[1mm Financial Talk] Multiple Parties Troubled by 'Payco Signature Key Leak' News

2.9 Million Users' Payco Signature Keys Leaked
5,514 Cases of Malicious Apps Distributed Using Stolen Keys
Already Recognized by Security Solutions, Malicious Apps Detectable
General Smishing Level... "Damage Prevention Possible with Just Caution"

[Asia Economy Reporter Minwoo Lee] The signature key of the simple payment service 'Payco,' used by 2.9 million people monthly, was leaked externally. More than 5,000 malicious apps disguised as legitimate applications exploited this signature key. A security company discovered this and informed financial institutions, putting not only Payco but also the banks mentioned as clients in an uncomfortable situation.


According to the financial and IT industries on the 6th, NHN Payco, the developer of Payco, detected malicious apps exploiting its 'signature key' in early August. These apps were designed to be recognized as official apps created by Payco, avoiding detection by antivirus or financial app malware scanners. The signature key is a certification tool used by app stores like Google and Apple to verify that an app was developed by a specific developer. Hackers distributed malicious apps using the Payco signature key not through official app stores but via text messages and KakaoTalk.


This fact was revealed when the domestic security company Everspin sent warning letters last month to dozens of financial clients. The letters urged caution, reporting that 5,144 malicious apps using the Payco signature key had been detected over the four months from August 1 to the end of last month.


Payco, the owner of the signature key, faced criticism for not disclosing this fact even after detecting the malicious apps. However, they explained that they did not remain inactive. Since replacing a signature key typically takes several months, they immediately began the process. An NHN Payco official stated, "We started replacing the signature key immediately after detecting the malicious apps exploiting it and simultaneously checked for any customer damage. So far, there have been no cases of damage, and the signature key replacement is complete. We plan to update the app next week."


Financial institutions such as banks and card companies, clients of Everspin, are also in a difficult position. They feel uncomfortable being mentioned as if there were problems despite no damage occurring. A representative from a financial institution that is an Everspin client said, "We are not directly Payco’s clients, and no related issues have occurred so far, so it is uncomfortable even to be mentioned. It seems the security company is excessively promoting this."


Meanwhile, authorities have recognized the situation and are responding. The Financial Supervisory Service is currently assessing Payco’s status and discussing future response measures. The Financial Security Institute is analyzing the malicious apps and sharing related information with financial institutions, security solution providers, and related organizations such as the Korea Internet & Security Agency to help detect malicious apps quickly.


However, since this is not much different from simple 'smishing' using text messages or KakaoTalk, some believe the damage will not be significant. A Financial Security Institute official explained, "Information about malicious apps using the Payco signature key has already been shared, and it has been confirmed that mobile antivirus and financial institutions can detect them. If users exercise the usual caution against smishing, such as not clicking on links in unsolicited messages and not installing apps recklessly, damage can be almost entirely prevented."



© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
