Tue, 11 Jun 2002

It's not just about the best hardware and software

Phil Leifermann, Insight Consulting, phil.leifermann@insight.co.id

Ask a bank customer about security for the technology they use in their bank, and the usual reply will be something like this: "I don't know about those things, that is the bank's responsibility!"

Then ask the managers responsible for security in the banks about what causes the majority of security problems and they will point their finger at the customers, bank employees and external parties -- in that order.

Therefore we have the possibility that one group of people can take advantage of the actions of another group to compromise security, often with external parties taking advantage of the actions of customers and bank employees.

What we have here is the human factor! Security is not just about using the best hardware and software, it is also about people and their actions.

If you go to the website of most international and large local banks, they usually provide guidelines to their customers about what they should do to secure their banking activities -- whether it be corporate or personal banking.

These banks also distribute the guidelines when you open a new account. But how many people read these guidelines? From my experience, only a small percentage of customers actually read these guidelines.

Why? The reason is lack of awareness of the importance of security and the attitude that security problems will never happen to them.

The result is that customers continue to do things that allow security to be compromised. The classic example is your ATM card. Access to your account via an ATM requires the ATM card itself and the associated personal identification number (PIN).

One without the other is useless, but together they give the customer access to a convenient delivery channel, or, in the wrong hands, access to your hard-earned money.

But how many people still write down their PIN and keep it in their wallet or purse together with their ATM card? Too many. And the risk is that if they lose their wallet or purse, they often lose money from their accounts too.

Today, more technology-based delivery channels are being offered to bank customers, including phone, Internet and mobile banking.

Therefore, banks will need to continue to educate their customers about the importance of security so that these customers feel more comfortable and safe when using this technology.

Equally important is PIN or password selection.

Now, most banks offer their customers the facility to choose their own PIN or password, but often people select ones which are easy to guess and therefore easy to compromise.

Never choose a PIN or password that can be associated with you, for example names, birth dates or even your favorite food or sporting team. If someone knows you or wants to learn about you, then they may also be able to guess your PIN or password.

Also, never choose a PIN or password that is a common word. Always choose a PIN or password that is difficult to guess but easy for you to remember.

For example with password selection, select a phrase that is easy to remember like "Jack and Jill went to get water" which then becomes your password "J&Jw2gh2o". This looks like a group of random characters and numbers, but in fact it is a password that is difficult to guess but easy for you to remember.

Also, change your PIN or password on a regular basis and never share your ATM card, PIN or password with anyone!
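As an added illustration that is not part of the original column, the Python function below applies the three rules above to a candidate PIN or password: it rejects anything built from the customer's name or birth date, anything that is or contains a common word, and anything too simple to resist guessing. The customer profile and the common-word list are constructed examples.

```python
import re
from datetime import date

# Constructed stand-in for a real dictionary of words a guesser tries first
# (assumption for this example, not from the article).
COMMON_WORDS = {"password", "secret", "welcome", "letmein", "bank", "money", "jakarta"}


def personal_tokens(name, birthday):
    """Strings someone who knows a little about you would try: name parts
    and the birth date in the usual numeric layouts (PIN-sized ones included)."""
    tokens = {part.lower() for part in name.split() if len(part) >= 3}
    d, m, y = birthday.day, birthday.month, birthday.year
    tokens |= {
        f"{d:02d}{m:02d}", f"{m:02d}{d:02d}",            # DDMM / MMDD
        f"{d:02d}{m:02d}{y % 100:02d}", f"{y}",           # DDMMYY / YYYY
        f"{d:02d}{m:02d}{y}", f"{y}{m:02d}{d:02d}",       # DDMMYYYY / YYYYMMDD
    }
    return tokens


def check_secret(secret, name, birthday):
    """Return the reasons a PIN or password breaks the column's rules.
    An empty list means the choice passed."""
    problems = []
    low = secret.lower()
    # Rule 1: nothing that can be associated with you.
    for tok in sorted(personal_tokens(name, birthday)):
        if tok in low:
            problems.append(f"contains personal information: {tok}")
    # Rule 2: no common words, whole or embedded.
    if low in COMMON_WORDS or any(w in low for w in COMMON_WORDS if len(w) >= 5):
        problems.append("is, or contains, a common word")
    # Rule 3: difficult to guess. A PIN must not be a trivial digit pattern;
    # a password needs length and a mix of character classes, as in "J&Jw2gh2o".
    if secret.isdigit():
        if len(set(secret)) == 1 or secret in ("1234", "4321"):
            problems.append("is a trivial digit pattern")
    else:
        classes = sum(bool(re.search(p, secret))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if len(secret) < 8 or classes < 3:
            problems.append("is short or uses too few character classes")
    return problems


if __name__ == "__main__":
    # Constructed customer: Budi Santoso, born 15 August 1975.
    for s in ("J&Jw2gh2o", "1508", "budi1975", "password"):
        print(s, "->", check_secret(s, "Budi Santoso", date(1975, 8, 15)) or "OK")
```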

Banks must also take similar measures to educate their employees about the importance of security and ensure that each employee understands their roles and responsibilities.

This is done through a formally documented security policy, awareness sessions and training courses.

Of course, they also need specialized security hardware and software and a system to monitor compliance with the security policy, reward compliance and penalize non-compliance. Remember, a chain is only as strong as its weakest link and security can be compromised because of the actions of just one person.

Recently, a number of IT security professionals established the Information Systems Security Association (ISSA) Indonesia Chapter whose objective is to raise awareness about the importance of security and provide opportunities for education and training.

Hopefully, such initiatives will help make security stronger for all Indonesian organizations, including our banks.

If customers and banks fulfill their responsibilities, it will make it much more difficult for external parties such as hackers and other criminals to steal money from our accounts!