident highlighted that Korea is as vulnerable to online crime as it is wired.
So far, users have yet to file formal claims of phishing or other fraud schemes in connection with the hacking at Cyworld, but the possibility still lurks.
Further, the Cyworld hacking fiasco fanned public criticism, as the incident follows a string of hacking attacks this year at high-profile financial institutions, including Nonghyup.
Too much information
What made Cyworld so vulnerable to the hacking, and what it did wrong, are questions the prosecutors will have to answer, but for the time being, users are more interested in how to protect their personal information.
The root of the problem is that there is simply too much personal information floating around on the Internet.
This is because many websites, including Cyworld, demand a load of information including social identification numbers, which individuals use to identify themselves.
Impostors with access to this number would be able to pose as someone else to dip into that person's bank accounts or cause other damage.
“We’re hoping to address this issue by having more users, meaning both website operators and those on the consumer side, opt for I-PIN methods when they create accounts,” said Ahn Jung-eun, a spokesperson for the state-run Korea Internet Security Agency.
I-PIN is short for Internet Personal Identification Number and is used to identify users without requiring them to expose their social security numbers.
Slap-on-the-wrist penalties
Companies and users usually request or give out social security numbers, Ahn pointed out, because that’s easier than going through the I-PIN process, but more website operators are accepting the idea, she said.
Another reason why online hacking schemes are still rampant ― and at such high-profile companies ― is the light penalties, industry watchers argued.
“Look at the previous case at Nonghyup, which despite having put millions at risk because it allowed itself to get into the hands of hackers, did not face any real punishment,” said one source who declined to be identified.
Nonghyup, the biggest financial network in the country, was hacked into in April this year, but the prosecution wrapped up the case by naming North Korea as the culprit.
Nonghyup is currently waiting for audit results from the Financial Supervisory Service, which are expected to be out this month.
Not only is it hard to detect and prove the weak links that caused the crimes, but companies can also get around the law if the mass hacking did not result in the actual theft of information.
The current law states that if a company is responsible for leaking personal information, it may be slapped with up to 100 million won in fines and up to two years of jail time.
Cyworld and Nate users are now talking of a class action suit, but if the past is anything to go by, their chances of winning are slim.
In 2008, when Auction was hacked into, more than 140,000 users signed up to file a suit, but the lawyers walked away with money.
Users of Nonghyup and Hyundai Capital who filed class action suits suffered similar fates.
By Kim Ji-hyun (jemmie@heraldcorp.com)