[Financial Essay] Toss Ignites Debate on the Safety of Simple Payment Services
[Asia Economy Reporter Kim Min-young] An incident occurred on the mobile financial service Toss, operated by Viva Republica, where over 9 million KRW was charged without customers' knowledge, raising concerns about the security of simple payment service providers. Since the discussion on abolishing the public certification system in 2014, the rapid growth of simple payment companies has prompted calls for financial authorities to conduct thorough inspections.
According to financial industry sources on the 14th, unauthorized payments totaling 9.38 million KRW were made in multiple transactions from the accounts of eight Toss users on the 3rd.
After receiving reports of customer damages, Toss investigated the situation and refunded all the losses to the eight affected customers. The victims reported the incident to the police.
Toss explained, "This case is not due to information leakage through Toss, but an issue of unauthorized payments using stolen personal information."
However, such similar unauthorized payment issues could recur anytime in fintech (finance + technology) companies, which are inherently more vulnerable to security risks compared to traditional financial institutions.
The customer information used for the unauthorized payments this time included name, phone number, date of birth, and the five-digit Toss password.
It is presumed that criminals targeted the security vulnerability caused by the omission of biometric authentication procedures such as fingerprint or facial recognition.
The financial authorities plan to conduct a comprehensive inspection of the security of non-face-to-face financial services such as simple payment systems. They intend to review the overall simple payment financial systems, including Naver Pay and Kakao Pay, to check if similar unauthorized payment incidents have occurred.
The financial authorities explained, "As digital and non-face-to-face electronic financial transactions advance, non-face-to-face financial services are being provided not only by fintech companies but across the entire financial sector," adding, "We will seek institutional measures to prevent situations like the Toss incident."
Although these companies are classified as electronic financial operators under the Electronic Financial Transactions Act and are subject to supervision and inspection by financial authorities, they have been criticized for being less rigorously monitored compared to traditional financial institutions such as banks and card companies. For example, Toss, which experienced the recent incident, has never undergone an inspection by the Financial Supervisory Service (FSS) since registering as an electronic financial operator in 2015.
The FSS has previously conducted inspections on Coupang, which operates Coupang Pay, and Woowa Brothers, the operator of the Baedal Minjok application.
During the Coupang inspection, the FSS pointed out inadequate management of encryption keys for electronic data. The FSS stated, "When providing electronic financial transactions, important information such as payment card tokens, payment account numbers, and member passwords are encrypted using the same encryption algorithm and key, but there is no management system for the encryption key lifecycle, such as operating validity periods for encryption keys, and encryption keys themselves are not encrypted, indicating somewhat insufficient encryption key management."
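As an added illustration of the key lifecycle controls the FSS finding above calls for, and not code from the article or from any company it names, the following Go sketch keeps a separate data-encryption key (dek) per data class, stores each dek only wrapped under a key-encryption key (KEK), and refuses to encrypt with a dek whose validity period has passed. The type and function names, the in-memory KEK and the purpose labels are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)
type dek struct { // one data-encryption key per data class, held only KEK-wrapped
	id       string
	notAfter time.Time // validity period: Encrypt refuses the key after this
	wrapped  []byte    // AES-GCM(kek, raw key) as nonce||ciphertext, id as AAD
}
type keyStore struct { // KEK: an HSM/KMS in production, an in-memory slice here by assumption
	kek  []byte
	keys map[string]*dek // active dek per purpose, e.g. "card-token", "account-no"
	seq  int             // issuance serial used to build unique key ids
}
// seal: AES-256-GCM with a fresh random nonce prepended; keys are always 32 bytes and rand.Read does not fail.
func seal(key, pt, aad []byte) []byte {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, aad)
}
// Rotate issues a fresh dek for purpose, valid until now+ttl, wrapped under the KEK with its id as AAD.
func (s *keyStore) Rotate(purpose string, ttl time.Duration) string {
	raw := make([]byte, 32)
	rand.Read(raw)
	s.seq++
	id := fmt.Sprintf("%s-%d", purpose, s.seq)
	s.keys[purpose] = &dek{id, time.Now().Add(ttl), seal(s.kek, raw, []byte(id))}
	return id
}
// Encrypt refuses a missing or expired dek, unwraps it under the KEK, and returns the dek id with the ciphertext.
func (s *keyStore) Encrypt(purpose string, pt []byte) (string, []byte, error) {
	k, ok := s.keys[purpose]
	if !ok || time.Now().After(k.notAfter) {
		return "", nil, fmt.Errorf("no valid key for %q: rotate first", purpose)
	}
	b, _ := aes.NewCipher(s.kek)
	g, _ := cipher.NewGCM(b)
	raw, err := g.Open(nil, k.wrapped[:g.NonceSize()], k.wrapped[g.NonceSize():], []byte(k.id))
	if err != nil {
		return "", nil, err
	}
	return k.id, seal(raw, pt, []byte(k.id)), nil
}
```

Because the dek id travels with each ciphertext, a rotation job can find every record still under an old key and re-encrypt it before that key's validity period ends.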
In the investigation of Woowa Brothers, the possibility of hacking the cloud management system was raised. At that time, the FSS noted, "If login to the cloud management system is not restricted to internal company networks and an attacker steals login information from an IT operator's device outside the company through malware, it poses a security risk that could threaten all information processing systems configured in the cloud environment."
The FSS issued management cautionary measures to Coupang and Woowa Brothers. It is very rare for the FSS to issue such measures to non-financial companies.
Although Toss is currently an electronic financial operator, it is preparing to launch a third internet-only bank. This is why a high-intensity inspection comparable to that of financial institutions is expected.
According to the FSS, as of 2018, the amount used in simple payments reached 80.1453 trillion KRW, with the number of transactions reaching 2.38 billion.
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.