Indonesian Political, Business & Finance News

Alarming, cyberfraud in Indonesia

Source: JP

Donny B.U., Coordinator of Information and Communication Technology
(ICT) Watch, Jakarta, donnybu@ictwatch.com

Watch out when using your credit cards. According to the latest
research by Texas-based security company ClearCommerce, Indonesia
ranks second after Ukraine on the list of countries of origin of
cyberfraud (carding).

The research by ClearCommerce (www.clearcommerce.com) -- which
was conducted from mid-2000 until the end of 2001 and involved
1137 merchants, six million transactions and 40,000 customers --
revealed that 20 percent of the total number of credit card
transactions in Indonesia on the Internet were cyberfraud.

Every cyberfraud practice certainly inflicts losses on
cardholders, the merchants, the merchants' banks (acquirers) and,
particularly, card issuers like Visa or Mastercard. Every time a
card issuer approves a transaction without realizing that it is
conducted by a carder (the term used for those performing
cyberfraud), the chargeback or loss is borne by this card issuer.

However, if a merchant often resorts to chargeback, the
merchant can also be put on the acquirer's blacklist. What
carders have done has also troubled many parties in Indonesia
wishing to conduct honest transactions on the Internet because
their credit cards will be rejected.

Today, many merchants on the Internet have indiscriminately
rejected every transaction from and to Indonesia, or the use of
Indonesian credit cards. They have even blocked the Internet
Protocol (IP) addresses of Indonesia.

A report made by the European Commission (www.europa.eu.int),
issued in July 2000, showed chargeback cases originating from
online transactions in 2000 accounted for 50 percent of the total
online and off-line chargeback cases.

Gartner Inc. (www.gartner.com) reported in early March 2002
that more than US$700 million in transactions through the
Internet was lost in the course of 2001 due to cyberfraud. This
value accounted for 1.14 percent of the total online transaction
value of US$61.8 billion and was 19 times higher than the loss of
offline transaction value.

Rampant practices of cyberfraud have become a potential
constraint to the development of e-commerce. A recent survey
released by the UCLA Center for Communication Policy
(www.ccp.ucla.edu) in November 2001 showed that 79.7 percent of
respondents were very concerned about the security of credit card
data in transactions through the Internet.

The survey's results also stressed that 56.5 percent of
respondents using the Internet and 74.5 percent of respondents
not using the Internet agree that using the Internet poses risks
to the security of their personal data.

In the case of Indonesia, the result of a survey conducted by
CastleAsia (www.castleasia.com), which was made public in January
2002, showed that only 15 percent of small- and medium-scale
enterprises surveyed agreed to use Internet Banking. Of the
remaining 85 percent, half said they were worried about the
security of Internet transactions.

In fact, relevant authorities in Indonesia have not just sat
idle in the face of rampant local cyberfraud.

In April 2001, Yogyakarta police apprehended five carders in
their boarding house in Bantul. During the raid, police
confiscated a number of items worth millions of rupiah such as
paintings, golf clubs, telescopes and car carburetors.

In the same month, Semarang police nabbed two carders in their
boarding house in Kauman Timur, Semarang. Police confiscated
sunglasses and Oakley backpacks worth tens of millions of rupiah.

The carders caught in Yogyakarta and Semarang share something
in common: they are university students and have conducted their
cyberfraud practices at Internet kiosks known as warung internet
(warnet). These kiosks are safe places for these carders to
conduct cyberfraud since the IP address recorded by the merchants
will not refer only to a single computer. As for the delivery of
ordered items, they can be dispatched to a post box, a rented
house or "arranged" with the courier service.

Allegations that there is a syndicate of sorts behind cyberfraud
crime in Indonesia are not just nonsense. When the writer
investigated several warnet in Yogyakarta and Jakarta in 2001, it
was discovered that some kiosks had become a sort of
"headquarters" where these carders met to exchange information or
conduct transactions of items acquired through cyberfraud.

And it turned out many warnet administrators were involved
in cyberfraud practices: acting as financiers and brokers in the
transactions of goods obtained through cyberfraud and even
offering their visitors valid numbers of credit cards.

Another thing that serves as fertile soil for cyberfraud is
chatrooms for Indonesian carders on the Internet.

During an observation of two chatrooms used by Indonesian
carders throughout June 2002, the writer found the flow of credit
card number exchanges was really stunning.

The chatroom made available a BOT (a program script) with
various functions, such as showing valid numbers of credit cards
plus the owners' personal data. This BOT can also reveal the
CVV2, an additional security measure applied on credit cards
issued by Visa and Mastercard in the form of 3 additional digits
after the 16 digits of a credit card number.

This chatroom, which is visited by many surfers, has seen
dozens or even hundreds of credit card numbers pass every day,
including the credit cards owned by Indonesians. So, where is the
source of the credit card data issued by this BOT? Well, the
source is the customers' database of e-commerce sites which have
been penetrated.

Research issued by CyberSource Corp (www.cybersource.com) in
September 2001 showed that about 26 percent of well-known merchants
on the Internet did not keep data of their customers' credit
cards in their database, 46 percent kept and encrypted it, while,
unfortunately, the remaining 28 percent did not do any encryption
or simply answered with "I don't know". In March 2001, for
example, an Indonesian group of carders successfully penetrated
the database security system of a book shop site owned by
Barnes & Noble (www.bn.com) and took over all the credit card data
of its customers.

To curb the activities of local carders, some of the steps that
can be taken are to apply tight regulation on the use of
computers in warnet, such as taking down the identity of a person
renting a computer, and to ensure that kiosks' employees have
a strong sense of responsibility. Then legal enforcers must have
a broad understanding of the "underground" world in the Internet
and, last but not least, there must be a legal basis to arrest,
charge and convict cyberfraud perpetrators.
