At Indonesia's biggest bank, customers' savings can vanish with a click

Source
Al Jazeera - April 5, 2024

Bali and Jakarta, Indonesia – Late last year, Balinese woman Nih Lu Putu Rustini got the shock of her life when she tried to withdraw cash from an ATM to complete a renovation project at her ancestral home.

Working as a cleaner during the day and a nanny by night, Rustini had saved 37 million Indonesian rupiahs ($2,340) in an account at Bank Rakyat Indonesia, Indonesia's largest bank.

But the ATM showed a balance of almost zero.

When she visited her local BRI branch, a teller informed her that her money was gone.

"They said a hacker had stolen my money and they could not return it to me," Rustini told Al Jazeera.

"It's not fair because it took me a long time to earn that money but the hackers took it in seconds. I was shocked."

I Made Rai Dwi Ada Diatmika, a leather goods manufacturer in Bali, had a similar experience last August when he tried to make his first withdrawal in years.

A hacker had cleared out his savings of 72 million rupiahs ($4,650) the previous May.

As in Rustini's case, BRI refused to accept responsibility for the loss.

"When I opened the account at BRI three years ago, they asked me to download their app onto my phone. They said it was safer because I would get daily reports. But I never used it as I forgot the password," Diatmika told Al Jazeera.

"We put our money in the bank for security. But if hackers can get in so easily and find all our data, BRI must have a big problem with their security."

Rustini and Diatmika are among numerous BRI customers whose savings were stolen by hackers via the bank's mobile app.

As Southeast Asia's largest economy, with the fourth-highest number of internet users and the fifth-largest e-commerce sector in the world, Indonesia is an attractive target for cybercriminals.

Data published by Indonesia's National Cyber and Encryption Agency shows there were 361 million online traffic anomalies between January 1 and October 26 in the country last year.

Attacks on email accounts in Indonesia rose by 85 percent in the third quarter of 2023, even as breaches in countries such as the US and Russia declined, according to data collected by Netherlands-based cybersecurity firm Surfshark.

Meanwhile, Indonesia ranks third from last among G20 countries for preventing and managing cyber threats, according to Estonia's National Cyber Security Index.

"There's a lot of information out there indicating Indonesia is one of the world's largest sources and targets for cybercrime," Gatra Priyandita, an analyst with the Australian Strategic Policy Institute's Cyber Policy Centre in Sydney, told Al Jazeera.

"Indonesians are more vulnerable in a way because of their poor digital hygiene. They are becoming more aware of the problem but when you have 200 million people suddenly jumping online, they will always be more vulnerable."

Government websites are the number one target of cyberhackers in Indonesia, followed by the energy and financial sectors, according to the Mandiant M-Trends 2023 survey.

"Banks are targets because banks are where the money is," BRI's head of information Muharto, who like many Indonesians goes by only one name, said at a forum in Jakarta in June.

"Cybercriminals are now collaborating with each other and operating as a group with combined capabilities," he said, adding: "Banks cannot fight cybercrime alone and must synergise [their efforts] with the government and regulators."

BRI does not publicly share data on how many of its customers' accounts have been hacked and did not respond to Al Jazeera's requests for comment.

However, the bank claims it has "taken steps to fight cybercrime" as "a pillar" of its mission, citing its work with the police and investments in cutting-edge cybersecurity software sold by companies like Elastic Security in the US.

"Its features and capabilities on top of our data make it the perfect fit for our operational needs," Tri Danarto, BRI's security operation department head, was quoted as saying in a news release last year.

In February of last year, BRI permanently closed the website version of its e-banking services and diverted all online transactions to its new mobile banking app BRImo, claiming it was "safer" and "easier for customers to access".

BRI also maintains that it strives to educate customers about the dangers of installing mystery apps and opening suspicious links and emails.

In July, a BRI customer in the city of Malang in East Java reported that she had 1.4 billion rupiahs ($90,330) stolen from her account, which the bank discovered she had enabled by clicking on a fake wedding invitation sent on WhatsApp.

"This incident occurred because the victim had leaked personal and secret banking transaction data to irresponsible parties," BRI Malang branch manager Sutoyo Akhmad Fajar said in a statement at the time, adding that while the bank sympathised with the victim, it could only pay compensation when at fault.

Ardi Sutedja Kartawidjaya, chairperson of the Indonesian Cyber Security Forum in Jakarta, said that in "90 percent of cyberattacks against bank accounts, the fault lies within the customer because of their negligence and fraud schemes that are becoming more and more sophisticated".

But if it can be proven that the victim did not enable the breach, the missing funds can be replaced under the Indonesian government's deposit guarantee scheme.

"First the victim must file a police report, who are required to investigate according to the Personal Data Protection Law of 2022. But bear in mind that this process takes quite some time as it requires complex forensic digital investigative skills," Kartawidjaya told Al Jazeera.

ASPI's Priyandita said that Indonesian authorities' capacity to investigate such crimes is constrained by a shortage of digital forensics specialists.

"The National Cyber and Encryption Agency had its budget cut from 2 trillion [rupiahs] in 2019 to 100 billion [rupiahs] during the pandemic – a time when arguably more funding was needed. The budget is now 600 billion [rupiahs], but it still isn't enough," he said.

In Bali, cybercrime victim Diatmika has experienced the problem of under-resourcing firsthand.

"I provided the police with all the details, including the name and account number of the person in Java who stole my money. But they said they didn't have any budget to travel to Java and investigate, and that if I wanted a refund, I had to fight the bank. But to do that I needed a lawyer. I have no more money, so I was forced to give up," he said.

Like Diatmika, Rustini, who insists she did not download any suspicious apps or click on suspect links, initially did not intend to fight BRI, considering the cost of hiring a lawyer to be out of reach.

But after Balinese law firm Malekat Hukum offered to represent her pro-bono, she filed a complaint with the police. In addition to filing a suit against BRI, Malekat Hukum has lodged a case with Indonesia's Alternative Dispute Resolution Institution in the hope of settling the matter through mediation.

BRI has so far failed to respond to requests for mediation.

"BRI Bank is notorious for cyberattacks. I have heard of many passing cases where their customers lost everything, and we need to do something about it," she told Al Jazeera.

"They're supposed to be serving their customers and protecting their customers' money. Their argument that they are not responsible just doesn't stand. They're the ones who need better security, not their customers. And if they cannot offer secure online banking, they shouldn't be offering it – period."

Diatmika said he knows other BRI customers who have been similarly scammed.

"There was a man who lived only three minutes from my house. He had a stroke and died after 1 billion rupiahs [$64,500] was stolen from his account. His family had to sell their house," he said.

Cybersecurity expert Kartawidjaya said the phenomenon is not unique to BRI.

"Almost all financial service providers in Indonesia are experiencing constant cyberattacks. But most don't report such events for reputation management reasons," he said.

Priyandita said he fears that cybersecurity in the country will get worse before it improves.

"Indonesia is banking on digital technology as a key driver of growth, but cyber security is simply not the priority it should be," he said.

"Efforts are being made to respond to the problem, but again these are limited by resourcing."

Source: https://www.aljazeera.com/economy/2024/4/5/at-indonesias-biggest-bank-customers-life-savings-vanish-with-a-clic
