It was confirmed that every public office’s unmanned kiosks and more than 3,000 civil kiosks at subway stations can be hacked just by using a fingerprint that is attached on the back of an ID card, a Smartphone, and clay. In midst of this, government departments such as Ministry of the Interior and Safety are putting their hands off on improving and managing ID card system.
Reporters from The Electronic Times and a biometrics research institute under Real iDentity (CEO Lee Seom-kyu), which specializes in biometrics authentication, took pictures of fingerprints that are attached on the back of ID cards, altered them, and used them at unmanned kiosks located at Dong offices and subway stations and found out that it was possible to hack most of these kiosks.
Although there were incidences when fingerprints were copied using 3D printers and others, it was not heard whether it is possible to abuse fingerprints that are attached on back of plastic ID cards. This is the first relevant test that was done in South Korea.
It was very simple to alter fingerprints. First, fingerprint shape is made by taking a picture of fingerprint that is located on the back of ID cards with a Smartphone. A copy of fingerprint is then made using various scan programs from a PC. This fingerprint shape is then stamped on clay which can be used to obtain various documents from unmanned kiosks. Just from two to three tries, it was possible to obtain various certificates such as copies of resident registration and documents that can send and receive money. It is possible to abuse not only civil documents but also many financial services when one loses an ID card.
In January, there were 3,655 unmanned kiosks in South Korea. By using above method, another person can steal one’s authentication certificate of one’s seal and sensitive documents related to real estate by altering his or her fingerprint.
There are also possibilities of abuse by registering as a second author through a lost ID card and a lost phone. Although this method requires two-factor authentication, one can even abuse financial services by using hacking tools. This method can turn into a way of extorting money and online shopping. Besides this, one can extort and forge real estate certificates and even receive ID cards for ID laundering. Right thumb is mostly used for authentication at various financial organizations. Fingerprint that is used the most is exposed just as it is through an ID card.
According to an office of Lee Jae-jung, who is a member of Democratic Party of Korea and is part of The National Assembly’s Public Administration and Security Committee, there were 9.26 million cases of ID card loss in the past 5 years. On the other hand, there were about 350,000 cases of reports of acquisition.
There are also possibilities of abusing others’ fingerprints that are written on lost ID cards within security and financial industries. However, they are not even thinking about converting ID system to electronic ID card system due to opposition from civil groups regarding collection of biometric information and spending of enormous amount of money.
Actually, South Korea is the only country that is copying and exposing fingerprints through ID cards. Even developing countries such as Nigeria, Malaysia, and Pakistan are issuing electronic ID cards. They store biometric information into IC (Integrated Circuit) chips and do not expose one’s biometric information.
“Fact that fingerprints on back of ID cards can be forged indicates that information of every South Korean citizen can be abused.” said Professor Lee Ki-hyuk (Chairman of Korea FIDO Industry Forum) of Chung-Ang University. “Although financial industries are operating biometric information distributed management systems, there are high chances of secondary accidents since fingerprints themselves are exposed.”
“We need to convert our ID card system into electronic ID card system.” said Professor Lee. “We need to create a system where biometric information is stored inside of IC chips so that fingerprints cannot be forged even when ID cards are lost.”
“Although FIDO (Fast Identity Online) 2.0 generation has arrived, we still lack efforts to manage fingerprints and to enhance weak spots of security.” said Vice-Chairman Choi Woon-ho of The Korean Association for Policy Studies. “Just like other countries, we must create a comprehensive electronic ID card system that integrates every ID card into single card.”
Staff Reporter Gil, Jaeshik | osolgil@etnews.com & Staff Reporter Jung, Youngil | jung01@etnews.com