[Herald Interview] Why Toss invited hackers to penetrate its system
Popular banking app pours more than 10% of tech spending into security
By Choi Ji-won
Published: April 22, 2024 - 15:06
In 2022, South Korean fintech app Toss launched the nation’s first bug bounty program by a finance company, inviting attacks on its security system from the outside.
After running the program for several months at a time in its first two years, Toss has kept the doors open since last year so that hackers can report whenever they discover a vulnerability in Toss' security. White hat -- or ethical -- hackers who make a significant discovery are rewarded with up to 30 million won ($22,000).
Toss remains the only financial company operating bug bounty programs regularly, which reflects the firm’s confidence in its security level, according to Lee Jong-ho, a white hat hacker and the leader of Toss’ security tech team.
“As efficient as they are in finding weaknesses, bug bounty programs could expose all the holes, even those that the company itself was unaware of, in its security system. Running the program around the clock goes to show our readiness,” Lee said, speaking to The Korea Herald in a recent interview.
Toss is also the only local financial company that operates a “red team,” a group of cybersecurity officials tasked with simulating attacks to test the effectiveness of security systems or strategies.
Lee, professionally known by his alias "Hellsonic," leads a team of 10 white hat hackers within the broader security tech team. Collaborating closely with the remaining members of the security team, collectively known as the "blue team," they engage in daily exercises in which the red team attempts breaches while the blue team defends against them.
"Our approach begins with adopting an outsider's perspective on the system. By shedding biases, we uncover vulnerabilities overlooked by the company and try to penetrate its defenses, thus fortifying our resilience against real threats," Lee explained.
Toss also raised its security posture by building customized defense programs, such as Toss Guard and Phishing Zero, and integrating them internally. These in-house tools not only provide the flexibility and scalability needed to keep pace with the company's growth but also create a tightly woven defense tailored to Toss' distinctive environment, Lee highlighted.
However, committing to enhancing security isn't a simple choice for companies, given the substantial costs involved. As reported by Viva Republica, Toss' operator, out of the total 83.9 billion won invested in information technology last year, 11.5 percent — 9.6 billion won — was exclusively used on security, marking one of the highest percentages recorded among local tech firms.
Lee emphasized that this commitment to enhancing security was the very reason he chose to join Toss.
After spending a decade at RaonSecure, a prominent security solutions provider in South Korea, Lee was approached by numerous companies, including some of the country's top firms. Toss was among those he had initially rejected.
It was the persuasion of Toss's founder and CEO Lee Seung-gun that changed his mind.
"I had the opportunity to advise Lee as an external expert, and I was truly impressed by his profound knowledge of security. Having consulted for numerous CEOs and executives, I could sense his genuine dedication to defense and the depth of his expertise," the hacker recounted. "I believed that Toss was worth staking everything on."
Aiming to enhance South Korea’s overall security level, each day at Toss is a step closer to realizing that dream, he added.
However, Hellsonic stressed that this doesn't imply Toss' defense system is flawless. In fact, "cybersecurity can never be perfect," he stated. He likened digital defense to warfare.
"We can never fortify a fortress against all attacks. We deploy stronger weapons and more soldiers, making it increasingly difficult for enemies to breach our defenses. Defending against hacking is similar -- it's an ongoing process of enhancing our defenses to make it tougher for malicious attacks to penetrate the system."
As technology advances, ironically, it’s becoming easier for cybercrime to penetrate our daily lives, Lee noted.
According to him, generative artificial intelligence technologies, like ChatGPT and large language models, are providing creative ideas for new hacking methods, lowering the entry barrier for ordinary individuals to attempt hacking.
He also pointed to ransomware-as-a-service, which lets criminal groups obtain hacking packages for monthly fees, as a major contributor to the proliferation of digital hacking.
"It's a burgeoning market. That's why it's crucial for companies to develop their own security systems rather than relying on off-the-shelf solutions," Lee emphasized.
The ethical hacker stressed that raising overall public awareness is necessary to mitigate hacking risks at their root.
"Cybercrime has become more widespread, and it is becoming increasingly challenging for a select few experts to combat it. Individual vigilance must be heightened. Just as we learn about fire safety in schools, cybersecurity should be integrated into mandatory education."