Technology has become a double-edged sword for Indonesia’s banking industry. It accelerates the growth of digital banking, yet it also brings new challenges for data security. The automation trend itself has multiplied the number of digital banking transactions. As a consequence of the seamless banking experience, digital banking is more vulnerable to unauthorized access to customers’ confidential information. Following the ATM skimming cases at BRI in Indonesia, the bank began launching a digital signature verification method for mobile banking transactions to protect those transactions from cyber threats in digital banking. In this article, we discuss how banks have adapted to these cybersecurity challenges and developed the innovation further, through the questions below.
How can digital signatures be an effective alternative for data security in digital transactions?
With the Banking Everywhere slogan, common in modern banking nowadays, digital banking should have a strong and resilient capability to withstand disruptive cyber-attacks. The series of ATM skimming cases was proof that Indonesia's digital banking still lacks resistance to cyber-attacks, and that Indonesian banks urgently need a solution to this problem.
In April 2018, BRI partnered with BSSN (Badan Siber dan Sandi Negara/National Cyber and Encryption Agency) to implement a digital signature verification system in its mobile banking transactions to provide a more secure digital banking experience. Digital signatures work as a verification system that authenticates a customer’s personal and financial data using a public and private key pair, after which the customer receives an electronic certificate legally authorized by BSSN.[i] At an early stage, the digital signature will be used as proof of validation when opening an account in BRI Mobile Banking. Digital signature technology offers a higher level of security because the signature is sealed by an embedded private code that prevents unauthorized parties from tracing the bank account’s password.[ii]
Besides Indonesia, Malaysia had already been using digital signatures for its digital transactions two decades earlier. After this verification method was implemented, it was found that Malaysian banks mostly used it to authenticate corporations’ internet banking transactions, rather than regular customers’ transactions. This is due to the rigid nature of digital signature law enforcement, which required additional internal experts to justify the transactions.[iii] In the end, there are more user-friendly alternatives for customers to choose from, such as Transaction Authentication Code and Vasco Token. In the case of Indonesia, it remains to be seen which direction authentication systems will take in the future.
How have other banks adapted to the current cybersecurity challenges?
From the banking industry’s perspective, it is believed that as the trend of digital banking rises, cyber threats have become a top risk. According to the PwC Indonesia Banking Survey 2018, cyber risk will be viewed as the most concerning risk for the banking industry over the next 2 to 3 years.[iv]
Besides BRI, BCA and Mandiri, two banks in Indonesia with a large number of digital transactions, have already prepared their information technology infrastructure for future cybersecurity issues. Digital transactions make up most of both banks’ total transactions, at 97% for BCA and 94% for Mandiri.[v][vi]
In 2017, BCA began a partnership with Cisco and applied the Application Centric Infrastructure[vii] to strengthen the security of its mobile banking application, as BCA tries to answer the shifting trend from internet banking to mobile banking.
Whereas BRI adopted digital signatures as its solution for securing its digital banking, Bank Mandiri instead viewed digital signatures as one of the cybersecurity services that can be offered to other companies. Through Mandiri Capital, the firm under Bank Mandiri, it launched the digital signature provider called Privy ID in 2016.[viii]
How does the government ensure secure digital banking and mitigate fraud?
To keep up with the vast growth of digital banking, the government is urged to take strategic steps sooner or later, as digital banking could affect the fiscal and financial stability of the state itself. BRI, as a state-owned bank, has followed the strategy of the Finance Ministry of Indonesia, which had established cooperation on digital signature technology with BSSN a month earlier.[ix] Besides establishing BSSN’s role in financial cybersecurity, the government’s steps were also followed by comprehensive cybersecurity regulations. This was shown by one of the regulations of OJK (Otoritas Jasa Keuangan/Financial Services Authority), which urged banks with digital banking services to set up digital branch offices immediately. Under the name of ‘Guidelines for Commercial Banks on Establishment of Digital Branches 2016,’ OJK ensured that banks should have proper digital banking leadership and a risk management system to ensure customers’ data protection.[x]
One indicator that a bank already has a solid cybersecurity strategy is whether it has a Chief of Information Security Officer, who will be placed under the digital branch office itself. In 2018, only one-third of Indonesian banks had a Chief of Information Security Officer.[xi] The crucial role played by cybersecurity experts in financial institutions affects how customers perceive and trust banks in managing and preventing financial data breaches.
Cybersecurity shouldn’t be limited to a technological perspective; it should also consider how it benefits the business and customer data protection. Many emerging banks in Indonesia have already invested in IT infrastructure, including digital signatures as an innovation. Hopefully, cybersecurity awareness will spread not only within the banks themselves but also among digital banking users, so that the innovation leads to more user-friendly security features.
[i] Aldin, U. (2018). Cegah Pemalsuan Data, BRI Gandeng BSSN Gunakan Sertifikat Elektronik. [Online] Katadata.co.id. Available at https://katadata.co.id/berita/2018/04/20/cegah-skimming-bri-gandeng-bssn-gunakan-sertifikat-elektronik [Accessed on 27 June 2018]
[ii] Thakkar, D. (n.d). Digital Signatures in the World of Banking Security. [Online] Bayometric.com. Available at https://www.bayometric.com/digital-signatures-in-the-world-of-banking-security/ [Accessed on 27 June 2018]
[iii] Saripan, H and Hamin, Z. (2011). The application of the digital signature law in securing internet banking: Some preliminary evidence from Malaysia. Procedia Computer Science, 3, pp. 248-253 (see pp. 250-252). doi:10.1016/j.procs.2010.12.042. [Online] Available at https://www.researchgate.net/profile/Zaiton_Hamin/publication/220308704_The_application_of_the_digital_signature_law_in_securing_internet_banking_Some_preliminary_evidence_from_Malaysia/links/0c96053c7365410028000000/The-application-of-the-digital-signature-law-in-securing-internet-banking-Some-preliminary-evidence-from-Malaysia.pdf?origin=publication_detail [Accessed on 28 June 2018]
[iv] Wake, D and Suhenda, L. (2018). 2018 Indonesia Banking Survey: Technology shift in Indonesia is Underway. p.34 [Online] Available at https://www.pwc.com/id/en/publications/assets/financialservices/2018-indonesia-banking-survey.pdf [Accessed on 28 June 2018]
[v] Nordiansyah, E. (2018). 97% Transaksi di BCA Menggunakan Layanan Digital Banking. [Online]. Metrotvnews.com. Available at: http://ekonomi.metrotvnews.com/mikro/ybJMpWWN-97-transaksi-di-bca-menggunakan-layanan-digital-banking [Accessed on 2 July 2018]
[vi] Kompas, (2018). Transformasi Digital Ala Bank Mandiri. [Online] Kompas.com. Available at https://biz.kompas.com/read/2018/02/03/104346328/transformasi-digital-ala-bank-mandiri [Accessed on 2 July 2018].
[vii] The Network – Cisco Newsroom. (2017). Bank Central Asia selects Cisco ACI, ignites IT collaboration. Newsroom.cisco.com. Available at: https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1878503 [Accessed on 3 July 2018]
[viii] Mandiri Capital. (2016). Privy ID. [Online] Mandiri-capital.co.id. Available at http://mandiri-capital.co.id/id/?portfolio=privyid-2 [Accessed on 3 July 2018]
[ix] Kementrian Keuangan Republik Indonesia. (2018). Pentingnya Data, Kemenkeu Menjalin Kerjasama dengan BPS dan BSSN. [Online] Kemenkeu.go.id. Available at https://www.kemenkeu.go.id/publikasi/berita/pentingnya-data-kemenkeu-menjalin-mou-dengan-bps-dan-bssn/ [Accessed on 2 July 2018]
[x] Otoritas Jasa Keuangan. (2017). OJK Issues Digital Office Guideline toward Digital Banking in Indonesia. [Online] Ojk.go.id. Available at https://www.ojk.go.id/en/berita-dan-kegiatan/siaran-pers/Documents/Pages/Press-Release-OJK-Issues-Digital-Office-Guidelines,-Toward-Digital-Banking-in-Indonesia/SP%2005%20DKNS%20OJK%201%202017-ENGLISH.pdf [Accessed on 27 June 2018]
[xi] Wake, D and Suhenda, L. (2018). 2018 Indonesia Banking Survey: Technology shift in Indonesia is Underway. p. 38 [Online] Available at https://www.pwc.com/id/en/publications/assets/financialservices/2018-indonesia-banking-survey.pdf [Accessed on 28 June 2018]