Wave of identity thefts forces South Korea to overhaul national ID system

After an avalanche of data breaches, South Korea's national identity card system has been raided so thoroughly by thieves that the government says it might have to issue new ID numbers to every citizen over 17 at a possible cost of billions of dollars.

The admission is an embarrassment for a society that prides itself on its high-tech skills and has some of the fastest Internet access.

The issue came to a head after 20 million people including the president, Park Geun-hye, were victims of a data theft at three credit card companies. Park acknowledged in January change was needed and ordered a study of possible options. A decision is due later this year.

Rebuilding the system and tightening security could take up to a decade, according to Kilnam Chon, a researcher known as the "Father of the Korean Internet" for his pioneering work in online technology in the 1980s.

"The problems have grown to a point where finding a way to completely solve them looks unlikely," said Chon.

Ahn Seong-jin, a Seoul office worker, lost $4,700 in a high-tech crime wave after hackers posing as a friend asked for a loan in a computer message.

Details that included a national ID number stolen from the friend's social media account made the plea look plausible. Five minutes after Ahn sent the money by smartphone, the real friend sent a message warning him someone might be using his name. Ahn called his bank but the money was gone.

"One of my colleagues came to me and said, 'Hey, I got robbed too, and so did Mr. Lee," said Ahn, 37.

ID numbers and personal details of an estimated 80 percent of South Korea's 50 million people have been stolen from banks and other targets since 2004, according to experts.

Those numbers stay with South Koreans for life and, instead of being picked randomly, are based on their age, sex and other details. They are used to confirm identity, get a job or government services and even to buy cigarettes. A thief who gets a number and a name to match can set up phone, email or bank accounts.

The problems stem from South Korea's enthusiasm for the Internet and information technology, which grew faster than security measures.

Hoping to spur technology development, the government rolled out fast Internet access to nearly every home and business. About 85 percent of South Korea's people are online and the country has 40 million smartphones.

But critics say that instead of protecting users, the online identity system mandated by Seoul makes them more vulnerable to theft.

Everyone is tied to identity numbers created by a dictatorship in the 1960s to control the public, with no thought to privacy. The first few digits are the user's birth date, followed by a "1'' for male or "2'' for female and then other details.

"Resident registration numbers' usage across different sectors made them 'master keys' for hackers to open every door and steal whole packages of personal information from unassuming victims," said researcher Geum Chang-ho at the state-run Korea Research Institute for Local Administration. The agency carried out the study of possible new models for personal codes.

"Even if their numbers are leaked, people are unable to change them, so hackers are constantly trying to obtain these numbers and are managing it easily," said Geum.

The government required Web surfers who wanted to deal with banks or shop online to use ActiveX, a Microsoft Corp. product that provides a digital signature.

Critics say the ActiveX signature was no more than a simple password and could easily be duplicated. They said another weakness is that the program runs only on Microsoft's operating system and browser and requires full access to the computer's operating system. Thieves who learned to hack that system could steal from any computer.

In Ahn's case, police said hackers working from an Internet address in China stole his friend's details from one of South Korea's biggest social media sites. They used them to write a plausible message saying his friend, an entrepreneur, needed money in hours to avoid a business crisis. Ahn sent 5 million won ($4,700) without hesitation.

"I have a lot of friends who run their own business and they often run into situations where they need to borrow money quickly," Ahn said.

Police told Ahn there was no way to chase the criminals. He was shown video of a man in a baseball cap withdrawing the money from an automatic teller.

"Everything happened within seven or eight minutes," said Ahn. "The man in the baseball cap probably was waiting near the cash machine with his phone."

At a recent public hearing, officials of the Ministry of Security and Public Administration said possible changes include issuing random numbers as identity codes. That would require approval from lawmakers.

"There is no doubt that we are talking about massive changes," said Kim Ki-su, a director at Seoul's Ministry of Security and Public Administration.

It was Park's late father, then-dictator Park Chung-hee, who ordered identity cards created in 1968 in a security crackdown after he survived an assassination attempt by North Korean commandos.

Records of identity numbers are held by employers, retailers and others, some with little security.

Auction, a consumer-to-consumer e-commerce platform, weathered class-action lawsuits after China-based hackers stole ID numbers and other information of 11 million users in 2008. Nexon, South Korea's largest video game company, lost personal details of 13 million customers in 2011.

Information stolen from the Kookmin Card, Lotte Card and NH Nonghyup Card this year included names, ID and phone numbers, credit card numbers and personal credit ratings.

ID numbers are so easy to obtain that they should be considered "public domain," said Oh Byeong-il, an activist with the group Korean Progressive Network.

Stolen numbers are so plentiful that six men arrested in the city of Muan in August on charges of trading details of some 27 million people told police they were able to get just 1 won (under one-tenth of 1 U.S. cent) for each name and ID number combination.

A new ID system would cost at least 700 billion won (about $650 million) to overhaul government computers and issue cards, according to Kim, the official of the public administration ministry.

Costs to companies such as financial firms to redesign services could reach several trillion won (several billion dollars).

Oh argued that just issuing new numbers won't solve the problem if they still are used universally to verify identities. He said thieves will just steal the new numbers.

"We need different numbers for different social purposes," he said at the government hearing. "And private companies should be restricted from keeping and using the data."