(Top row, left to right) Professor Yongdae Kim from Korea Advanced Institute of Science and Technology (KAIST), Professor Insu Yoon from KAIST, Professor Hyungsik Kim from Sungkyunkwan University, Professor Seungjoo Kim from Korea University, (Bottom row, left to right) Researcher Taesik Yoon, Researcher Yonghwa Lee, Researcher Suhwan Jeong./Courtesy of KAIST

Korea is the only country that mandates the installation of financial security software. New research shows, however, that this software can itself become a target for attackers. Rather than forcing users to install complex and risky security programs, it is safer to rely on the web standards and security models that websites and browsers already provide.

A research team led by Professors Kim Yong-dae and Yoon In-soo from the Korea Advanced Institute of Science and Technology (KAIST), together with Professor Kim Seung-joo from Korea University, Professor Kim Hyung-sik from Sungkyunkwan University, and researchers from the security company Theori, announced on the 2nd that they had systematically analyzed the structural vulnerabilities of Korea's financial security software.

The research team set out to explain why Korea's security software is a primary target for North Korean cyberattacks. An analysis of seven major security programs (Korea Security Applications, KSA) used by major domestic financial institutions and public organizations found 19 severe vulnerabilities in total. They fall into the classes of keyboard input hijacking, man-in-the-middle (MITM) attacks, certificate leaks, remote code execution (RCE), and user identification and tracking.

Some vulnerabilities were patched as a result of the research team's reports, but the fundamental design vulnerabilities that permeate the entire security ecosystem remain unresolved. The researchers emphasized, 'Although such security software should be a tool for user safety, it can instead be misused as an avenue for attacks,' noting that a fundamental paradigm shift in security is necessary.

The researchers pointed out that domestic financial security software is designed to bypass the security structure of web browsers in order to perform sensitive system functions. Browsers are built to stop external websites from reaching sensitive resources such as local system files. The KSA circumvents those restrictions through external channels: loopback communication (a helper process on the user's PC that listens on localhost and is contacted by the web page), launching external programs, and non-standard application programming interfaces (APIs). These channels exist to maintain the so-called 'security trinity' of keyboard security, a personal firewall, and certificate storage.

Keylogger video./Courtesy of KAIST

Until 2015 this approach was implemented with ActiveX plugins. When ActiveX support was discontinued because of its security vulnerabilities and technical limitations, fundamental improvements were expected. In practice, however, it was replaced with a similar structure built on separately installed executables (.exe), and the existing problems were repeated. As a result, the security risk of bypassing browser security boundaries and directly accessing sensitive information has persisted.

This design also directly contradicts modern web security mechanisms: the Same-Origin Policy (SOP), one of the core concepts of web security, which prevents a page from one origin from reading data belonging to another; the sandbox, which confines what code running in the browser can do on the system; and privilege separation, which keeps each component running with only the rights it needs. The researchers confirmed that this structure can indeed be exploited as a new attack vector.

In an online survey of 400 participants nationwide conducted by the research team, 97.4% reported having installed a KSA for financial services, while 59.3% said they 'do not know what the program does.' An analysis of 48 actual user PCs found an average of nine KSAs installed per machine, many of them versions released before 2022 and some as old as 2019.

Professor Kim Yong-dae noted, 'Now is the time to shift away from the forced installation of non-standard security software and move toward following web standards and browser security models,' adding, 'Otherwise, the KSA is likely to remain at the center of national security threats in the future.'

This research was accepted into 'USENIX Security 2025,' one of the world's leading security conferences.

References

LINK: https://syssec.kaist.ac.kr/pub/2025/Too_Much_Good.pdf