WanHart Blog

March 28, 2008

The Difference Between Online Banking and an Online Payment Gateway. Are Credit Card Transactions over the Internet Safe?

A year ago (August 2007) I telephoned almost every bank in Indonesia to ask whether they offered an online payment gateway service. Almost all of them answered, "Yes, sir, we have online banking, you can transact over the internet." Only one bank answered correctly: BNI 46. They said, "Yes, we have an online payment gateway," and gave me the telephone number of NsiaPay right away. Perhaps some readers here do not yet understand the difference between online banking and an online payment gateway either.

Let us look at the basic differences between online banking and an online payment gateway:

Differences

Online Banking | Online Payment Gateway
--- | ---
Can only be accessed through that bank's own website, and only by that bank's customers | Can be accessed and implemented on the website of any merchant that has an online store
Purchases or transactions are limited to what that bank offers | Holders of any kind of credit card, not limited to a single bank, can transact
You can check your account balance | You cannot check your account balance

Similarities

Online Banking | Online Payment Gateway
--- | ---
Security: 128-bit or 256-bit encryption keys | Security: 128-bit or 256-bit encryption keys

Internet Banking

Internet banking has no shopping cart and is only available to those who become customers of that bank. The goods offered for purchase are limited to the vendors/suppliers that already have an agreement with that bank.

[Screenshots: hsbc1.gif, bca1.gif]

Online Payment Gateway

An online payment gateway can be applied to almost any online store. Its hallmarks are a shopping cart and a checkout page. An online payment gateway can accept almost any credit card and is not limited to a particular bank's customers or a particular type of card.

[Screenshot: amzon1.gif]

Use of online payment gateways in Indonesia is very limited.

Broadband networks in Indonesia are growing, through companies such as FirstMedia, BizNet and TelkomSpeedy. More and more homes and offices are getting broadband access. This is good for the growth of globalization. But Indonesia is still far behind in applying transaction technology. Abroad, financial transactions over the internet are commonplace.

Indonesians should make good use of this broadband internet connectivity, given how congested Jakarta's traffic is. By shopping through an online payment gateway, buyers can transact conveniently and safely.

Are credit card transactions over the internet safe?

Below is an adapted article on internet security from http://www.inet2000.com/public/encryption.htm. Sorry, I have not had time to translate it into Indonesian. Would anyone like to help? Please send your translation to blog@WanHart.com. Thank you for your help. Regards, WanHart.

Q: How secure is the encryption used by SSL?
A: It would take significantly longer than the age of the universe to crack a 128-bit key.

SSL uses public-key encryption to exchange a session key between the client and server; this session key is used to encrypt the HTTP transaction (both request and response). Each transaction uses a different session key, so that even if someone did manage to decrypt a transaction, that would not mean that they had found the server’s secret key; if they wanted to decrypt another transaction, they’d need to spend as much time and effort on the second transaction as they did on the first. Of course, they would first have had to figure out some method of intercepting the transaction data in the first place, which is in itself extremely difficult. It would be significantly easier to tap your phone, or to intercept your mail to acquire your credit card number, than to somehow intercept and decode Internet data.


Servers and browsers do encryption ranging from a 40-bit secret key to a 128-bit secret key, that is to say ‘2 to the 40th power’ or ‘2 to the 128th power’. Many people have heard that 40-bit is insecure and that you need 128-bit to keep your credit card info safe. They feel that using a 40-bit key is insecure because it’s vulnerable to a “brute force” attack (basically trying each of the 2^40 possible keys until you find the one that decrypts the message). This was in fact demonstrated when a French researcher used a network of fast workstations to crack a 40-bit encrypted message in a little over a week. Of course, even this ‘vulnerability’ is not really applicable to applications like an online credit card transaction, since the transaction is completed in a few moments. If a network of fast computers takes a week to crack a 40-bit key, you’d have completed your transaction and be long gone before the hacker even got started.

Of course, using a 128-bit key eliminates any problem at all because there are 2^128 instead of 2^40 possible keys. Using the same method (a network of fast workstations) to crack a message encrypted with such a key would take significantly longer than the age of the universe using conventional technology. Remember that 128-bit is not just ‘three times’ as powerful as 40-bit encryption. 2^128 is ‘two times two, times two, times two…’ with 128 twos. That is two, doubled on itself 128 times. 2^40 is already a HUGE number, about a trillion (that’s a million million!). Therefore 2^128 is that number (a trillion), doubled over and over on itself another 88 times. Again, it would take significantly longer than the age of the universe to crack a 128-bit key.

Key Size | Possible Key Combinations
--- | ---
2-bit | 2^2 = 2×2 = 4
3-bit | 2^3 = 2×2×2 = 8
4-bit | 2^4 = 2×2×2×2 = 16
5-bit | 2^5 = 2×2×2×2×2 = 32
6-bit | 2^6 = 2×2×2×2×2×2 = 64
7-bit | 2^7 = 2×2×2×2×2×2×2 = 128
8-bit | 2^8 = 2×2×2×2×2×2×2×2 = 256
9-bit | 2^9 = 2×2×2×2×2×2×2×2×2 = 512
10-bit | 2^10 = 2×2×2×2×2×2×2×2×2×2 = 1024
11-bit | 2^11 = 2048
12-bit | 2^12 = 4096
16-bit | 2^16 = 65536
24-bit | 2^24 = 16.7 million
30-bit | 2^30 = 1 billion (1,073,741,800)
40-bit | 2^40 = 1 trillion (1,097,728,000,000)
56-bit | 2^56 = 72 thousand quadrillion (71,892,000,000,000,000)
128-bit | 2^128 = 2 multiplied by itself 128 times over = 339,000,000,000,000,000,000,000,000,000,000,000 (give or take a couple trillion…)

Doing the math, you can see that using the same method that was used to break 40-bit encryption in a week, it would take about 72 million weeks (about 1.4 million years) to even break ‘56-bit medium’ encryption and significantly longer than the age of the universe to crack a 128-bit key. Of course the argument is that computers will keep getting faster, about doubling in power every 18 months. That is true, but even when computers are a million times faster than they are now (about 20 years from now if they double in speed every year), it would then still take about 6 thousand, trillion years, which is about a million times longer than the Earth has been around. Plus, simply upgrading to 129-bit encryption would take twice as long, and 130-bit would take twice as long again. As you can see, it’s far easier for the encryption to keep well ahead of the technology in this case. Simply put, 128-bit encryption is totally secure.

Q: How do I know if encryption is enabled or not?
A: Your browser (Netscape or Internet Explorer) will tell you.

In Netscape versions 3.X and earlier you can tell what kind of encryption is in use for a particular document by looking at the “document information” screen accessible from the File menu. The little key in the lower left-hand corner of the Netscape window also indicates this information. A solid key with three teeth means 128-bit encryption, a solid key with two teeth means 40-bit encryption, and a broken key means no encryption. Even if your browser supports 128-bit encryption, it may use 40-bit encryption when talking to other servers or to servers outside the U.S. and Canada. In Netscape versions 4.X and higher, click on the “Security” button to determine whether the current page is encrypted, and, if so, what level of encryption is in use.

In Microsoft Internet Explorer, a solid padlock will appear on the bottom right of the screen when encryption is in use. To determine whether 40-bit or 128-bit encryption is in effect, open the document information page using File->Properties. This will indicate whether “weak” or “strong” encryption is in use.

Q: What about warnings or errors about the secure certificate?
A: Your personal security settings will determine what warnings you see.

Depending on how your security settings are set up in your browser, you may also see information about our certificate when you enter the secure directories. This information will usually include the dates that the certificate is valid for, the site name that the certificate has been issued to, and the Certificate Authority (or ‘CA’) that issued the certificate. You can also usually view the certificate to see information about the various parties, including Inet2000 and our CA.

The most common warning is that you have not previously chosen to trust the authority. This is a normal warning if you haven’t already purchased anything online from a merchant whose certificate was issued by a Certificate Authority that you haven’t told your browser to trust from now on. Of course, you may well have no errors, warnings or information screens at all – again, largely depending on the way you’ve got your security settings set in your browser.

In any case, the encryption level and the security is the same whether you’ve got your settings low (don’t warn me about anything) or very high (warn and inform me about everything). Either way, your data is still encrypted and still secure.
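The two answers above rely on the browser's key icon, padlock and certificate dialog to show the key size in use and the certificate's validity dates, site name and issuing CA. The following added example (not code from the original post or from Inet2000) performs those same checks with Python's standard ssl module: assess() inspects the negotiated protocol, the session-key size and the certificate's validity window and hostname, and live_check() runs it against a real server using the system's trusted-CA list. The sample cipher, certificate fields and hostnames are constructed for illustration, and the findings list returned by assess() is this example's own convention.

```python
import socket
import ssl
import time

# Constructed sample values (not from any real server), shaped like ssl.SSLSocket.cipher() and getpeercert()
SAMPLE_CIPHER = ("TLS_AES_128_GCM_SHA256", "TLSv1.3", 128)
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # a moment inside the window
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def name_matches(cert, hostname):
    """True if a DNS subjectAltName covers hostname (one-label wildcard allowed)."""
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        value = value.lower()
        if kind == "DNS" and (value == host or
                              value.startswith("*.") and host.split(".", 1)[1:] == [value[2:]]):
            return True
    return False

def assess(cipher, cert, hostname, now=None):
    """Return a list of findings; an empty list means the session looks sound."""
    now = time.time() if now is None else now
    name, protocol, bits = cipher
    findings = []
    if protocol in OBSOLETE_PROTOCOLS:
        findings.append(f"obsolete protocol {protocol}")
    if bits < 128:  # the 40/56-bit 'weak' case the page describes
        findings.append(f"weak {bits}-bit session key ({name})")
    window = (ssl.cert_time_to_seconds(cert["notBefore"]), ssl.cert_time_to_seconds(cert["notAfter"]))
    if not window[0] <= now <= window[1]:
        findings.append("certificate outside its validity window")
    if not name_matches(cert, hostname):
        findings.append(f"certificate not issued for {hostname}")
    return findings

def live_check(hostname, port=443, timeout=5.0):
    """Connect using the system trust store (the browser's trusted-CA list) and assess the session."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return assess(tls.cipher(), tls.getpeercert(), hostname)

print(assess(SAMPLE_CIPHER, SAMPLE_CERT, "shop.example", now=SAMPLE_NOW))  # offline run: []
```

live_check() needs network access and raises ssl.SSLCertVerificationError before assess() runs if the server's certificate is not trusted, expired or issued for another name, which is the programmatic counterpart of the browser warnings described above.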

Q: What happens when the credit card is actually processed?
A: The transaction is totally secure.

At Inet2000, the security of your personal information is paramount. All credit card transactions are completed using a 128-bit SSL encrypted secure transaction. As we transmit the information to the bank’s secure SSL server, they require a 128-bit transaction and will not process a transaction without one. Even though 40- or 56-bit transactions are very secure, our bank’s insistence on 128-bit SSL means that there is never any chance of your information ever being intercepted or decoded. Again, your security is of paramount importance for us. If you have any questions or concerns, please email them to info@inet2000.com and we’ll be pleased to help you out. :-)

4 Comments

  1. The articles on your blog are all good. To make them even more useful, you could promote and popularize your articles on infoGue.com to readers throughout Indonesia. Blogger greetings!
    http://www.infogue.com/
    http://www.infogue.com/bisnis_keuangan/perbedaan_online_banking_dan_online_payment_gateway_amankah_transaksi_kartu_kredit_melalui_internet_/

    Comment by kaitokid724 — March 28, 2008 @ 08:42

  2. A small comment, sir...

    The encryption that exists is indeed extraordinary if you try to crack it with today's CPU power...
    unfortunately, the security problem goes beyond mere encryption...

    A sophisticated IT security team will dig deeper into the human aspect...
    such as how passwords are created... the use of look-alike domains such as kilkbca instead of klikbca...
    cases like these are far simpler with a social approach...

    next, the worst of all is the internal hacker, who can account for up to 80% of system infiltrations.. the latest case was the IT manager of a private bank's credit card division who deliberately sold credit card data...
    for this kind, no encryption is needed...

    thank you

    rchatab

    Comment by rudi chatab — May 14, 2008 @ 06:09

  3. Agreed. For the social approach, known as SOCIAL ENGINEERING (of the negative kind, with the aim of deceiving), please learn more by reading the book “The Art of Deception: Controlling the Human Element of Security”.

    The Art of Deception: Controlling the Human Element of Security
    Ref: http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/076454280X/ref=pd_bbs_1?ie=UTF8&s=books&qid=1210771090&sr=1-1

    Comment by wanhart — May 14, 2008 @ 13:19

  4. […] The difference between online banking and an online payment gateway. This clarifies one of the sentences in point #3 […]

    Pingback by Online Payment Gayeway, who can serve it? : Geek Building The Bridge Part 2 — May 25, 2008 @ 02:21

