Resident Registration Number (RRN): South Korean ID System Used To Identify Over 50 Million Citizens Is Vulnerable To Cracking, Says Harvard Professor Latanya Arvette Sweeney
Harvard Professor Latanya Arvette Sweeney, known as the "Queen of Re-identification," published a set of findings that showed how vulnerable to security breach the Resident Registration Number (RRN) system of the country is.
The RRN is a 13-digit number, with the first six digits representing the birth date of the person, assigned to every resident in South Korea used to identify each person in various private transactions such as in education, banking and employment.
The system was originally created in order to identify North Korean spies following the Blue House Raid on Jan. 21, 1968, where South Korea's then President Park Chung Hee was attempted to be assassinated by North Korean commandos.
According to The Stack on Wednesday, Sweeney was able to crack a set of 26,163 South Korean sample IDs through two different methods. The first is with the use of logical reasoning and computer analysis of an Excel spreadsheet of gathered data, and the second is through machine analysis of patterns, traits and relationships within the RRNs.
Sweeney, therefore, concluded that the encrypted RRNs are "vulnerable to almost any adversary." Even third party sources verified Sweeney's deanonymization method.
On Oct. 14, 2014, BBC News also pointed out how the RRNs are easy to be stolen or cracked following the incident that had the ID numbers of over 20 million South Koreans stolen by data theft.
The publication noted that the RRNs still follow the same pattern since the 1960s. Also, the fact that these numbers are used across all sectors makes each ID a master key for thieves and once an ID has been leaked, there is no way for a citizen to change them.
On another perspective, the RAND Corporation researchers are less guarded in terms of the security risks of new federal ID schemes. As an example, in their recent study, they believe that the advantages of the National Health Information Network (NHIN) that uses unique patient finder (UPI) outweighs the possible security risks.
"If the UPI were to facilitate the development of a more efficient national network, any potential negative effects of such a network could be ameliorated directly through other aspects of systems architecture, such as encryption, access controls, and audit trails," explained RAND. "And use of a UPI would actually improve privacy by limiting the transmission of more sensitive identifiers, such as the combination of names, address, date of birth, and Social Security numbers."
