Mon, 22 Jul 2002

Alarming, cyberfraud in Indonesia

Donny B.U., Coordinator of Information and Communication Technology (ICT) Watch, Jakarta, donnybu@ictwatch.com

Watch out when using your credit cards. According to the latest research by Texas-based security company ClearCommerce, Indonesia ranks second after Ukraine on the list of countries of origin of cyberfraud (carding).

The research by ClearCommerce (www.clearcommerce.com) -- which was conducted from mid-2000 until the end of 2001 and involved 1137 merchants, six million transactions and 40,000 customers -- revealed that 20 percent of the total number of credit card transactions in Indonesia on the Internet were cyberfraud.

Every cyberfraud practice certainly inflicts losses on cardholders, the merchants, the merchants' banks (acquirers) and, particularly, card issuers like Visa or Mastercard. Every time a card issuer legalizes a transaction without realizing that it is conducted by a carder (the term used for those performing cyberfraud), the chargeback or loss is borne by this card issuer.

However, if a merchant often resorts to chargeback, the merchant can also be put on the acquirer's black list. What carders have done has also troubled many parties in Indonesia wishing to conduct honest transactions on the Internet because their credit cards will be rejected.

Today, many merchants on the Internet have indiscriminately rejected every transaction from and to Indonesia, or the use of Indonesian credit cards. They have even blocked the Internet Protocol (IP) number of Indonesia.

A report made by the European Commission (www.europa.eu.int), issued in July 2000, showed chargeback cases originating from online transactions in 2000 accounted for 50 percent of the total online and off-line chargeback cases.

Gartner Inc. (www.gartner.com) reported in early March 2002 that more than US$700 million in transactions through the Internet was lost in the course of 2001 due to cyberfraud. This value accounted for 1.14 percent of the total online transaction value of US$61.8 billion and was 19 times higher than the loss of offline transaction value.

Rampant practices of cyberfraud have become a potential constraint to the development of e-commerce. The latest survey released by the UCLA Center for Communication Policy (www.ccp.ucla.edu) in November 2001 showed that 79.7 percent of respondents were very concerned about the security of credit card data in transactions through the Internet.

The survey's result also stressed that 56.5 percent of respondents using the Internet and 74.5 percent of respondents not using the Internet agree that using the Internet poses risks towards the security of their personal data.

In the case of Indonesia, the result of a survey conducted by CastleAsia (www.castleasia.com), which was made public in January 2002, showed that only 15 percent of small- and medium-scale enterprises surveyed agreed to use Internet Banking. Of the remaining 85 percent, half said they were worried about the security of Internet transactions.

In fact, relevant authorities in Indonesia do not just sit idle about rampant practices of local cyberfraud.

In April 2001, Yogyakarta police apprehended five carders in their boarding house in Bantul. During the raid, police confiscated a number of items worth millions of rupiah such as paintings, golf clubs, telescopes and car carburetors.

In the same month, Semarang police nabbed two carders in their boarding house in Kauman Timur, Semarang. Police confiscated sunglasses and Oakley backpacks worth tens of millions of rupiah.

The carders caught in Yogyakarta and Semarang share something in common: they are university students and have conducted their cyberfraud practices at Internet kiosks known as warung internet (warnet). These kiosks are safe places for these carders to conduct cyberfraud since the IP number recorded by the merchants will not refer only to a single computer. As for the delivery of ordered items, they can be dispatched to a post box, a rented house or "arranged" with the courier service.

Allegations that there is a syndicate of sorts on cyberfraud crime in Indonesia are not just nonsense. When the writer investigated several warnet in Yogyakarta and Jakarta in 2001, it was discovered that some kiosks became a sort of "headquarters" where these carders met to exchange information or conducted transactions of items acquired through cyberfraud.

And it turned out many warnets' administrators were involved in cyberfraud practices: acting as financiers and brokers in the transactions of goods obtained through cyberfraud and even offering their visitors valid numbers of credit cards.

Another thing that serves as fertile soil for cyberfraud is chatrooms for Indonesian carders on the Internet.

During an observation of two chatrooms used by Indonesian carders throughout June 2002, the writer found the flow of credit card number exchanges was really stunning.

The chatroom made available a BOT (a program script) with various functions, such as showing valid numbers of credit cards plus the owners' personal data. This BOT can also reveal the CVV2, an additional security measure applied on credit cards issued by Visa and Mastercard in the form of 3 additional digits after the 16 digits of a credit card number.

This chatroom, which is visited by many surfers, has seen dozens or even hundreds of credit card numbers pass every day, including the credit cards owned by Indonesians. So, where is the source of the credit card data issued by this BOT? Well, the source is the customers' database of e-commerce sites which have been penetrated.

Research issued by CyberSource Corp (www.cybersource.com) in September 2001 showed that about 26 percent of famous merchants on the Internet did not keep data of their customers' credit cards in their database, 46 percent kept and encrypted it, while, unfortunately, the remaining 28 percent did not do any encryption or simply answered with "I don't know". In March 2001, for example, an Indonesian group of carders successfully penetrated the database security system of a book shop site owned by Barnes & Noble (www.bn.com) and took over all the credit card data of its customers.

To cut the activities of local carders, some of the steps that can be taken will be to apply a tight regulation on the use of computers in warnet, such as by taking down the identity of a person renting a computer, and to ensure that kiosks' employees have a strong sense of responsibility. Then legal enforcers must have a broad understanding of the "underground" world in the Internet and, last but not least, there must be a legal basis to arrest, charge and convict cyberfraud perpetrators.