Some additional details that the article doesn't mention:

1. Technically, the law doesn't require that you use Internet Explorer. The law merely requires that you use a bunch of technologies, ranging from 128-bit encryption to government-issued client certificates to government-mandated antivirus to (craziest of all) an anti-keylogger utility. Conveniently, the spec was written with Windows & IE in mind, so it's very difficult to write alternative implementations for other platforms.

2. This is not a matter of being stuck with older versions of IE like many corporate intranets in the West. In fact, most banks in Korea work perfectly well in IE11 as long as you don't try to use the Modern UI (Metro) version. Because this is not so much about IE as it is about the WIN32 environment.

3. The proliferation of phones and tablets has motivated banks and payment gateways to write iOS and Android implementations of the spec. This was the first time anybody tried to implement the spec outside of Windows & IE. But once you have one alternative implementation, it's much easier to port it to other platforms like Mac, Linux, and FF/Chrome on Windows. This is happening slowly.

4. Despite the appearance of these alternative implementations, the spec itself is still very problematic. For example, the antivirus and anti-keylogger requirements cannot be met unless the programs in question have root privileges on your device. It feels insane when you browse to a bank's home page in Linux and it tells you to download a bunch of apps and execute them as root. And of course those apps are only designed for specific versions of specific Linux distributions, so they break as soon as a new Ubuntu release comes out. No thanks! Even in Windows, the Firefox & Chrome plugins are not packaged as proper extensions, but as standalone programs that integrate loosely with the browser like Flash and Java, because you can't meet the spec within the confines of a browser's sandbox.

5.
Okay so why not just run Windows in a VM? Actually that's exactly what I do. But it's not a perfect solution. Some of the Korean "security" apps have begun to detect when the user is in a VM, and refuse to work in a VM. There is no technical reason for this policy, they just don't like people getting around the rules. My bank refuses to whitelist my VM as a trusted device. I've encountered at least one government agency that won't offer online services to a VM. The last time I bought a bus ticket online, the e-ticket wouldn't print because the printer port was virtualized and therefore could be used to produce duplicates or whatever.

6. Even mobile apps, which the article mentions, are very pesky about their environment. The app for my bank won't run on my phone because it's rooted and therefore can't be trusted. Fuck that shit. This affects everyone who uses CyanogenMod. (What's even more ridiculous is that the same bank <i>requires</i> root on my PC.)

7. <i>Therefore, porting the spec to non-IE platforms and/or writing compatibility layers is not the answer. The spec needs to be fixed, period. No website should have the right to demand the use of any software other than a standards-compliant web browser. No website should require root, or even want to know anything about the environment (virtualized or not, rooted or not) in which it is being visited, except what the browser exposes to it by default.</i>

8. Of course this isn't going to happen any time soon, because removing even one of the requirements on the current spec will be seen as a decrease of security, and nobody wants to take the blame the next time 10 million people get their account information stolen. Wait a second, every Korean citizen has had his or her personal information stolen multiple times in the last several years anyway. All the banks and merchants have desensitized users to the point that anytime any website asks them to install some app and run it as Administrator, they do.
All the security theater of the last 14 years has done is to decrease the security of the entire country. It has also hurt the rest of the Web. Because it's so much more convenient to write a Windows Forms app than to write a website that works in both IE6 and IE11, lots of interactive and media-heavy websites in Korea (especially gaming and file-sharing websites) have become mere landing pages where you download the actual app. After all, the banks are doing it, so why shouldn't everyone else do the same?

9. One move in the right direction is that since this September, every large (over ~$3000) online transaction requires two-factor authentication. They've been handing out one-time password generators like candy lately. The ubiquity of mobile phones also means that you can even choose to use three-factor authentication (login + one-time password + SMS token) for certain types of transactions. Hopefully this will eliminate the justification for the anti-keylogger utility, since the passwords and SMS tokens can't be reused anyway.

[Edit] 10. Another positive development is that the Korean government has finally begun to pay attention to accessibility on the Internet. At the moment, among Korean web developers, accessibility is an even hotter topic than standards compliance, because lack of accessibility can get you into nasty lawsuits and hefty fines. Everyone's busy adding "alt" attributes to <img> tags. But hopefully, in the long term, focusing on accessibility will also bring people to care about standards compliance.