Why are we still using key generator devices for Internet banking?

One of the barriers to Internet banking in Indonesia is the compulsory requirement to use a physical key generator as an additional security measure to prevent unauthorized access to your bank account. While the device makes it more difficult for someone to break into bank accounts, its inconvenience is the price consumers pay for safe internet banking.

It is inconvenient because every time you need to perform an online transaction session, you have to enter a set of numbers produced by the key generator. This means you have to carry this small calculator-like device with you at all times, alongside the other gadgets you carry on a daily basis.

What’s the big deal, you are probably asking; it’s just another small gadget. The big deal is that if you lose it you’ll need to request another one from the bank, which is not that convenient if it happens at five in the afternoon or you’re in an area without a branch of that bank, for example overseas.

Additionally, if you’re overseas for an extended period of time and the battery in your key generator runs out, you’re pretty much prevented from making any online transaction using your Indonesian bank account.

These days people carry all different kinds of smartphones and use them for all sorts of things: playing music, watching movies, buying and selling shares, drawing buildings and parks, playing games, emailing, browsing websites, and so on. Everything converges into a single device, so why not internet banking?

Overseas, people do internet banking from their phones or mobile devices. They pay for airfares, buy presents, transfer funds, all through their handhelds, all through integrated apps without having to use a separate key generator, so why do we have to use it here?

Internet banking in this country has been around for just over a decade. Back then smartphones did not exist, and banks weren’t using key generators either; they added them later to improve security.

Since today’s devices are able to perform so many functions, coming up with a secure key generator app shouldn’t be too difficult. Google, for example, has its own app called Google Authenticator, which provides a two-step authentication process for access to its services where available.

Banks could hire application developers to come up with their own key generator app for each of the major mobile platforms. Since adoption of these advanced devices is on the rise, it shouldn’t be too much of an issue to deliver such apps for Symbian, BlackBerry, Android, iOS and perhaps Windows Phone platforms.

Or they could go all the way and make an app for all Internet banking activities which would make things that much easier and more convenient for customers.

Of course, the majority of bank account holders in Indonesia still use Java-based phones, and since there are many who do not understand the utility of applications, the demand for key generators would remain large.

For the sake of customer service and making it that much more convenient for the tens of millions of Indonesian smartphone owners to engage in internet banking, it certainly would be worth the cost to develop those apps.

[image by @BrettMcGuire]

10 thoughts on “Why are we still using key generator devices for Internet banking?”

  1. The new Permata internet banking is already using a Java app token generator. Using J2ME for Android 2.0, I can run this app on Android phones; sadly this is not the case with iOS.

  2. My work uses a similar system for its VPN. You can use the toggle device or an app (which comes in iOS or BB). The banks must be able to do the same without too much trouble.

  3. Most banks in Indonesia are using tokens from Vasco. Vasco itself has already provided a solution for mobile: http://www.vasco.com/products/digipass/digipass_software/digipass_for_mobile.aspx

  4. That has been the hot topic since 2002. The main issue: how to harden mobile banking without creating another hassle for mobile customers, while also complying with standard banking security.

    Using a token like Vasco's, as depicted above, is the cheapest solution for the OTP (One Time Password) challenge. It will only cost the bank as low as $5 each for 1000 units.

    Compare that to VIP Access from Verisign, http://itunes.apple.com/us/app/vip-access/id307658513?mt=8: this app is free for the customer, but for the bank, the investment of $250k for the software license is inevitable. Let alone the cost of redundant yet clustered hardware servers for the software itself. For another 50 users, the price will increase eventually.

    Why not use SMS? Well, just like @nataliardianto:disqus said: plain dumb and simple. But that was from the perspective of the end user. Don’t forget that SMS has no encryption at all. Anything sent from and to users’ mobile phones will be easily seen by the operator. It's only plain text in their database, tho’.

    Using Java technology will limit end users’ devices. The previous version of Danamon Online used a Java applet, which limited the system to high-end mobile gadgets. No tablet can run a Java applet, AFAIK. Using Java Mobile (previously J2ME) will also prohibit iPhone/iPad users from using that kind of system. Some banks are even still using SMS as the medium. The J2ME app from Panin uses encrypted SMS, whilst the J2ME app from Bank Syariah Mandiri uses GPRS and does not allow the user to use a WiFi network.

    So, the choice is the bank’s now: whether they want to use less secure but hassle-free, or more secure with hassle. Not to mention their investment to harden the infrastructure.

  5. SMS is bad news. I have 5 years of experience using SMS for remote control, and it is (1) not reliable (delayed for hours or not being sent at all) and (2) not secure, because it is plain text and there is a possibility of a man-in-the-middle attack.

  6. Well, let’s take it this way. All your online accounts use only username and password. Google had two-step authentication and rarely anybody uses it.

    M-banking survives, so why not SMS verification? A hacker had to have both sides to be able to hack the account. And if the hacker knows the mobile phone where the SMS is delivered to, then the bank is already compromised.

  7. Even though we have to use this tiny gadget for internet bank transactions, it really helps me to make my account secure, so there is no problem at all.

  8. As we know, online banking is becoming more and more popular, thus people are trying to get these facilities in more use. Customers used to do even transactions through e-banking or with the newly launched technology, that is, payment by mobile phone. Thanks for the post. I really liked it.
