On the Guessability of Resident Registration Numbers in South Korea

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9722)

Abstract

This paper studies a potential risk of using the real name verification systems that are widely used on Korean websites. Upon joining a website, users are required to enter their Resident Registration Number (RRN) to identify themselves. We adapt guessing theory techniques to measure RRN security against a trawling attacker attempting to guess a victim’s RRN using some personal information (such as name, sex, and location) that is publicly available (e.g., on Facebook). We evaluate the feasibility of performing statistical-guessing attacks using a real-world dataset consisting of 2,326 valid name and RRN pairs collected from several Chinese websites such as Baidu. Our results show that about 4,892.5 trials are needed on average to correctly guess an RRN. Compared to the brute-force attack, our statistical-guessing attack, on average, runs about 6.74 times faster.



Acknowledgements

This work was supported in part by the NRF Korea (No. 2014R1A1A1003707), the ITRC (IITP-2015-H8501-15-1008), and the MSIP/IITP (2014-PK10-28). Authors would like to thank all the anonymous reviewers for their valuable feedback.

Corresponding author

Correspondence to Hyoungshick Kim.


© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Song, Y., Kim, H., Huh, J.H. (2016). On the Guessability of Resident Registration Numbers in South Korea. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science, vol 9722. Springer, Cham. https://doi.org/10.1007/978-3-319-40253-6_8

  • DOI: https://doi.org/10.1007/978-3-319-40253-6_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40252-9

  • Online ISBN: 978-3-319-40253-6

  • eBook Packages: Computer Science, Computer Science (R0)
