[Editor's note] Unauthorized micro-payment losses among KT subscribers continue. Caused by a newly identified hacking method, an unregistered base station connected to the network and induced payments. We examine the structural vulnerabilities in telecom infrastructure security that led to this incident and consumer responses to prevent additional damage.
"278 cases of damage, 170 million won in losses"
The Ministry of Science and ICT said this on the 10th regarding the scale of recent unauthorized micro-payment losses involving KT in Seoul and Gyeonggi Province. According to KT, most of the unauthorized micro-payment records were purchases on gift card websites that can be converted into cash. It was also confirmed that the personal information of 5,561 subscribers was leaked.
It remains unconfirmed how an unregistered wireless communication device (presumed femtocell) connected to the core network and how it bypassed authentication, key values, and encryption procedures such as the International Mobile Subscriber Identity (IMSI). The Ministry of Science and ICT and KT are offering only the basic line that "an investigation is needed."
What has been confirmed so far is only that a "non-registered base station (an illegal ultra-small base station not installed by KT, commonly called a ghost base station)" connected to KT's network. Ryu Je-myung, the second vice minister at the Ministry of Science and ICT, said, "A precise investigation is needed into the technical mechanism from the core network access path through to the linkage to payment."
According to the Ministry of Science and ICT, KT confirmed on the 8th in the course of analyzing victims' call records that an unregistered base station had connected, and officially reported a cyber intrusion to the ministry that evening. It is known that KT reported the intrusion to the ministry only after it built multi-layer blocking logic within the micro-payment system from the 5th to the 7th and fully restricted new connections of small base stations.
KT's slow response is under fire. According to the industry and police, the first report of damage stating that mobile phone micro-payments were made without the user's knowledge was received on the 27th of last month. Similar reports followed, and police are said to have passed related information to KT on the 1st of this month. However, KT did not begin blocking abnormal traffic patterns and micro-payments until the early morning of the 5th, drawing criticism for a delayed response. A notice to all customers was posted only on the 6th on the website. KT has not yet sent a text message notice to all customers.
Under current law, upon recognizing a cyber intrusion, it must be reported within 24 hours to the Ministry of Science and ICT or the Korea Internet & Security Agency (KISA). A personal information leak must be reported to the Personal Information Protection Commission within 72 hours. KT recognized the intrusion on the 5th and took measures such as blocking abnormal traffic patterns and micro-payments. It then reported the matter to the Ministry of Science and ICT on the 8th, three days later. It completed the report to the Personal Information Protection Commission on the 11th.
To prevent further spread, the Ministry of Science and ICT is checking nationwide for the presence of unregistered base stations. KT reported to KISA and the Ministry of Science and ICT on the 9th that, based on a full inspection of base stations in operation, there were no other unregistered base stations. As a precaution, the ministry fully restricted network access by new ultra-small base stations for all three telecom operators and conducted an emergency inspection. So far, no unregistered base stations have been found at SK Telecom or LG Uplus.
Jang Hang-bae, a professor in the Department of Industrial Security at Chung-Ang University, said, "A completely new type of hacking that did not exist before has occurred," and noted, "It appears to be the work of a group with highly specialized knowledge of domestic telecom infrastructure."