TouchEn nxKey: A keylogging anti-keylogger solution (palant.info)
196 points by curling_grad on Jan 9, 2023 | 52 comments


> The real number of users is likely considerably higher, the software being installed on pretty much any computer in South Korea.

This is a bit of an exaggeration. Plenty of young people hate this stuff enough that they do all of their banking through their phone, and if they absolutely must do it on a PC, they either use an old disused laptop, do it at work, do it at an internet cafe (not that those don't bring risks), or make sure to remove the spyware the second they've completed the task at hand.


Disclaimer: I am the author of this article.

I wrote this sentence three months ago. Since then people have already pointed out that mobile banking is being used as an escape hatch. The question is still: how many people do this? Everyone younger than 30? Or only 80% of them? Or only people who are moderately tech-savvy?

Are there any reliable statistics on that?


Not a real statistic, but everyone I know in South Korea uses their phone for personal banking. Especially people who aren't tech-savvy.

At first it might have been because mobile apps were easier to use than the crap they had to go through on a PC. Nowadays, though, there is no need to compare because mobile is the default choice anyway. Younger people don't even bother trying it on a PC. Older people, on the other hand, skipped the PC era altogether and went straight to smartphones. I don't think my mother has ever done any banking on a PC, but she has a bank app on her phone.


Yes, statistically speaking “everyone I know” is unfortunately not a good sample. :-)


This is also used by some payment processors (probably belongs to banks).

I can relate, as I was in Korea some months ago and in order to buy some concert tickets the platform required me to install that shitty thing. I ended up not buying the tickets, as it was not possible for me to install anything on my corporate machine.

As you said, my friend pointed out that people don't have it installed on their personal computers but use a third-party one, which brings more insecurity.


> or make sure to remove the spyware the second they've completed the task at hand.

Yup. The problem is that that spyware is not cleanly uninstalled and leaves junk on the disk. Some independent developers even created a dedicated tool for removing that "security" software to solve the problem.


Like you're saying, there are tools for that. Google autocompletes "은행 설치" (bank installation) to "은행 설치 프로그램 삭제" (bank installed programs removal), and the very first link is immediately the homepage of the tool you're talking about, so it doesn't require much inside knowledge to use. Of course the majority of people don't bother with this, but quite a lot of people do. Even if many of those do so for non-security reasons, e.g. gamers who are afraid the crapware will slow their computer down.


The first part was discussed on HN a few days ago and provides some background/context:

https://news.ycombinator.com/item?id=34231364


I am very grateful for the modern web. It used to be commonplace to install a bunch of executables that interacted with the browser and took instructions from random websites (Flash, Silverlight, Java applets).

I have my reservations with the browserfication of software (and the restriction of browser extensions), but at the same time it is absolutely for the best that normal users just run sandboxed phone apps and browsers these days. Hopefully South Korea will retire this tool soon.


I will bring this up the next time someone laments about the lack of digitalization compared to other nations.


Honestly (from what I’ve heard), AFAIK the South Korean society itself is much more digitized than other first-world countries. It’s just that… digitalization happened a bit too fast with a bit too much legacy.

One can request a passport and receive it the next day from a machine without ever seeing a real person for more than 5 seconds… if you can tolerate installing these strange anti-keylogger programs.


> One can request a passport and receive it the next day from a machine without ever seeing a real person for more than 5 seconds…

This seems more like properly functioning government than advanced digitalization. I have no idea what takes the US State Department 6 weeks.

In fact, I'd guess the internal processes to issue a single passport are quite fast and that there would be no issue with achieving turnaround less than a week. The issue seems to be that the US Government regards any government function that takes less than a week to be "wasteful" or "overfunded" and reduces resources accordingly. Slowest wheel gets the grease, so to speak. It doesn't pay to be fast -- literally.


Not a great example, since this really is purely a Korean thing not seen elsewhere. AFAIK Brazil had similar issues for a very long time, but they've finally been fixed in the last few years (maybe a Brazil-based user can chime in).


A bit more context for people who don’t live in South Korea (I’m a South Korean):

Everybody knows that the systems are absurd. Most newer systems don’t require the use of such anti-keylogger programs. This is basically a countrywide legacy that we’ve been figuring our way out of for ~30 years.

This started in the 90s, when South Korea got high-speed internet everywhere and people demanded internet banking… when IE didn’t ship 128-bit AES support due to export laws.

The South Korean govt submitted a law to enforce encryption for such services (i.e. a custom algorithm called SEED and 128-bit or higher keys were required), and without IE support, this encryption was developed in ActiveX. (For those who don’t know, it was a COM-based solution to load native code from IE.) Laws and protocols are sticky, and even after IE shipped better encryption, these stayed.

When the anti-keylogger idea was first proposed, it was simple: the anti-keylogger could ship with the encryption support. This was when IE didn’t have a yes/no dialog to ask whether to load native code or not; everything felt easy, and at that point everybody got locked into this legacy mess where nobody could use any browser other than IE.

When IE added confirmation dialogs, banks instructed customers to press yes. When IE deprecated ActiveX, banks didn’t remove their 20-year-old code straight away; people were advised to turn on ActiveX support from the advanced settings (they added step-by-step instructions to help people), and when MS finally ripped out ActiveX, banks just copied their ActiveX components into a separate executable that runs a localhost server. (And that explains the hastily coded JSON support, the never-updated libraries, and so on that the article shows.)

Every time MS tried making running untrusted native code harder, the banks and customers got used to it… until it became acceptable to install 2~3 different executables for each bank, each running a server on a different port.

Thanks to smartphones, newer solutions now develop all of the encryption code in JS, and the legacy now runs in JS without native code. Still legacy, but it’s been much better for the last 5 years.


I wonder if forcing people to use Microsoft Windows for banking is why Linux usage is so low in S. Korea compared to just about anywhere else?

https://gs.statcounter.com/os-market-share/all/south-korea

Multiple orders of magnitude less than most places.

(assuming the numbers in the link are valid)


It is interesting to see a proprietary, very poor and insecure imitation of Nitpicker's xray mode[0].

Note this is written by Norman Feske, who later went on to develop Genode[1], and continues to be its main developer today.

0. http://demo.tudos.org/nitpicker_tutorial.html

1. https://www.genode.org/


Disclaimer: I am the author of this article.

Not really the same thing from what I can tell. Nitpicker is merely about isolating processes from each other, making sure keyboard input is only received by the currently focused process. Windows already does that, and so does Wayland in my understanding.

The goal here seems to be rather stopping applications with sufficient privileges to install a system-wide keylogger. Which Nitpicker likely solves implicitly – by providing an OS that isn’t exactly flexible in what it can do, meaning that security was bought by sacrificing usability.


>making sure keyboard input is only received by the currently focused process.

Yes. This guarantee is of course only possible due to the operating system underneath supporting the whole thing; no capability to the keyboard means no keyboard access.

>by providing an OS that isn’t exactly flexible in what it can do

While this was somewhat true about TUD:OS, note that Genode is very different.

Particularly, Sculpt[0] provides a dynamic scenario for Genode, where programs can be launched and stopped, installed and removed, without giving up the properties that the thorough use of capabilities offers.

Besides offering virtual machines as a way to get around its own limitations, it does currently support sound, accelerated graphics and enough POSIX butter to run a webkit-derived browser without relying on e.g. a Linux VM.

0. https://genode.org/download/sculpt


From the article:

> The current approach is for the websites to use WebSockets API to communicate with the application directly.

Is this really current best practice? I know of a handful of applications that implement webapp to native app communication like this, but it doesn't seem especially stable/portable to me, considering that it usually uses some ephemeral port that applications have no way of globally reserving.

Also, how does HTTPS work in this scenario? Wouldn't there be a self-signed certificate or mixed content warning in many cases?


Disclaimer: I am the author of this article.

All applications I’ve looked into so far were communicating via a local web server. It wasn’t always WebSockets, one would also see JSONP or even submitting data to a frame.

They typically run the server on a fixed port. Port conflicts are rare in practice, so these applications don’t really care. In one case I’ve seen port probing however: if one port fails, websites will try to connect with subsequent ports.

As to best practices: I wouldn’t consider websites communicating with local applications best practice at all, by whatever means. It’s generally something to avoid.


@palant:

Probably just some minor temporary weirdness, but:

> Host palant.info not found: 3(NXDOMAIN)


  $ dig @8.8.8.8 palant.info
  [...]
  palant.info. 1800 IN A 94.130.151.233
  [...]

https to that IP works (after ignoring the stern warnings) so maybe the phenomenon is limited to my ISP in Germany or some of their DNS servers.


I was transferring the domain to a new provider, and the old provider decided to drop the DNS entries before the transfer was completed. Great service. :-/


Ah, good to know! Well, it seems you left a not-so-good place :-)


eval() is banned in Firefox add-ons; that could be a reason why they stopped using it.


Disclaimer: I am the author of this article.

Yes, the default Content Security Policy of add-ons doesn’t allow eval(), and they likely couldn’t figure out how to change it. So it might be that they never even realized the security impact of these changes, which makes it even worse.
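The two comments above turn on one point: an add-on's default CSP blocks eval(), and code that parsed server responses by evaluating them stops working under that policy. As an added example (not code from the article, the add-on, or the thread), the script below puts the risky pattern next to the CSP-compatible one and shows what each does with a constructed response that is a valid JavaScript expression but not valid JSON. The response strings and the demoSideEffect flag are constructed for the demonstration; the assumption that the original code used eval() for its JSON support is mine, not the page's.

```javascript
// Added example: eval()-based "JSON support" versus a real JSON parser, and
// what a strict Content Security Policy does to the former.

// Risky pattern: any JavaScript inside the response runs with the caller's
// privileges. Wrapping in parentheses makes an object literal parse as an
// expression, which is how this was commonly written.
function parseResponseWithEval(text) {
  return eval("(" + text + ")");
}

// CSP-compatible replacement: accepts only JSON grammar, throws on anything else.
function parseResponseSafely(text) {
  return JSON.parse(text);
}

// Emulate a page or add-on running under a CSP without 'unsafe-eval': the
// eval binding is unavailable, so the risky parser fails closed. Browsers
// raise an EvalError in that situation; this stand-in does the same.
function underStrictCsp(fn, text) {
  const original = globalThis.eval;
  globalThis.eval = () => {
    throw new EvalError("call to eval() blocked by Content Security Policy");
  };
  try {
    return { value: fn(text), error: null };
  } catch (e) {
    return { value: undefined, error: e.name };
  } finally {
    globalThis.eval = original;
  }
}

// Constructed sample responses. BENIGN is ordinary JSON. HOSTILE is the same
// shape, but the "balance" field is a JavaScript expression with a side effect.
const BENIGN = '{"status":"ok","balance":1234}';
const HOSTILE = '{"status":"ok","balance":(globalThis.demoSideEffect = "code ran", 0)}';

// Run both parsers over both inputs and report what happened.
function demonstrate() {
  const r = {};

  globalThis.demoSideEffect = "untouched";
  r.evalBenign = parseResponseWithEval(BENIGN).balance;   // 1234
  r.evalHostile = parseResponseWithEval(HOSTILE).balance; // 0, and the side effect fires
  r.sideEffectAfterEval = globalThis.demoSideEffect;       // "code ran"

  globalThis.demoSideEffect = "untouched";
  r.jsonBenign = parseResponseSafely(BENIGN).balance;      // 1234
  try {
    parseResponseSafely(HOSTILE);
    r.jsonHostile = "accepted";
  } catch (e) {
    r.jsonHostile = e.name;                                // "SyntaxError"
  }
  r.sideEffectAfterJson = globalThis.demoSideEffect;       // "untouched"

  // Under a strict CSP the eval path cannot run even on benign input, which
  // is exactly the breakage the thread attributes to the add-on.
  r.evalUnderCsp = underStrictCsp(parseResponseWithEval, BENIGN).error; // "EvalError"
  r.jsonUnderCsp = underStrictCsp(parseResponseSafely, BENIGN).value.balance; // 1234

  return r;
}
```

The point for a reviewer is the asymmetry: JSON.parse rejects the hostile input outright and never touches the side effect, while eval() accepts it and runs it. A CSP without 'unsafe-eval' removes the eval() path entirely, so the correct response to "our add-on broke under the CSP" is to switch the parser, not to relax the policy.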


It's interesting how long they could get away with such horrible practices despite having a neighbor up north that a) won't hesitate to use cybercrime to fund their country b) probably wouldn't mind causing some random disruption even if it can't profit from it.


I'm just surprised they managed to get rid of ActiveX :-P

https://en.wikipedia.org/wiki/Web_compatibility_issues_in_So...


Between this and https://en.wikipedia.org/wiki/Shutdown_law South Korea sounds like a pretty oppressive country to live in.


Yeah it could be a cultural thing though - in our culture this kind of stuff is squarely up to the parents. I remember always BBS'ing from midnight because my daily connection time renewed at midnight :) As long as it didn't affect my school performance it was not a problem for my parents, and it was a handy time because they didn't make personal calls during the night so I didn't tie up the phone line for them. It would have been unthinkable that the government would decide I should be in bed at that time.

Perhaps the culture requires the country to take a stronger role in this, though embedding it into law feels very severe. Even in Europe a lot of this stuff that used to be up to the parents is being taken to central control. More and more countries are proposing laws for a website to verify the user is 18+. I don't like where this is going either. When I was living in Ireland my local provider "Three" routed all my mobile traffic through a super slow child-friendly filtering proxy and I had to ID myself in one of their stores to get past that. People were referring to it as the "porn viewers register" and the people in the store were being weird about it, even though it blocked way more than porn sites (also random UDP connections for example, so most VPNs didn't work) and it made internet access super slow and quirky.

Luckily the other mobile providers didn't have this boneheaded rule so I simply switched to Vodafone.


I kinda wonder to what extent neo-Confucian norms are widespread among Korea's elites, because that might explain quite a bit about its internal politics.


Most Asian countries are pretty authoritarian by nature. Singapore is a prime example: tons of laws, very heavy-handed.


It depends on what you consider oppressive. In terms of international freedom indices, South Korea is about as free as the United States of America (https://freedomhouse.org/countries/freedom-world/scores or https://rsf.org/en/index) or not far from it (https://worldpopulationreview.com/country-rankings/freedom-i...)

Of course this doesn't say much if you don't consider the USA to be a very free country but I'd reckon most of the world still does.


I consider lack of digital freedom quite oppressive, especially given the "software eating the world" trend. The fact that they can even tell the age of a person playing games during night time in the first place sounds quite sketchy to me (I guess I'm supposed to tie my gaming account to my real ID?).


In Korea you do. In part because of multiple things such as a desire to prevent defamation, which is a big deal in Korea because people take their reputation very seriously and bullying is a big problem as a result, having notably led to multiple high-profile suicides. https://en.wikipedia.org/wiki/South_Korean_cyber_defamation_...

The laws on libel and slander are notorious for being very alien to westerners. In particular saying something true but bad about someone isn't typically libel in other countries, but in Korea it is: true or false, you shouldn't speak ill of people.

It's a very different society where very different tradeoffs have been made.


I wonder how SK ranked high despite doing so much internet censorship: https://en.wikipedia.org/wiki/Internet_censorship_in_South_K...


> Of course this doesn't say much if you don't consider the USA to be a very free country

It's not a matter of personal opinion. Many reputable sources place the US in a pretty bad place compared to all other developed countries.


In terms of freedom specifically?


Cool... my score (Freedom House) is 27, same as Kyrgyzstan, so, yayyy.


Different cultural norms. Korea has a strong paternalistic tangent running through. Corporations are paternalistic, governments are paternalistic. As a foreigner you might feel this is simply oppression, because you lack the context so it comes to you as simply oppressive and nothing more.

I'm one of those foreigners who didn't appreciate that my apartment's management office would blast public broadcast messages directly inside my apartment at 8AM to say stuff like "there's a farmer's market in the parking lot today" (like every week). I asked them to stop spamming my household via their PA system for non-emergency stuff and they thought I was an antisocial psychopath.

Then I learned and just disconnected the PA system. They don't mean to invade my privacy, but my privacy boundaries aren't the same as theirs.


Wait, is it typical there to have a PA system in your apartment controlled by your landlord? Can you tell more about this? I'm genuinely interested.


Wasn't controlled by the landlord, but by the management team which is paid by the condo fee. If you own the condo, you pay that fee, if you rent it from a landlord you also pay it. The management team I believe is hired by the residents committee which is elected by the residents. Sort of like an HOA, I guess? There were elections during my stay and we were invited to participate, but I didn't care enough and this was a temporary situation.

This was in a large apartment tower complex in the semi-countryside. Not sure if it's always like that, it's the only apartment I stayed in. In Seoul I've only lived in villas.

Perhaps it's a countryside thing because I've also noticed noisy public speakerphones in the streets blasting PAs about random stuff, but I haven't seen it in Seoul.

Overall though, the local governments do spam your phone with alerts about all sorts of remotely relevant (IMO) things on a daily/hourly basis. I find it annoying but it's just how it is here. Today they were spamming about possible debris from a NASA satellite deorbiting.

Here is a very collectively oriented society. That's my take on it. High trust communities, so much so that things like this are possible: https://mobile.twitter.com/AntoineGrondin/status/16123864859...


It was very interesting to me that South Korea is a high trust society in terms of crime (cash boxes left unattended, bicycles unlocked, people feel safe to walk the streets alone late at night), however it is very tribal and low trust in terms of providing assistance (less help provided to strangers in the streets compared to the US.. I've had to step in multiple times as I noticed that local Koreans were not helping). Maybe it's a big city thing (above experiences were in Seoul).


Apartments in Seoul are mostly similar to your experience in the countryside.


Haha, now I vaguely remember something like that in soviet union’s “rest houses” (was a kid, may mistake it for something else). I think I slept next to a speaker on the wall and wanted to kick it.

It’s very nice of you to respect cultural aspects, but I suspect that at least some koreans also simply disconnect it and accept the risks :)


Like Japan, it's a "one and a half party state"; while there are multiple parties and free elections, in practice one party wins a majority almost all the time and there's very little space for diverse viewpoints.


It's more like a "two party state" though. Take a look at the presidential election results[0]: after Chun Doo-hwan's (전두환) military dictatorship ended, candidates from the conservative and liberal parties were elected, taking turns.

[0] https://en.wikipedia.org/wiki/Presidential_elections_in_Sout...


What is it that causes countries to become like this?


Is two-factor security an alien concept to the South Korean banking system? At least via SMS? But either way, if they're going to make everyone install an application, why not an OTP generator?


Oh, they do have multiple factors. In fact, so much that each factor should be guarded to the maximum extent, which is the crux of actual problems. At least many SK websites now work without anti-keyloggers.


All the people I've met in South Korea want Independence Day from these disasters. They scream every day, including today.


Wow this is such a fail. It tries to fix a security issue but creates a much bigger hole in the entire system.



