By Debin Gao
Associate Professor of Computer Security at the Singapore Management University (SMU)
Indonesians today do not think twice about buying online, whether it is food, medicine, clothes, or even household items. According to Statista, there were 4.6 billion online transactions in 2020 worth almost USD$14 billion.
Indeed Indonesia is seen as the fastest-growing digital economy in Southeast Asia. The region has one of the fastest-growing internet markets with Indonesia’s internet economy expected to be worth US$146 billion by 2025, representing 20% compounded annual growth, according to a report by Alphabet’s Google, Temasek Holdings, and Bain & Company.
But as the internet economy grows and online transactions increase exponentially, cyber security and data hijacking are also rising in tandem. This is one area where not enough attention has been paid by both end-users as well as corporates.
Cyber attacks on mobile devices are on the rise, with over 100 million attacks reported per year since 2018. Despite this, recent security research shows that most companies have unprotected data and poor cybersecurity practices in place, thus making them vulnerable to potential hacking.
With greater sophistication and malware, cyber attacks are becoming hugely costly for corporations often running into millions of dollars in losses. With work-from-home and workers bringing their own devices into the office, the number of cyberattacks will increase significantly in the coming years.
This is a major challenge facing corporations worldwide, including Indonesia.
From an end-user perspective, people do care about security and privacy but often we do not know what other functions the apps on our handphones are performing. For example, when we order food from an app, the location of the person is often needed to place the order but does the app have hidden functions such as consuming our internet data or even collecting our IMEI numbers?
People are also concerned about privacy as online transactions continue to rise, especially with private data being sold to third parties.
It is clear that apps on our handphones collect such data. We just do not know how this data is used and protected.
From a corporate perspective, there are two main concerns. Firstly, many employees are encouraged to use certain apps for their everyday business activities. In such cases, the organization must make sure that the apps are secure especially if they are developed by third-party contractors.
Secondly, many organizations rely on apps to interact with their customers such as banks and online shopping platforms. Such apps use passwords and customer identities to ensure security.
The key question is therefore how do corporations safeguard customer information such as usernames and passwords?
On 12 April, 2022, the Singapore Management University has collaborated with Synthesis Communications to conduct a virtual roundtable with several Indonesian executives from various industries and sectors, such as banking & security, financial technology, and telecommunications. The event was held from 9 AM – 11 AM Jakarta time via ZOOM with Debin Gao (Singapore Management University) and Deni Kurniawan (Telkomsel) as its main speakers.
In my presentation, I elaborated on how modern technology has continued to power our lives and gathered data on day-to-day occurrences and transactions. And how technology has enabled new businesses and solutions, but can also potentially backfire on us if we do not use said technology in a secure and correct manner.
Debin then continued to explain the three fundamental elements in our technological infrastructure to show just how fragile they are, namely on internet protocol, border gateway protocol, and software vulnerability and exploits.
He then explained just how difficult it is to remove, replace, or upgrade most networking protocols that did not take cyber security into account during its initial creation. Another fragile system is the software we have in our devices. Software and buffer overflow can potentially be overwritten by attackers without us knowing how and when it happened due to the attackers’ concealed origins.
Meanwhile, Deni had elaborated Deni first shared the data service traffic profile within Telkomsel, one of the biggest telecommunication companies in Indonesia and how much it has grown in the last year as a result of the pandemic. “People are growing accustomed to these methods of communication and entertainment (e-commerce, social media, browsing, streaming, messaging and video calling) and this number will keep growing in the future,” said Deni.
Deni then explained how supply chain attacks have compromised many of Telkomsel’s customers and partners. Suppliers normally don’t have sufficient security to protect themselves in order to infiltrate big companies’ systems and steal or compromise their data. Most of these attacks focuses on supplier codes (66%), exploit customer trust (62%), access data (58%) and malware attacks (62%). He later on gives a case study example of the cyber attacks Kaseya received in 2011 before explaining how to properly mitigate such cases
“We can buy programs, equip our people, equip our systems, but all of these attacks may be targeted to your suppliers so it’s important to add cyber security clauses to ensure that suppliers put the right kind of mitigation for their digital data,” said Deni. “We may also apply penalty fees to anyone who disobeys the contract as a form of insurance.”
At Singapore Management University, we have been undertaking research to build new security systems for different types of customers. Our solutions are aimed at both corporations as well as end-users. One such solution is the Dynamic Analysis System for Android apps which helps the organization to perform detailed fine grain as well as low-level analysis of the app. The analysis goes all the way down to the processor level so all actions on the app are captured.
Another system we are developing is for end-users who have numerous apps on their handphones. We can determine exactly what data and information are captured by these apps by using side channels. The advantage of using side channels is that it is non-intrusive so the user can continue to use the app without any disruptions.
In today’s world where apps are commonplace and used for multiple purposes, it is critical that any organization that interacts with its customers uses apps to ensure the privacy and security of the data that is exchanged. While functionality and usability of the apps are important, this must be balanced with security and privacy.
We can expect that cyber-attacks will continue to impact us both at the individual level as well as the corporate level. But we do not have to be victims as we can take the right action to safeguard our data and privacy.
To prepare for the upcoming cyberwar, SMU has the tools for top executives to arm themselves. We can help organizations build a technology roadmap that includes cyber security.
Email: info@emeritus.org