[Asia Economy Reporter Kim Hyo-jin] It has been pointed out that the unauthorized use of dormant account passwords by some Woori Bank employees was possible due to a loophole where customer authentication was not required when registering user passwords.
According to the 'Details on Woori Bank's Password Registration' document received by the office of Kim Jong-seok, a member of the National Assembly's Political Affairs Committee from the Liberty Korea Party, from the Financial Supervisory Service on the 16th, Woori Bank first confirmed attempts of unauthorized password registration on July 25-26, 2018.
At that time, Woori Bank's Information Security Department detected attempts by some branch employees to register passwords using the user IDs and temporary passwords of customers who had not used smart banking services for a long time. Customers who go more than one year without registering, as their user password, the temporary password they received when opening a new account are classified as inactive customers.
Woori Bank employees looked up user IDs and other information in the 'Smart Banking Long-term Inactive Customer Details' data on Woori Bank's internal portal (Woori BI Portal). It is presumed that the 6-digit temporary passwords were relatively easy to find out because, when setting them, branch employees often entered specific numbers such as '100400' at the customer's request or under the customer's delegation.
The employees used branch tablet PCs to change passwords without authorization. The number of unauthorized changes reached about 40,000 cases. This was possible because no additional authentication procedure, such as ARS verification or smart simple authentication, was required of the customer when a temporary password was entered to register a user password.
As a measure to prevent recurrence, Woori Bank introduced additional authentication procedures on August 9, 2018, to block third-party attempts to register passwords.
It has been pointed out that the misconduct of some Woori Bank employees was closely tied to improving their performance results. Since January 2018, Woori Bank had included the reactivation of long-term inactive smart banking customers as a detailed item in the key performance indicators (KPI) of its sales teams. Woori Bank deducted all KPI performance obtained through unauthorized password use.
Woori Bank stated, "Some branch employees used customers' user IDs and temporary passwords one-time only to achieve performance," and added, "We have taken thorough post-measures such as introducing additional authentication procedures and password resets to prevent customer damage and recurrence."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

