Sun, 11 May 2003

Indonesia lagging behind world in internet security

Wasis Gunarto Contributor Jakarta

Talking about internet banking inevitably leads to its security aspects. The subject is becoming more urgent because, in terms of security for banking transactions via the Internet, Indonesia now ranks second from the bottom in cyberfraud, better only than Ukraine.

A survey conducted by ClearCommerce Corporation (a company that provides solutions for real-time Internet transaction processing, tracking and reporting) also indicated that about 20 percent of internet banking transactions originated from cyberfraud.

In its survey last year, CastleAsia (a company that specializes in business information and feasibility studies) reported that only about 15 percent of small and medium-sized businesses in Indonesia were willing to use internet banking, as a large portion were worried about its security.

The saddest part is that if most businesspeople do not trust online transactions, the country's economy will eventually be affected.

However, business activities have to continue in spite of this "loophole" and illegal entries into websites by ruthless crackers. Just as with a house that has locked doors and windows plus state-of-the-art security devices, the possibility that thieves will outsmart them still exists.

For transactions at the personal or individual level, security is also problematic, as viruses and trojan horses can break into almost anyone's computer, and the user's data -- personal identification numbers (PINs), credit card numbers, etc. -- can be easily stolen.

One of my friends, during his college days, boasted about his ability to find out the e-mail passwords of other students. Holding the print-out of the passwords, he explained how easy it was. "Just place a special recording device close to a computer, cleverly hidden, of course, like I did in the campus, sit in the back row and monitor my victims' data," he proudly added.

This type of intruder exists everywhere and the number is growing. With various sophisticated gadgets available on the market, it is really terrifying how easily such valuable data, including our hard-earned money, can be snatched away in seconds.

Another enemy is the virus, for example Love Bug and Sircam. These viruses disrupted computers throughout the world and created a worldwide panic as vital state secrets and bank data had been plundered. Philip Williams, from the Center of Internet Security Expertise (CERT), confirmed that two major banks in the United States and another in Switzerland were the victims of the merciless virus.

All kinds of illegal access, including theft of subscribers' data, can also occur at Internet Service Providers, as, again, a cracker can outsmart their security system by using a sniffer program.

Fake domains can also be created, causing both the bank and its customers more than panic or headaches. News about forged ATM PINs created further havoc and left bank customers with the lowest sense of security.

However, security technology is also advancing in leaps and bounds, making it extremely difficult, almost next to impossible, for the bad guys to succeed. Various tools and layers of protection are used: spyware, firewalls, Secure Sockets Layer (SSL), public key cryptography and Certificate Authority (CA).

SSL, first developed by Netscape, is like a protective wrapping seal on the internet, making it "leakproof", so that it can only be opened by a special 128 byte combination "key", which is in fact a password known only by the holder and recognized by the receiver or, in this case, the bank's internet system. This special combination key is usually called public key cryptography.

Cryptography was born in the days of the Roman empire. Its emperor, Julius Caesar, did not trust his couriers. So, he encrypted his messages, for example every letter 'A' should be read as 'D', 'B' as 'E' and so forth. Only certain receivers of the messages, with prior knowledge of the special code, could read his top secret messages.

In the case of passwords for bank transactions, two kinds are used: private keys and public keys. A public key is sent together with encrypted data, and if a hacker gets hold of it, the private key, which is, again, known only to both the holder and his bank, provides further security.

To assure us of the authenticity of the key or the password, a digital certificate is required. This certificate contains information that is related to the certificate owner and an authorization statement from a body or institution that recognizes or validates the password user as the authentic certificate owner.

A digital certificate, inserted into a public and private key or password, again makes forgery harder.

The most important aspect after all security actions is the existence of a body or institution that can be relied on to guarantee, validate and consistently monitor every security aspect of a transaction via the Internet, including the digital certificates.

This is where the important role of the Certificate Authority (CA) enters: a reputable and trusted body or institution that records certificates, stores them on its server and authenticates the certificates whenever required.

For banks in Indonesia that provide e-banking, the prerequisites are registration and accreditation from an international Certificate Authority, like Verisign, GlobalSign and British Telecommunication, for more secure and reliable internet banking.

To date, Indonesia has no such institution, although its existence is acknowledged to help reduce the country's cybercrime and enhance its e-commerce.

With the upcoming highly advanced Third Generation (G3) communication system that will automatically increase mobile banking, the need for a Certificate Authority in Indonesia is becoming ever greater.

Along with that, of course, cyberlaws must come into force to provide consumers with the maximum sense of security for internet banking plus other transactions through the Internet. This way, risk management for any company becomes less of a headache.

Tips

The Internet banking service has several effective security techniques that we encourage you to implement whenever you use it:

1. Never reveal your password to anyone or leave your password anywhere that someone else can obtain and use it.
2. Change your password on a regular basis.
3. Use the Exit button to end each Internet banking session. Do not use the Back button to exit the site.
4. Change your session timeout in User Options to a time that meets your needs.
5. Balance your account on a regular basis. Internet Banking makes it easy!