The 13-digit resident registration number or RRN is automatically given to anyone born in Korea and is nearly impossible to change throughout the numberholder’s life. Naturally, RRN is a reliable, trustworthy tool to authenticate one’s identity in Korea. The government maintains a stable database of the RRNs matched to the names and other information about the numberholders, and the number holder is usually warned not to share his or her number with others who may use the numbers for impersonating the number holders. As a result, many companies and agencies relied on RRNs for identification purposes whereby they would religiously require people to produce RRNs alone or RRNs backed by photo identification cards before providing services to them. A happy story? Not quite.
RRN was made for the purpose of identifying spies in 1970’s. The theory was that, if all Koreans receive a number each, whoever does not have it must be from “up North” and can be culled out as spies. In other words, it was supposed to work as an identification scheme for legitimate citizenship. The number was embedded in a card carrying the numberholder’s facial photo, so that people could not produce others’ numbers.
The problem was that, once RRNs were cherished as unique identifiers of people, many government agencies and companies completely unrelated to national security or espionage began to require RRNs as the condition of providing services to or opening up an account for people. In some cases where the card cannot be produced, the number worked as a identification: for instance, if I call customer service, the representative will typically ask for my RRN to confirm my identity. Then, the vogue of requiring RRNs continued for a few decades to a point where so many agencies and companies have RRNs of so many people in their databases. This meant that RRN can no longer work as a surrogate for identity because so many other people have access to others’ RRNs. The logic is the same as if many people have your password, it cannot function as a password. Also, because so many agencies and companies rely on RRNs, RRN becomes the “key data” weaving through many facets of the numberholder’s life: hospitals, schools, libraries, banks, online platforms all have the numbers. Therefore, it becomes a treasure trove for many wishing to commit identity theft because once they have the numbers they are so versatile. As a result, many of those RRN-holding companies and agencies became the target of hacking and RRNs of so many more people fell into the evil hands as well. These days, I hear rumors that one can buy a database of 100 million sets of RRNs matched to Korean names for USD 100 where the entire South Korean population is 50 million!
What should have happened at that point? Since RRN cannot function as a password, the companies and agencies should have stopped requiring the RRNs as the condition of providing services for or conducting business with people or at least should have stopped relying on RRN or RRN Card as the only identification. However, the companies and agencies in Korea still continue to require RRN and RRN Card and rely on them as the singular method of identification. Even where RRN is not the only identification scheme, all other identifying data are built around the RRN as the key link data.
Naturally, the RRNs continue to remain as the Holy Grail of the financial fraudsters who used them to assume others’ identities to withdraw and borrow money as the trust-based companies and agencies continue to rely on RRNs. RRNs became the tool of financial fraud.
Now, if you remember, RRN began as a trustworthy identification system. However, because it was so trustworthy, it was so widely sought for, and it later ended becoming the tool for financial fraud. I would like to call this “Paradox of Trust.”
It is necessary to build a trustworthy identification system. Then, how do you stop it from burning into Paradox of Trust as it was prominent in Korea? Korea, unlike other countries, did not restrict the uses of national unique identifiers.
True, we once prohibited the collection of RRNs through the Internet in 2012 after the 50-million-people country was shocked when SK Communications suffered the data breach of 37 million people in 2011. Also, when January 14, 100 million data sets were breached from 3 card companies, the Personal Data Protection Act Article 24 was passed to ban any collection of any RRN unless expressly allowed or required by statutes or regulations. (The hyper-linked, old version allowing collection of RRNs “upon the data subject’s separate consent” in Article 24(1)2, which was amended in 2014)
However, there are still so many statutes still allowing or requiring the collection of RRNs. According to the last count by the authorities in January 2014, there were 77 statutes, 404 Presidential decrees, and 385 ministerial rules all independently requiring or allowing the collection of RRNs – all together 866 such provisions!
This is not about to change. Even when three credit card companies (Lotte, NH, and KB) suffered the data breach of 104 million data sets of 20 million people in 2014, the government was not willing to change the one provision out of the 866 laws and regulations, that was responsible for the card companies’ collection of RRN, namely Article 3 of the enforcement decree of the Real Name Financial Transactions and Secret Protection Act, and that specified the name and RRN as the singular method of identity verification. Also, the Information Communications Network Act that began to ban collection of RRNs through the Internet in 2012 still allows the telecom companies to collect RRNs in issuing phones, even when one of them suffered the massive data breach of 12 million in February 2014.
The paradox of trust is a paradox because people cannot get out of it: they still feel insecure about identifying themselves with anything other than RRN, especially when it comes to financial transactions. The truth is that banks do not need RRN from you when you open a bank account with them. Instead, they can require your name, BOD, address, birth address, job, mobile phone number, home phone number, etc., any appropriate combination of which can become a unique identifier. That is exactly how Korean banks open accounts for foreigners who do not have RRNs. American banks can open a bank account as long as you have two photographed identifications and address. Banks are required only to make “reasonable efforts“ to require Social Security Numbers or Tax Identification Numbers but not to require it as a condition. Rather, banks requiring SSNs “in violation of federal law“ can be punished up to five (5) years in prison.
What is more important, Korean RRNs are the combinations of DOBs, gender, birth place code, and the number computed from the previous three, all of which the banks, agencies, and companies routinely require anyway in addition to RRNs. One does not have to feel insecure about dealing without RRNs.
People wanting to rely on RRN-centric identification system are afraid of chaos when such system is no longer in use. However, if RRN is not used, the real chaos will dawn upon, not on the users, but the hackers and identity thieves. As banks, companies, and agencies require different sets of credentials from the users, they can no longer use the data illegitimately obtained from one data processor to open an account with the other data processor. Now? They can get the most out of their limited resources because they can focus all the resources on the standardized data sets built around the singular identifier: RRN.