A simple user authentication method that relied only on ID and password is pointed out as the root cause of the accident while the pin numbers of mobile gift certificates purchased by Gmarket customers were stolen en masse. As many platforms with a large number of customers maintain authentication methods that are vulnerable to hacking attacks such as stealing personal information, there are concerns about additional damage.
After the Gmarket incident, concerns about security incidents regarding ID/password single user authentication are growing.
Like Gmarket, most e-commerce and corporate websites such as Auction, Coupang, and SSG.COM can authenticate users by simply entering their ID and password. In that the Gmarket accident was caused by ‘credential stuffing’, which attempts to log in by randomly assigning a password based on leaked user personal information, it means that it is defenselessly exposed to the same attack.
Although each platform detects and blocks brute force such as credential stuffing, it is difficult to defend against hackers as it is possible to authenticate with only one or two attempts if the account information identified in advance is correct.
The hacking of Gmarket was carried out by stealing the mobile gift certificate number purchased by the customer after authenticating the user through credential stuffing. Some e-commerce companies have taken follow-up measures such as introducing separate authentication when reading mobile gift certificates after the Gmarket incident, but many have left the user authentication system as the first gateway.
Even if user authentication is performed due to account hijacking, a significant amount of damage can be prevented by introducing additional authentication such as a password for payment. However, leakage of personal information such as purchase history cannot be prevented. Experts say that hackers are launching sophisticated customized attacks using a variety of personal information, so having personal information stolen is a big threat.
“User authentication is the first gateway to security, and it is no exaggeration to say that all attacks begin with authentication,” said a security company official.
Damage caused by account hijacking is continuously being discovered. Previously, Interpark announced personal information leakage through credential stuffing, and LG U+ suffered an accident in which the rate plan information of some members was changed due to the same attack. In the ‘Happy Point’ app operated by SPC Group Sectanine, an accident occurred in which customers’ points disappeared due to account theft.
As an alternative to ID/password authentication, ‘passwordless’ authentication using biometric authentication is being discussed, but the introduction is not speeding up. This is the background of growing voices that operators of a certain size or larger should be encouraged to strengthen user authentication.
An account security expert said, “In order to switch to two-factor authentication and passwordless, text messages (SMS) and biometrics must be introduced, but it costs more compared to ID and password authentication.” Investing is not easy,” he explained.
“It has been pointed out for a long time that accounts cannot be protected only with passwords, and I agree to some extent,” said Kim Jeong-sam, director of information security network policy at the Ministry of Science and ICT. will do,” he said.