ASIA NEWS NETWORK
WE KNOW ASIA BETTER
Indonesian banks, regulator gear up for potential security breach
Publication Date : 26-05-2014
Indonesia's major lenders and banking regulator are introducing tighter security measures in a bid to foil future scam attempts following a recent skimming attack, that targeted customers’ bank accounts with state-run Bank Mandiri.
According to Bank Mandiri’s electronic banking head, Rahmat Broto Triaji, the state lender had launched new automated teller machines (ATMs) fitted with jamming devices.
“The jammer will block electromagnetic waves that are transmitted by a skimming device. Once the waves are blocked, the device will not function,” he said.
Rahmat said the bank’s ATMs were equipped with a light sensor that would automatically shut the machines down in the event of suspicious activity.
“A skimming device placed inside the card reader obstructs the lighting. The lack of proper lighting will then be detected by the sensor,” he explained.
He acknowledged there would always be a technology battle between lenders and criminals or fraudsters, and to cope with that, he said Mandiri engaged an independent third party to test and attempt to penetrate its system at least twice a year.
As previously reported, Mandiri was recently forced to freeze a number of its customers’ bank accounts and replace their debit cards following indications of ATM skimming.
The number of cards affected in the skimming case exceeded 1,000, most of which were used in overseas transactions, Rahmat said.
In a separate case, a man in Surakarta, Central Java, managed to steal 21 billion rupiah (US$1.82 million) in April from a private bank that was reportedly carrying out a software upgrade.
The case is now being handled by the National Police’s Criminal Investigations Directorate (Bareskrim) in Jakarta.
Meanwhile in March, six Malaysians were arrested for allegedly breaking into ATMs and stealing 1.24 billion rupiah from 112 customers of private lender Bank Central Asia (BCA).
Commenting on the latest incidents, Bank Indonesia (BI) Deputy Governor Ronald Waas, who oversees the banking industry’s payment systems, said the central bank would
step up its supervision of the lenders’ risk-management mechanisms.
“We are authorised to check their SOPs [standard operating procedures],” he said, adding that BI would meet with teams from the Association of Payment Systems of
Indonesia (ASPI) and the Communications and Information Ministry to review exiting guidelines and regulations.
BI, according to Ronald, had no plan to change the deadline for all debit cards to incorporate chip technology from the current magnetic strips, even though the use of chips would significantly reduce the risk of skimming. The deadline is still set for Dec. 31, 2015.
Meanwhile, Bank Negara Indonesia (BNI) has taken a new step in security by introducing a virtual card number (VCN) to enable its customers to shop online without having to submit their actual credit or debit card numbers.
That way, according to BNI’s information technology head, Henrisa Lubis, customers’ data would remain confidential and secure.
“Customers are required to register first. They will be given a different VCN for each transaction,” he said, adding that VCNs were accepted by various online retailers, both domestic and overseas.
Besides the VCN, Henrisa said that BNI had implemented a two-factor authentication (TFA) system for its electronic banking transactions. He explained that the TFA,
which requires customers to input two verification codes when conducting transactions, had so far provided airtight security for its customers.
Separately, BCA’s chief manager of enterprise security, Jeffrey Sukardi, said that in addition to its own security system, the bank was paying special attention to those of its partners as well.
“In general, banking security has become harder to penetrate. So, what criminals are doing at the moment is to attack banking partners, such as retailers and merchants,” he said, citing the “Target” case as an example.
Target, which is the US’ second-largest retailer after Walmart, was hacked last year and the incident led to some 40 million shoppers’ credit card data being stolen.
The company reportedly sustained direct costs of $60 million due to the incident.
Jeffrey said the BCA regularly monitored its partners’ systems for any anomalies, using the payment card industry data security standard (PCI-DSS).
However, despite the bankers’ claims, Tulus Abadi, chairman of the Indonesian Consumers Foundation (YLKI), said the latest cases were proof that Indonesia’s banks and regulator still had a great deal to do.
“If their systems were truly secure, we would not be hearing of these fraud cases, and yet they keep on happening,” he said.
He insisted that BI and the Financial Services Authority (OJK) should carry out thorough audits of each lender, and ensure that each bank had adequate customer-data backups.
Contacted via phone, digital forensics expert Ruby Alamsyah echoed Tulus’ view, saying that cases of skimming were still occurring, partly because banks and the police had not provided optimal protection.
“Banks can continue to improve their systems and educate their customers about transaction security, but the police should be taking down the mastermind [behind these attacks].
It’s been the same group since 2009. The police have already identified it and they know where it’s located,” he said.