The Banking Scandal

R. B. Laughlin
Korea Advanced Institute for Science and Technology
373 Guseong-dong, Yuseong-gu, Daejeon 305-711, Republic of Korea

Chosun Ilbo, January 27, 2006

While Koreans are wringing their hands over their cloning scandal they are overlooking a vastly more important science and technology problem here, namely the problem of banks.

Banks operate in the private sector where key facts are hidden from view, so I cannot make any accusations other than pointing out what does and does not work. However, it is my experience that problems of this nature typically arise when businesses refuse to pay software licensing fees. These fees can be quite large, and companies often conclude that the cost is not justified for such a simple thing. Then they take matters into their own hands, with disastrous consequences. The problem can also result from sheer technical incompetence, but it usually doesn't.

I signed up for internet banking in the US with a phone call. They assigned me a user name and password over the phone, and I then used these two pieces of information to access my account through an encrypted (https) internet site. That was it.

Please come with me now into the branch office of my Korean bank to get internet banking. You will not forget the experience. After taking a number and waiting, I'm called by a clerk, who asks me to fill out a form that includes two secret passwords. She also gives me a little card with secret codes assigned to numbers. She then sends me to a nearby computer terminal, into which she has inserted a fresh floppy disc. She sits me down at the terminal and directs me to an internet site. The English side of this site doesn't work, and the Korean side has wrong instructions, but I nonetheless figure out what the Korean side of the site meant to say but didn't---after some time. I type the two passwords into appropriate boxes, some personal information into other boxes, and press "Enter". Oh no! An incomprehensible message pops up: "Error Number 4396895944" or something. So I go back and retype everything. The same message appears! Evidently I have not made a typing error but instead have misunderstood the format required. I go back and retype a third time, changing one of the entries experimentally. No luck! I then retype with another change. No luck! Change. No luck! Change. No luck! After about thirty minutes of retyping the same information over and over, I hit on the solution at last: the password must contain at least one number! I didn't know this because I filled out the password on the sheet of our application in letters only, and nobody objected. The computer then asks me for one of the secret code numbers on the card. The floppy drive hums into action and writes something. Hurrah! The computer says I'm done.

What has happened technically is fairly obvious. The bank needed to give me encryption keys, but didn't want to send them over the internet by public-key cryptography for some reason. (Didn't pay patent licensing fees, perhaps?) So it gave me the keys on a floppy disc instead. But that created the further problem that people might steal my floppy and get access to my bank account. The bank addressed this problem by encrypting everything on my disc a second time using a second password and secret codes. Thus the floppy I took home was an electronic version of a Russian Matryoshka doll, secrets within secrets.

Now it's time to get the secrets out. I want to rest from my labors, but there is no time for complacency. I resolve to keep focused. I take the floppy disc immediately to the computer in my office, insert it into the drive, point my browser at the bank's web site, and log in. A box pops up asking "Download this .exe file?" Oh no! I close my eyes and shake my head. There is no point in continuing. My computer runs Linux, not Windows, and thus does not know what ".exe" files are. I click the browser away.

The only reason my bank can get away with such dismal service is that its market is protected. If it had to compete, it would have to offer painless internet banking or lose customers. Thus Koreans have only their own lawmakers to blame for this terrible state of affairs.

The moral of this story is not that I hate Korean banks (I don't) but that science and technology don't make value by themselves. Organizations investing in technology but not in proper planning and use of that technology are just wasting their money and making trouble for the rest of us.

If Korea is serious about becoming a Science and Technology Society, I suggest it start by reforming its banks.

[Copyright 2006 R. B. Laughlin. The author grants permission to copy, distribute, display, and perform this work in unaltered form, with attribution to the author, for noncommercial purposes only. All other rights, including commercial rights, are reserved to the author.]