In terms of e-authentication, ROK has introduced policies, including certifications, i-PIN/my-PIN, and OTP, which require the government to certify e-authentication or to enforce other specific measures. As the government of ROK ensured the credibility of e-authentication, ROK’s e-authentication policy, in particular, is considered to have played an important role in expanding e-commerce in the early 2000s. However, the Korean government obligated the use of specific technologies such as PKI and OTP in the e-authentication policy, which generated various problems.
In March 2015, the highly controversial system that forced the use of e-authentication in electronic finance was abolished with the FSS’ complete elimination of the mandatory certification from the Electronic Financial Supervision Regulation, revised on March 18, 2015. E-authentication, which was introduced with the enactment of the Digital Signature Act in July 1999, was instituted rapidly in the early 2000s with the establishment of the accredited certification system and introduction of a decree that made the use of accredited digital certificates for electronic financial transactions mandatory. In January 2003, six certification authorities agreed to integrate all electronic signatures under one single authentication system. In September 2002 and March 2003, e-authentication was applied to Internet banking and online stock exchanges, accelerating the spread of e-authentication. Currently, e-authentication is widely used in domestic Internet banking, e-commerce transactions, government procurement, e-bidding, online securities trading, and electronic trade and customs clearance.
The reason the FSS abolished the regulation requiring the use of e-authentication for electronic financial transactions was the intense criticism of the policy resulting from the protracted controversy over the convenience and safety of e-authentication over the previous 10 years. During that time, e-authentication technology relied heavily on ActiveX, which is highly vulnerable to security risks and widely believed to be hindering efforts to increase the compatibility of Web browsers. The ActiveX software is stored in a specific folder on users’ hard disks, making it highly vulnerable to hacking and cyber-attacks. Although e-authentication technology is not based on ActiveX, most domestic financial institutions use ActiveX to provide e-authentication services. Once ActiveX is installed on a user’s PC, it can run on arbitrary websites, allowing others to access the user’s system resources without any security restrictions. Although KISA has not made any official announcements on this issue, the number of authorized certificate outflows increased from 8 in 2012 to 8,710 in 2013, and further to 41,733 in 2014. The total number of outflows from January to July of 2015 was 20,359. ##MORE_LAYER_BOX##
[The Leak in E-Authentication Certificates]
The FSS acknowledged the inconvenience of the certificate but insisted on its use, arguing that there was no reasonable alternative. It claimed that, although the other authentication schemes that had been suggested as alternatives to public certificates offered security measures, such as confidentiality, integrity, and authentication, they were ineffective at preventing non-repudiation. However, some have questioned the strength of the anti-repudiation function of the current system. In other words, if certificates are never lost, the anti-repudiation function of the system is said to be strong, but if certificates are leaked or lost through cyber-attacks such as hacking or pharming, then the function is said to be weak, giving rise to problems. Although KISA does not collect such statistics, according to websites on the issue of pharming, the number of pharming victims has been increasing annually, from 7,018 cases in 2012 to 14,135 cases in 2013, 18,326 cases in 2014, and 9,586 cases as of July 2015. Like a seal, an official certificate is a powerful means of identifying a person, for which consumers bear the responsibility of custody. A public Chapter 3. Electronic Authentication Policy in the ROK • 077 certificate, therefore, provides strong security for a service provider, such as a financial company or e-commerce company. However, as the consumer is responsible for the custody of the certificate, there is still a risk of the certificate being hacked or lost due to consumer negligence. ##MORE_LAYER_BOX##
[The Number of Incidences in Pharming]
The effectiveness of the i-PIN and My-PIN systems is also questionable. The problem is the inconveniences caused by the complex authentication procedures involved in the issuance of i-PIN and My-PIN numbers. i-PIN has been largely neglected by users due to its complicated authentication procedure, and the penetration rate of My-PIN is quite low. In order to receive a My-PIN number, users must first acquire an i-PIN number and go through the difficult process of installing additional software in order to verify their identity. As a result, i-PIN and My-PIN are not frequently used. The penetration rate of public i-PIN decreased consistently from just before 2011 to May 2015. As smartphonebased verification processes are capable of replacing i-PIN and other more convenient verification technologies exist as well, the penetration rates of i-PIN and My-PIN are expected to continue falling.
The side effects of the obligated use of specific technologies were the following: first, the disincentives to invest in new technologies that prohibit the inventions of new technologies; second, the transfer of responsibilities to the consumers on issues that arise during e-commerce transactions; third, the security problems in the case of e-authentication as the Internet environment as a whole heavily relies on ActiveX technology. The biggest problem with ROK's e-authentication policy is the obligated use of specific technologies, which hinders the invention of new technologies and the growth of the industry as a whole. As a consequence, developing countries should maintain technology neutrality and dynamic private sector as the foundation of e-authentication policy even when the government intervention is necessary to establish trust between early consumers and sellers. In addition, they should take customer convenience into consideration as the failure cases of i-PIN and my-PIN demonstrate.