On the Guessability of Resident Registration Numbers in South Korea
This paper studies a potential risk of the real name verification systems that are widely used on Korean websites. Upon joining a website, users are required to enter their Resident Registration Number (RRN) to identify themselves. We adapt guessing theory techniques to measure RRN security against a trawling attacker attempting to guess a victim’s RRN using personal information (such as name, sex, and location) that is publicly available (e.g., on Facebook). We evaluate the feasibility of performing statistical-guessing attacks using a real-world dataset consisting of 2,326 valid name and RRN pairs collected from several Chinese websites such as Baidu. Our results show that about 4,892.5 trials are needed on average to correctly guess an RRN. Compared to the brute-force attack, our statistical-guessing attack runs, on average, about 6.74 times faster.
Keywords: Korean identification system, Resident Registration Number, Brute-force attack, Statistical-guessing attack
This work was supported in part by the NRF Korea (No. 2014R1A1A1003707), the ITRC (IITP-2015-H8501-15-1008), and the MSIP/IITP (2014-PK10-28). The authors would like to thank all the anonymous reviewers for their valuable feedback.