Tue, 13 Jan 2004

Public's lack of trust poses big challenge to online banking

Rudijanto, Contributor, Jakarta

Transferring funds to one's bank account by a few clicks of the computer mouse or some touches on a mobile phone's buttons using today's sophisticated IT and cellular network system, with its layers of security protection, sounds like a practical solution for modern people, but what if things go wrong and the funds are diverted to the incorrect bank account?

That is the most common concern among people who are still traumatized by unfavorable events in cyberworld, especially the emergence of increasingly sophisticated hackers who seem to have very sharp eyes for any minor weakness in the internet system, as well as various cybercrimes that have already inflicted financial losses on numerous internet banking users.

The cellular world of mobile phones has its own crimes that have also caused major losses to some mobile phone users. The media has frequently reported about people who have obediently, as if under a hypnotic spell, transferred their money via the ATM to swindlers who have cheated by sending misleading SMSs, like, "Transfer this amount as an advance for your prize," and so forth.

With all of those disheartening events in both the cyber as well as the cellular worlds, many people have their own legitimate reasons to question their safety, as many aspects still remain obscure to most laymen.

While both the internet and mobile banking systems in most banks have significantly improved, bankers admit that they have difficulty changing this negative perception among a significant portion of customers.

Citibank's vice president for e-Business, Rico Usthavia Frans, compares the current doubt of people on the security of internet and mobile banking with the same hesitancy toward using the ATM in the 1980s.

"But I do believe that in the not-too-distant future the internet and mobile banking service will be acceptable here just like in advanced countries where the infrastructure is already good. In Indonesia, the infrastructure is improving," said Rico.

Citibank has been among the pioneers in internet banking in Indonesia since the bank started this service in November 2001. However, the bank seems very cautious in promoting their internet banking services.

"We have not really launched the internet banking services. As of now, we only offer it to our existing customers because we are still enriching our experience," said Rico.

This learning process of Citibank's personnel on the internet banking services reflects the bank's care in safeguarding and developing its internet banking system.

"For every system that we are developing, we submit it to the Ethical Hacking Test by a group of professional hackers in the United States to make sure that the system is secure enough. And we pay between US$20,000 and $30,000 for such security test," said Rico.

Other banks have their own standard security systems such as Secure Socket Layer (SSL) 128 bit Encryption to process and safeguard data into secret codes.

To give more security to internet banking users, Bank Mandiri also offers Token PIN (Personal Identification Number), which functions to generate a new PIN for each financial transaction by every user of the bank's internet banking services.

These PINs, often called dynamic PINs, make it almost impossible for those with bad intentions to find out the PIN for individual users since the PIN keeps on changing in every transaction and each customer's ID number has a link only to one TOKEN PIN series number.

"To protect our internet banking users we also limit the internet banking transaction to Rp 10 million per day," said Kostaman Thayib, Bank Mandiri's senior vice president group head for consumer liabilities.

In mobile banking, this bank's tight security system is backed with another sophisticated security system belonging to major cellular phone operators like Telkomsel, Excelcomindo Pratama and Satelindo.

Aside from the bank's own security system, cellular phone operators still provide mobile banking users with a security key in their SIM card. The key functions to encrypt data that is uploaded by mobile banking users.

"We provide a system in our SIM card that can encrypt data being sent via cellular phone to the bank. Only the bank, not even us, can open this data. Therefore, transactions via our network are end-to-end secure," said Reyhan, Telkomsel's mobile banking manager.

These two layers of security systems from the bank and cellular phone operators lead some people to believe that mobile banking is more secure than internet banking. Multimedia expert Roy Suryo is among those who believe in the security of mobile banking due to this double security systems.

Internet expert Onno Purbo said that the level of encryption applied by cellular operators was equal to or higher than Wired Equivalent Privacy that makes mobile banking already secure.

However, Citibank's vice president Rico believes that internet banking and mobile banking have the same level of security since there is practically no technological defect in either system, especially the ones used by Citibank.

He said that although technologically it is difficult to break the security system in both its internet and mobile banking, he emphasized that the human factor or the users themselves play an important role in safeguarding the transactions.

"Therefore, we should pay attention not only to the technology but also enhance the level of customer awareness of the technology," said Rico.

Based on a number of media reports, human error rather than technological defect has trapped some internet users. Spoofing is a part of this trap that can lead people to reveal their data to unauthorized persons.

"Usually, users receive emails that ask them to update their data. This email has a hyperlink to a typo site. Once people update their data, they automatically give away their most confidential data," said Rico.

Another human error is lending one's cellular phone to others, and some of them may well be ill-intentioned people or some borrowers may unknowingly let other people find out one's PIN. This will lead to the phone owner's to suffer financial losses.

The rapid growth of cellular phone users that constitutes a potential market for mobile banking should at the same time raise the vigilance on the danger of crimes through Short Message Services (SMS). PT Telkomsel's Reyhan said that his company cannot do much to prevent such crimes except by providing education to its users.

The Indonesia Cellular Telecommunication Association recently reported the number of cellular phone users has reached 18.5 million in 2003. The association predicted that the number may increase to 25 or 27 million within this year.

This steady growth of cellular phone users has exceeded that of internet users which is estimated between three and four million in 2003. Not only this figure provides a big opportunity for mobile banking but certainly opportunities for evil doers as well.

Technologically, both the internet and mobile banking systems applied by banks and cellular phone operators have improved to such a sophisticated level that creates major headache for the criminals. But human carelessness remains as a crucial factor for the effective implementation.

That is why continuous education by both banks and cellular operators become critical in protecting their customers from swindlers. Without this the promise of easy and practical transactions may prove to be as easy for evil people to enrich themselves at the cost of internet and mobile banking users.