Tue, 11 Jun 2002

A guard dog in the virtual crowd

Jonminofri Nazir, Contributor, Jakarta

"Where there's a crowd, a pickpocket is always around."

This may not be a popular saying, but still it is a fact of life. Crowded places like markets, transportation terminals, congested streets and entertainment venues are frequently gold mines for pickpockets and snatchers.

Today, another crowded spot, though virtual, is the Internet. Likewise the pickpockets who operate here are also virtual and their victims are bank customers who use the Internet for various banking services.

How do these virtual thieves go about their job and how do banks prevent them?

It is worthwhile to take a look at Bank Central Asia's (BCA) efforts to ward them off, as its Internet banking system is one of the busiest due to the eight million customers the bank is currently serving.

"Our team of twenty experts have been working for the past nine months to find the best security system for Internet banking," said Aswin Wirjadi, vice president of BCA.

Aswin said that every type of customer had suffered this crime: from those not familiar with the Internet up to those who were very much used to it.

One of the methods used by the thieves is stealing the customer's personal identification number (PIN) through a cellular phone scam. This happens to those most easily fooled, people who have never even touched a computer, let alone used the Internet.

The intended victims receive a text message on their phones with the promise of a certain prize. They are also asked to register for Internet banking at an automated teller machine (ATM) and return the results, including their ATM password, to the thief.

This may seem unbelievable and highly impossible, but in fact it occurs in Indonesia.

Those familiar with the Internet have also become victims. In these cases the bad guys create a presentation much similar to the first page of BCA's Internet banking website - called KlikBCA - which makes the would-be victims feel that they have correctly logged on to the real Klik BCA. This page is specially designed to steal the customer's user identification and password.

With the most sophisticated users of the Internet, the thieves use more advanced techniques by stealing their user identification and passwords through the computer networks at offices or telecommunications centers.

Aswin further explained that the modus operandi of such crimes targeting BCA Internet banking customers was based on stealing user identification and passwords.

Often passwords are found out through guesswork, like relating them with the customers' birth dates or car license numbers. However BCA's Internet banking system has never been broken into up till now.

Compared with the huge number of transactions at Klik BCA the occurrence of this type of crime is quite small, the Internet can quickly spread the bad news all over the world and thereby give the impression that transactions through the Internet are not safe. This is what BCA fears most.

When one takes a look at the data on the number of customers using Internet banking for purchasing or money transfers, this fear seems unreasonable.

The past 16 months have seen a consistent increase of transactions at Klik BCA both in volume and value. While the transactions for January 2001 were less than 50,000, April 2002 recorded a much higher number -- close to 100,000.

The trend of using Internet banking is on the increase, though most of BCA's customers (44 percent) only check the balance in their accounts or browse through past transactions, 16 percent transfer funds and only two percent conduct direct purchases.

It is only natural for BCA or any other bank to prefer increasing the frequency of Internet banking used by their customers, because its cost per transaction is only 13 U.S. cents, far lower than US$1.07 for each transaction at the bank's office.

This clearly means that Internet banking, besides greatly saving costs, can serve a large number of customers very fast and at the same time increase the bank's fee-based income. These are three important aspects for customer banking.

With these in mind, BCA's team of twenty employees racked their brains to create the feeling of safety and security for its customers. The results of their hard work is a product called KeyBCA, which is a small computer that is capable of issuing a different personal identification number (PIN) for each transaction.

The gadget, resembling a calculator, is smaller than a business card and only as thick as a pile of 15 business cards. Before handing it over to the customer, BCA installs a program that is related with the customer's data at its computer. This program is capable of functioning for five years. Every time KeyBCA is used, a different PIN appears on its screen. Each PIN is to be used for each different Internet banking transaction. KeyBCA cannot be transferred from one customer to another, because again each KeyBCA produces entirely different sets of PIN numbers.

KeyBCA has certainly made it impossible for pickpockets to steal user identification and passwords for any transactions on the Internet, even if the customers choose to conduct Internet banking transactions at telecommunication centers, Local Area Network (LAN) or anywhere else.

Having taken care of the "safety and security" aspect, BCA has now raised the ceiling of transactions through its Internet banking, called Klik BCA, to Rp 50 million ($5,600) per day for each account. As KeyBCA can be used by a customer who has five accounts with different User IDs, a second-hand car dealer, for instance, can easily make transactions on the Internet.

The safe-and-secure feeling for the customers does not come free. Besides costing them Rp 100,000 per unit - BCA produces each for $10 - they have to go through a certain degree of inconvenience every time they make a transaction by punching in different numbers as instructed by KeyBCA.

So, for the customers, using KeyBCA is very much like having a guard dog in a virtual crowd. However, one must not forget that thieves also do their best to outsmart even the most sophisticated security system.

Hence, don't lose your KeyBCA and worse don't ever lose the PIN number to KeyBCA.