Beware of Digital Scammers
One-time verification passcodes, also called one-time passwords (OTPs), have become the target of digital scammers seeking to hijack an individual’s messaging or ride-hailing accounts.
JAKARTA, KOMPAS — Many scammers are targeting messaging or ride-hailing accounts in Indonesia that come with electronic wallets (e-wallets). Instead of using advanced technology, these digital fraudsters simply rely on deception to steal the OTPs that the service provider sends to the account holder during a transaction.
From January to February, Kompas investigations revealed that it was extremely easy to hijack ride-hailing and messaging accounts like WhatsApp (WA), with victims coming from a variety of backgrounds.
The perpetrators steal money from the e-wallet of one ride-hailing account, and then go on to hijack the accounts of other victims. Meanwhile, the perpetrator uses the hijacked WhatsApp account to commit fraud against the members of the original user’s WhatsApp group, asking them to transfer some money.
Hanny, 39, an employee of an insurance company, said that her Gojek ride-hailing account was nearly hijacked at the end of January. She said that she ordered a Gojek from Blok M, South Jakarta, to Depok, West Java, at around 11 p.m. on 17 Jan. and intended to pay for the ride using her Gopay digital wallet.
The app showed that the account of Gojek driver “A.A. Wahyu Supriadin” had picked up her order, but A.A. Wahyu Supriadin was in Bandung, West Java. Scammers had hacked Wahyu's Gojek account at around 7:30 p.m. that day, about three hours before Hanny’s order.
Responding to the case, Gojek senior corporate affairs manager Teuku Pravinanda explained that the company had applied the PIN system for all Gopay transactions. Gojek would also issue additional warnings of any suspicious activity.
Account hijacking
How could a Gojek driver account like Wahyu’s be stolen? Wahyu, during an interview at his residence in West Bandung, said that he had received an order on 17 Jan. with a designated pickup location at Muara Ciwidey in Bandung. The customer had contacted Wahyu via a cellphone number that began with +91, the country code for India. Indonesia’s country code is +62.
On arriving at the pickup location, Wahyu was contacted by the fraudster, who pretended to be a Gojek customer service officer. The scammer, who was using the cellphone number 085783276711, informed Wahyu that the order was fictitious.
Wahyu said he believed the explanation. Then, a few moments later, the scammer used a different phone number to contact Wahyu and told him to sign out of the Gojek Driver app. Since then, Wahyu has been unable to sign in to his account.
The scammer who hacked Wahyu's account then tried to scam Hanny. Using yet another number, the man contacted Hanny and told her that her location did not appear on the map of the Gojek app. He then asked Hanny to provide the four-digit OTP she had received via SMS, under the pretext that he needed the code to pinpoint her location on the Gojek map.
Fortunately, Hanny realized she was being scammed, and did not tell the perpetrator her OTP.
Transfer request
The WhatsApp scam works in a similar way. As long as the perpetrator can obtain an OTP from an account holder, they can gain access to and use the victim's WhatsApp account. This is what House of Representatives lawmaker Andreas Hugo Pareira experienced in December 2019.
Andreas said that he was initially contacted by the perpetrators via his Instagram account. Claiming to be a travel agency, the perpetrators promised huge discounts on overseas travel.
The perpetrators asked for Andreas’ WhatsApp number, after which they asked for the OTP that Andreas should have received via SMS, saying that they needed the code for registration and verification. The perpetrator was actually using Andreas' cell number to open a new WhatsApp account, and the app had automatically sent an OTP to register the new account to Andreas’ phone.
Unaware that he was being scammed, Andreas provided the OTP code to the perpetrators. "[After that], I received many phone calls asking if I had financial problems, because I asked them to transfer money," he recalled. Andreas, of course, had never made the request.
One of Andreas's staffers became a victim when they fell for the scam and transferred money to the specified bank account, which turned out to belong to the perpetrator, Ali Budin Baso.
Security quality
Gojek and WhatsApp said that, as service providers, they always tried to improve the security of their apps through various features. WhatsApp Asia-Pacific communications director Sravanthi Dev said that WhatsApp provided two-layer security so that users’ accounts could not be easily hacked.
"We provide the two-step verification feature. Through this feature, users install a six-digit password or PIN for their account. This feature can protect accounts from hacking," said Dev.
Meanwhile, Teuku Pravianda said that the OTPs Gojek sent to users were valid only for 30 seconds, and were also accompanied by a warning not to share the code with anyone. "Gojek has also been implementing a phone number disguising feature in stages to maintain the confidentiality of data in the form of telephone numbers," he said.
According to University of Indonesia criminologist Adrianus Meliala, account hijacking was a common crime. The perpetrator tricked the victim using psychological manipulation, employing a scenario that sounded logical so that the victim would believe it. The perpetrators also targeted their victims deliberately during rush hour, so users were already distracted and more likely to be unaware that they were sharing the OTPs. The perpetrators relied on the victims' state of urgency, which made them predisposed to making quick decisions.
Psychologist Ratih Ibrahim said that constant vigilance was needed to ward off this crime. (MDN/SPW/MTK/DVD)