Establishing Digital Trust: Don't Sacrifice Security for Convenience
The Korea JoongAng Daily reports that South Korean authorities last week arrested 16 people in connection with the theft in 2013 of the personal information of 27 million people between the ages of 15 and 65 -- almost three quarters of the population of South Korea.
The thieves leveraged the data to steal hundreds of millions of won worth of online gaming currency, and to conduct fraudulent transactions worth billions of won.
One of the 16 arrested, a 24-year-old man with the surname Kim, allegedly received 220 million personal information items, including 27 million names, resident registration numbers, account names and passwords, from a Chinese hacker he met online in 2011.
Kim is suspected of using the account names and passwords to steal online gaming currency, then selling the stolen currency for a profit. He allegedly earned about 400 million won (almost $400,000) from six major gaming sites, and gave 130 million won (approximately $128,000) of those funds to the Chinese hacker who had provided him with the data.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Kim also allegedly sold some of the personal information provided to him by the Chinese hacker to others, at rates of between 10 and 300 won ($0.01 to $0.30) per item. Purchasers included mortgage fraud perpetrators and illegal gambling advertisers, whose actions using the stolen data caused damages totaling 2 billion won (almost $200,000).
Seven other suspects are currently being sought, including the Chinese hacker who provided Kim with the stolen personal information.
Adam Kujawa, head of malware intelligence at Malwarebytes, noted by email that two-factor authentication could have prevented much of the damage in this case. "Many online games involve the user synchronizing an app on their phone, like Okta Verify or Google Authenticator, with their account; then, when the user logs in, they not only have to provide their personal credentials but also a one-time key provided by the app ... Without that correct value, the attacker or application acting for the attacker would never gain access to the stolen account," he said.
There's been a series of massive data breaches recently in South Korea -- in January 2014, an IT employee of the Korea Credit Bureau was charged with stealing at least 20 million credit card users' personal information; in February 2014, three people were charged with stealing 17 million people's personal information from 225 websites; and in March 2014, two people were arrested for allegedly stealing 12 million customers' personal information from South Korean mobile carrier KT Corp.
RedSeal Networks executive Steve Hultquist said by email that these breaches demonstrate how challenging it is to protect such an active base of users. "This announcement of yet another major breach [affecting] a huge percentage of the South Korean populace demonstrates both the widespread use of the Internet by virtually an entire population and the impact of accessible vulnerabilities on providers of online services to that population," he said. "In other words, almost everyone uses the Internet and is then vulnerable to an attack they can't prevent."
Only the service providers, Hultquist said, can prevent these types of breaches. "And that prevention requires being able to get your head around an extremely complex system of networks and servers to understand what is possible, what has happened, and how to prevent anything that could cause a breach," he said.