TEMPO.CO, Jakarta - A new method of stealing money from bank accounts by hijacking customers' telephone numbers is on the rise. Banks cannot avoid responsibility.
The government and the banking industry must anticipate the rise of a new way of stealing from customers' bank accounts using applications on cellular phones. These digital thieves are now smarter at stealing customers' telephone number data, then using it to hijack the banking applications on their devices. Without a satisfactory early detection system, bank accounts can be emptied in a short time without the need for the thief to be physically present at the bank.
Therefore, it is time that all banks that have digital apps improved their customer data protection systems. If not, thefts from bank accounts using this method will continue. One major weakness of digital banking applications is the weak customer identity verification process in their systems. It is this shortcoming that the thieves use to take over the mobile banking applications of their victims.
At the end of last August, Yulistriani fell victim to this digital theft. Her Indosat Ooredoo card was hacked at around 1 a.m. at a mobile phone repair shop in Cakung, East Jakarta. After discovering that Yulistriani used the telephone number for her Bank Rakyat Indonesia (BRI) Mobile account, the thieves hacked this account and emptied it. They were able to hijack Yulistriani's bank application easily because the bank tied its password change verification process to her phone number, which had already been stolen.
A similar thing happened to senior journalist Ilham Bintang, who filed a police report in January this year after his Commonwealth Bank account was emptied. Investigations revealed that Ilham's Indosat number had been hacked a few weeks previously and had been used to access his banking app. Fortunately, his two other bank accounts were untouched. In contrast to Commonwealth, the mobile banking apps of those two banks were able to detect the unusual activity by the thieves when they tried to access Ilham's accounts. This is why the use of the two-factor authentication security feature is important for customers.
The theft from the bank accounts was preceded by cloning of the phone card number, or subscriber identity module (SIM) card swap, of the victims. This is a new and dangerous criminal practice. It is not easy to steal money from bank accounts using this method. It needs expertise and experience. There are also indications that the victims were not chosen randomly. In other words, the thieves already had access to their victims' financial records.
It is time the Financial Services Authority intervened. The regulator must evaluate the digital systems of all banks operating in Indonesia. Law No. 10/1998 on banking obliges all banks to protect the secrecy of customers' data and transactions. This regulation must be upheld in order to maintain public trust in the banks.
Nor can cellular telephone service providers avoid responsibility. Although it has ISO 27001:2013 certification on consumer information security, Indosat must not be complacent. The cloning of Yulistriani's and Ilham Bintang's telephone numbers would not have happened if the Indosat system had asked for official identification when verifying the owners' identities. The communication and informatics ministry must ensure that all telecommunications service providers adhere to consumer data protection standards.
This digital crime involves an organized network of people with good technological knowledge. It is believed that many more people have been affected because not every victim is prepared to file a report. Without fundamental improvements, people will continue to fall victim.