Internet Banking Security, the BCA story
By Kostaman Thayib
JAKARTA (JP): The Internet is inevitably becoming more popular and exerting a greater influence in our daily life.
The Internet makes life easier.
With the Internet, we can now quickly and easily search for information all over the world. It also makes communication around the world faster, easier and cheaper.
Internet has developed into a powerful medium of information, communication and human interaction in a relatively short period of time.
Banks have also embraced Internet technology to make banking easier, more convenient and available anywhere and anytime.
With the Internet, banking transactions are only a click away.
Several banks in Indonesia have introduced Internet Banking (IB).
Among these banks, BCA -- although not the first bank to launch Internet banking -- has recorded some remarkable results. Since its introduction on Aug. 17, 2000, after its grand launch on March 30, 2001, more than 200,000 customers have registered for Internet banking services (KLIK BCA), and 70 percent of them have logged in and performed banking transactions at its website (www.klikbca.com).
In Internet banking, the main concern is security. Customers are not asking about the conveniences of IB, they are asking about the security of IB transactions. Security remains one of the biggest barriers to consumer acceptance of IB.
Customers have heard of the attacks on several websites, including bank websites by hackers. Sometimes the hackers breach the security of Internet systems and deface the front page of the websites. Actually in cases like this, customers' accounts are safe and not affected.
In Indonesia, over 70 percent of credit card transactions done through the Internet are fraudulent. Credit card transactions via the Internet require customers to divulge their credit card number and its expiry date.
These information is not secure because it is even printed on the credit card and transaction receipt. In most cases, carders who steal the credit card information do not hack the website. The carders steal the data from conventional transactions such as payments at hotels, restaurants, etc, by working with the service providers.
BCA realizes that the security of Internet banking transactions is an issue of utmost importance for customers. Therefore the bank has protected its Internet banking system to ensure a high level of security.
From the very first step in Internet banking, i.e. the registration, BCA has taken security into consideration.
Customers should register through ATM BCA to ensure the person registering is the account holder.
After inserting the ATM Card (Paspor BCA), enter the correct ATM PIN and select the Internet registration menu. The customer is asked to enter his IB PIN, and his user ID will be given right away.
This user ID and IB PIN can be used immediately to log into the website. IB registration through ATM is secure and yet very fast, easy and convenient.
To access an account through IB, the customer is verified through his user ID and IB PIN. This identification and authentication process makes on-line transactions very secure.
Unlike credit card numbers and expiry dates, user IDs and IB PINs are not printed on the card nor on transaction receipts.
No one should have knowledge of this information. For this reason, customers should be careful when making IB transactions in public areas. Make sure there is no one behind you peeking at your user ID and PIN. If you are doubtful of the confidentiality of your PIN, you can change it at KLIKBCA's website.
To protect the security of data during its transmission from the user's computer to the IB server, Klik BCA is secured with 128 bits SSL (Secure Socket Layer) 3.0, verified by Verisign.
If someone taps the transmitted data, the data would look meaningless, and if he tries to decrypt the encrypted data, according to Onno Purbo, he would need 12,710,204,652,610 trillion years to do so. The URL address of the website secured by SSL will begin with https instead of http.
Klik BCA servers are also protected by Firewall to prevent illegal access by unauthorized users.
Customers should make sure they log out of the IB website after they have completed their transactions. They should not leave their computers in a login state as others can then access their bank accounts.
To prevent financial loss when customers are careless in this respect, Klik BCA automatically logs out if no transaction is made in 10 minutes.
For every financial transaction, Klik BCA will ask the user to enter his IB PIN. Although this procedure seems repetitive, it will prevent others from making transactions from your account if you forget to log out.
To monitor the usage of your IB account, Klik BCA provides the last login information on the main menu every time customers login to the website. Every transaction done through Klik BCA will also be reported, through an automatic e-mail notification, to the customer's e-mail address.
Actually IB has provided enough security for online transactions. To breach the IB security is very expensive and very difficult, if not impossible.
Sometimes people who do not understand IB are fooled into revealing their user ID and IB PIN.
With the your user ID and PIN, others can make a transaction from your account. Off course, this is faster, cheaper and easier than breaching the IB security system!
Customers should be aware that the user ID and PIN are keys to their banking account. Therefore they should keep them confidential.
To protect customers who do not understand IB or who are careless, especially during the early stages of IB in Indonesia, Klik BCA has set the limit for transfers at Rp 3 million.
If IB users need to transfer more than Rp 3 million, Klik BCA will provide a security token called Key BCA. Key BCA is a security device, which looks like a calculator, for authorization.
If the transaction amount exceeds Rp 3 million, IB will display a challenge code.
IB users could activate Key BCA by entering the Key BCA PIN and then entering the challenge code seen on the screen on Key BCA.
Key BCA will then generate the response code. Users should enter this response code on the IB screen. If it is matches the number in the IB Server, the transaction will be authorized.
The response code generated by Key BCA will be different every time. In other words, Key BCA is a device to generate dynamic PINs or a One Time Password (OTP). Key BCA helps make customers feel secure in using Klik BCA.
IB offers a lot of conveniences for customers.
Like other conveniences, it is also vulnerable to misuse and crime. Klik BCA offers an up-to-date system and the tools to ensure the security of its IB.
Customers, on their part, should keep their user ID and IB PIN confidential, and conduct their transactions discreetly.
The writer is deputy chief of BCA's Consumers Banking Division.