Game hacking highlights cracks in online security

By Yoon Min-sik
  • Published : Mar 21, 2014 - 20:06
  • Updated : Mar 21, 2014 - 20:06
A man was arrested on suspicion of using stolen personal data to hack into online gaming accounts in order to make a profit, Seoul police said Friday.

The 23-year-old suspect, identified only by his surname Jeong, allegedly tricked two victims into giving him their phone numbers and 13-digit resident registration numbers by pretending he would trade online game items with them. Using the information, he applied for a new i-PIN, an online identification system, and hacked into the victims’ game accounts.

The suspect used the account for fraudulent virtual item trades and cashed in mileage points in it, making 1.19 million won ($1,100).

Police found that Jeong is a repeat offender in hacking and fake online game trades. He had spent most of the profit on Internet gambling.

Officials are conducting further investigations to see if there are additional crimes.

The case showed the vulnerability of the i-PIN, which the government implemented in 2006 to enhance protection of the people’s personal information.

Most websites in Korea require new users to submit their 13-digit resident registration number, which is issued only once to each citizen. The widely used ID number has long been targeted by domestic and international hackers, and is commonly traded outside the country, such as in China.

In order to reduce such data theft, the government introduced the i-PIN system, issued by government-certified institutions. Internet users can use it to verify their identity without revealing their resident registration number.

Experts, however, are questioning i-PIN’s efficiency in protecting crucial personal information.

It was revealed last month that some 10,000 i-PINs had been leaked via Chinese websites. Police arrested two suspects for selling i-PINs on online gaming websites for 20,000 won each.

Officials from the Korea Internet Security Agency have said people can just reapply for a new i-PIN in case of data theft. But the victims in this case were unaware that their data had been stolen, since anyone who has a person’s name, resident registration number and cellphone number can apply for that person’s i-PIN.

In addition, a mass data theft can take place if an organization in charge of issuing i-PINs becomes the source of the leak.

In January, the information of millions of clients was stolen from major credit card firms in one of the worst cases of data theft in the country’s history.

A police investigation found that an employee of the Korea Credit Bureau, a local personal credit ratings agency and one of the government-approved institutes that issue i-PINs, had stolen the information.
