On the Guessability of Resident Registration Numbers in South Korea

  • Youngbae Song
  • Hyoungshick Kim
  • Jun Ho Huh
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9722)


This paper studies a potential risk of the real name verification systems that are widely used on Korean websites. Upon joining a website, users are required to enter their Resident Registration Number (RRN) to identify themselves. We adapt guessing theory techniques to measure RRN security against a trawling attacker attempting to guess a victim’s RRN using personal information (such as name, sex, and location) that is publicly available (e.g., on Facebook). We evaluate the feasibility of performing statistical-guessing attacks using a real-world dataset consisting of 2,326 valid name and RRN pairs collected from several Chinese websites such as Baidu. Our results show that about 4,892.5 trials are needed on average to correctly guess an RRN. Compared to the brute-force attack, our statistical-guessing attack runs, on average, about 6.74 times faster.


  • Korean identification system
  • Resident Registration Number
  • Brute-force attack
  • Statistical-guessing attack



This work was supported in part by the NRF Korea (No. 2014R1A1A1003707), the ITRC (IITP-2015-H8501-15-1008), and the MSIP/IITP (2014-PK10-28). The authors would like to thank all the anonymous reviewers for their valuable feedback.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Department of Computer Science and Engineering, Sungkyunkwan University, Suwon, Republic of Korea
  2. Honeywell ACS Labs, Golden Valley, USA
