People’s digital literacy must also be improved. In other words, in order to fight digital crime, everyone must be involved.
By KOMPAS TEAM
JAKARTA, KOMPAS – Indonesia has no regulation to protect people from online data theft through the misuse of one-time passwords. Using these codes, victims of theft may suffer from much more than just material losses through a digital app.
AA Wahyu Supriadin, for instance, lost his job as a ride-hailing service driver and the Rp 51,000 (US$3.59) he earned through the ride-hailing service application Gojek. Someone hacked his Gojek account, which has his full name and cellphone number, and used it for scams targeting Gojek customers. Consequently, Wahyu’s work partnership with Gojek was terminated on 31 January 2020.
Such fraud occurs due to a lack of protection for digital app users. The police rely only on the Electronic Information and Transactions (ITE) Law to hunt hackers of online accounts and phone numbers. No regulation exists to protect users from data theft.
Almost all applications now require users to register their phone numbers. Using these numbers, app managers send users one-time passwords (OTP). No regulation exists on such a mechanism.
The head of Subdirectorate I of the cybercrime directorate of the National Police's Criminal Investigation Department (Bareskrim), Sr. Comr. Reinhard Hutagaol, said on Tuesday (25/2/2020) that some OTPs were not accompanied by a warning for customers not to share the codes with others.
In line with this, to quote application market data and analysis provider App Annie, Indonesia is the third-largest nation of app downloaders after India and China. Between 2016 and 2019, the app download growth rate was 190 percent in India, 80 percent in China and 70 percent in Indonesia.
Targeting mobile banking
Nowadays, cyber criminals are targeting OTPs used in mobile banking applications. These criminals no longer merely ask for the OTP but also steal victims’ cellphone numbers. This was what happened to senior journalist Ilham Bintang, who lost Rp 300 million from his savings. The theft occurred after scammers obtained Ilham’s phone number by requesting a SIM card replacement.
Afterward, the scammers withdrew money from Ilham’s savings account through a mobile banking application. All activities in the banking application use OTP confirmation sent to the cellphone number.
A Jakarta Police investigation found that the scammers obtained Ilham’s personal data by purchasing it from a bank worker. Ilham alleged that the scammers hijacked his cellphone number in order to easily obtain the OTP. The scammers could therefore transfer money through the mobile banking app to his own account. “These are the facts,” he said.
No mechanism exists
Bandung Institute of Technology (ITB) telecommunication technology expert Agung Harsoyo, who is also an Indonesian Telecommunications Regulation Body (BRTI) commissioner, said that vulnerabilities existed in the OTP system. Therefore, a mitigation system is required to reduce risks.
“No standardized mechanism exists [to tackle such crimes],” he said.
He suggested that application providers implement two or three layers of security in their apps. Agung said that an investigation found that the SIM card replacement had been carried out without adhering to standard operational procedures. An employee of the mobile network operator is alleged to have agreed to the scammers’ request for a SIM card replacement by giving them a form and asking them to sign it.
Reflecting on the rampant cases of digital identity theft, University of Indonesia criminologist Adrianus Meliala said that such crimes existed due to the absence of regulation to protect app users. Theft of app accounts is considered personal data theft, as the accounts contain full names and cellphone numbers.
Articles on personal data theft can be found in the Personal Data Protection Draft Bill (RUU PDP) currently under deliberation at the House of Representatives.
Communications and Information Ministry informatics application director general Semuel Abrijani Pangerapan said that, in the digital era, users were required to build trust in interacting in digital spaces.
If the RUU PDP is approved, personal data thieves may face up to 10 years in prison. However, Semuel said that the regulation was just the foundation of data protection. Additional regulations are required to ensure the law’s effectiveness.
Indonesian Consumers Foundation (YLKI) chairman Tulus Abadi said that only app managers were committed to protecting app users. “The system should also be improved,” he said.
People’s digital literacy must also be improved. In other words, in order to fight digital crime, everyone must be involved.