THE ‘SCRIPLESS’ SYSTEM DEFENSE WEAPON

Investors don’t have to worry about their electronic shares account data being stolen from the KSEI data system, because the KSEI scripless settlement system is equipped with a defense weapon. What is it?

For the investor, shares account data is of course of great importance, for it is here that the record of his portfolio wealth is kept. Imagine how devastated an investor would be on finding out that his account data had been interfered with.

This would be one of the investor’s concerns in the absence of physical shares. It boils down to the security of safekeeping shares and mobility of securities. In the mobilized system, such account data would be proven in physical scrip. What happens when that sort of data is kept in an electronic account?

What if Ahmad’s shares account in Securities Company A is being browsed by an unauthorized party, while the account reflects Ahmad’s wealth? It’s no wonder that investors are curious about the security of the scripless settlement system.

 

Investors do not have to worry. KSEI has taken all necessary measures to secure the depository and securities transaction settlement system. This security device is called C-BEST (The Central Depository and Book Entry Settlement).

According to Arie Coerniadi, Head of KSEI’s Management Information System Division, participants – stock exchange members and custodian banks – must go through a general procedure in order to enter the C-BEST network. “Security measures must be taken, because the data contained in the C-BEST system is a very sizable capital market asset”, said Arie.

The participant must pass several phases of security in order to access C-BEST data: identification, data transmission and data processing. Keep in mind that each account is personal; the account position of Securities Company A cannot be browsed by Securities Company Z, and vice versa. Each account’s data can only be opened by its owner.

The C-BEST online network that connects the participants’ computers uses internet technology, but does not use a public internet network.

The first step is identification. In this step the C-BEST system authenticates and verifies the system user. As a safeguard, C-BEST asks for "what you know" and "what you have".

Every C-BEST user answers "what you know" with a PIN code and password. To answer "what you have", the participant must produce the keyfile previously given by KSEI. A keyfile holds identity and security information generated automatically and at random by the C-BEST system.

By analogy with banking, the steps a participant takes to open an account at KSEI are similar to those for opening a bank account. After going through a registration process and obtaining the account, a bank client receives an ATM card. The KSEI participant instead receives a keyfile, which is an electronic file sent by the C-BEST database to the participant’s computer.

With PIN code, password and keyfile security, unauthorized parties cannot steal access. Someone who knows the password but doesn’t have the keyfile will be denied entry into the C-BEST network. The same goes for those who have a keyfile without the PIN code.

As another security measure, PIN codes are given a limited lifetime. Thus, even if the participant’s keyfile and PIN code fall into the hands of other parties, access will still be denied once the PIN code is blocked or has expired. After this initial data is entered, C-BEST will examine or identify the authenticity of incoming data.
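The identification step described above can be sketched as follows. This is an added example, not KSEI or C-BEST code: the PIN lifetime, the failure threshold, the keyfile format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PIN_LIFETIME_S = 30 * 24 * 3600  # assumed lifetime; the article gives no figure
MAX_FAILURES = 3                 # assumed threshold before the PIN is blocked


def _derive(pin: str, password: str, salt: bytes) -> bytes:
    """Slow hash of the knowledge factor so the server never stores it in clear."""
    secret = f"{len(pin)}:{pin}{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


@dataclass
class Participant:
    salt: bytes
    knowledge_hash: bytes  # "what you know": PIN code + password
    keyfile_digest: bytes  # "what you have": digest of the issued keyfile
    pin_issued_at: float
    failures: int = 0


def enroll(pin: str, password: str, now: float):
    """Register a participant; returns the server record and the keyfile to deliver."""
    salt, keyfile = os.urandom(16), os.urandom(32)  # keyfile content is random
    record = Participant(salt, _derive(pin, password, salt),
                         hashlib.sha256(keyfile).digest(), now)
    return record, keyfile


def identify(p: Participant, pin: str, password: str, keyfile: bytes, now: float) -> str:
    if p.failures >= MAX_FAILURES:
        return "denied: PIN blocked"
    if now - p.pin_issued_at > PIN_LIFETIME_S:
        return "denied: PIN expired"
    # Evaluate both factors before deciding, so the reply does not reveal
    # which of the two was wrong.
    knows = hmac.compare_digest(_derive(pin, password, p.salt), p.knowledge_hash)
    has = hmac.compare_digest(hashlib.sha256(keyfile).digest(), p.keyfile_digest)
    if knows and has:
        p.failures = 0
        return "granted"
    p.failures += 1
    return "denied: identification failed"
```

The blocked and expired checks run before any credential is examined, which is why a stolen keyfile and PIN stop working once the PIN has lapsed.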

 

The second step is data transmission. After the identification has been typed in by the participant on his computer, the participant sends an instruction to C-BEST, for example an account transfer or a balance inquiry. That information travels over the network to the C-BEST data center at the KSEI office. Along the way, the information packet must be secured. It could happen that, midway, the cable is cut and its route diverted (man in the middle attack).

It is possible to break through a firewall, for instance, by sending large numbers of packets simultaneously so as to exhaust the firewall and bring its system down. In such a condition, the firewall can no longer distinguish between worthy and unworthy packets. To avoid this, KSEI has installed two firewalls. Should the first firewall drop, the second firewall will take over its function. “KSEI has prepared a firewall capacity to access 512 connections, and can still be increased”, said Arie.

The third step is processing. Upon arrival at the primary machine, C-BEST assesses the data against the provisioned business rules. This assessment enforces the four-eyes or six-eyes principle, that is, the separation of access rights between the party that inputs data and the parties that verify it. In the case of a deviation, for example an instruction to transfer shares data owned by an unauthorized person, C-BEST will automatically reject processing.

The auditing facility is yet another security tool, one that differs from the other, preventive instruments. Auditing is placed at the end of activities. All transactions occurring between C-BEST and participants are registered in the auditing facility. All instructions, such as securities mutations, complete with the date, hour and minute of execution and the executing participant, are registered in a log book, which will be reviewed by internal as well as external auditors at any time.

The auditing facility can be used to supervise system users, and as investigation material in the case of misuse of authority by a securities company official who conducts transactions beyond the authority granted by his company.
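The processing step and the audit log described above can be sketched together as follows. This is an added example, not KSEI or C-BEST code: the account numbers, company mapping, field names and the rule that each distinct person counts as two eyes are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: which participant owns which securities account.
ACCOUNT_OWNER = {"A-001": "Securities Company A", "Z-001": "Securities Company Z"}
AUDIT_LOG = []  # append-only record of every instruction, accepted or not


@dataclass
class Instruction:
    participant: str          # company sending the instruction
    from_account: str
    to_account: str
    quantity: int
    maker: str                # user who entered the data
    checkers: list = field(default_factory=list)  # users who verified it


def process(instr: Instruction, required_eyes: int = 4, when: datetime = None) -> str:
    """Apply the business rules, then log the outcome whatever it is."""
    when = when or datetime.now(timezone.utc)
    people = {instr.maker, *instr.checkers}  # a maker cannot count twice
    if ACCOUNT_OWNER.get(instr.from_account) != instr.participant:
        outcome = "rejected: account does not belong to instructing participant"
    elif instr.quantity <= 0:
        outcome = "rejected: invalid quantity"
    elif 2 * len(people) < required_eyes:
        outcome = f"rejected: {required_eyes}-eyes verification incomplete"
    else:
        outcome = "accepted"
    AUDIT_LOG.append({
        "time": when.strftime("%Y-%m-%d %H:%M"),  # date, hour and minute
        "participant": instr.participant,
        "maker": instr.maker,
        "checkers": list(instr.checkers),
        "instruction": f"{instr.from_account}->{instr.to_account} x{instr.quantity}",
        "outcome": outcome,
    })
    return outcome
```

Rejected instructions are logged as well as accepted ones, since the rejected attempts are what an auditor investigating misuse of authority needs to see.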