Beware: Hacking App Circulating Disguised as a Wedding Invitation

CNN Indonesia
30 Jan 2023 11:39

Summary

TLDR: The script discusses a new digital banking scam involving fraudsters using fake wedding invitations sent via WhatsApp to trick victims into downloading malware that intercepts SMS OTPs, facilitating the transfer of mobile banking accounts to the fraudsters. It highlights the importance of public awareness against clicking suspicious links and installing apps from outside the Play Store. The conversation also touches on the need for banks to strengthen security measures, including the implementation of 'What you have' verification methods to prevent unauthorized account transfers.

Takeaways

  • 📲 The script discusses a new mode of banking crime involving digital deception through WhatsApp invitations to weddings, aiming to compromise mobile banking security.
  • 🔒 The criminals require an SMS OTP (One-Time Password) to transfer the victim's mobile banking account to their own account, highlighting the importance of OTP security.
  • 🚫 It is advised not to click on suspicious links or install applications from outside the Play Store, as this could inadvertently grant SMS access to fraudsters.
  • 🔄 The script mentions that the criminals have shifted their tactics from using courier packages to wedding invitations and then to BPJS (Indonesian Health Insurance) bills to trick victims into revealing their OTP.
  • 🤖 The term 'sniffing' is clarified as stealing transactions that pass through communication channels like WhatsApp or the internet, which is different from the current method of SMS forwarding.
  • 🛡️ The need for additional security measures beyond OTP is emphasized, suggesting the use of 'What you have' verification methods, such as requiring a physical item like an ATM card.
  • 👥 The script points out that the data stolen in 2022 has likely spread among fraudsters, indicating that social engineering and profiling of potential victims are common tactics.
  • 🔑 It is suggested that if one's data has been compromised, they should immediately change their mobile banking passwords and PINs to prevent unauthorized access.
  • 🏦 The banking institutions are urged to improve their security systems and consider implementing 'What you have' verification for account transfers to prevent fraud.
  • 📈 There is a call for the OJK (Indonesian Financial Services Authority) to standardize and enforce better security measures for mobile banking services.
  • 🌐 The script highlights the low level of cybersecurity literacy among the general public in Indonesia and the need for better protection and awareness.

Q & A

  • What is the new method of banking crime discussed in the script?

    - The new method of banking crime discussed involves scammers using digital invitations, such as for a wedding, sent via WhatsApp to hack into mobile banking accounts.

  • How do scammers obtain the SMS OTP needed for transferring mobile banking accounts?

    - Scammers send files in Android package or APK format to trick victims into installing applications that forward SMS OTPs to the scammers' devices, allowing them to transfer the banking accounts.

  • What is the difference between the new scam method and traditional phishing attacks?

    - The new scam method is an evolution of phishing where scammers no longer need to send packages or pretend to be couriers; they use digital invitations and other social engineering tactics to trick victims into providing their OTPs.

  • Is this new scam method considered 'sniffing' or 'RAT' (Remote Access Trojan)?

    - No, this method is not considered sniffing or RAT. It is categorized as SMS forwarding, which is less sophisticated but still effective in stealing banking information.

  • What additional security measures are recommended for banks to prevent such scams?

    - Banks are recommended to implement 'What you have' verification methods, such as requiring a physical visit to an ATM or bank with an ATM card or ID for any account number changes, to supplement the OTP security.

  • Why is the OTP via SMS considered the weakest form of OTP security?

    - The OTP via SMS is considered the weakest because it involves a third party and can be intercepted by malicious applications designed to forward or steal SMS messages.

  • What is the role of social engineering in this new scam method?

    - Social engineering plays a significant role as scammers impersonate banks or other institutions to trick victims into filling out forms that collect their user IDs, passwords, and PINs.

  • How can the public protect themselves from falling victim to this scam?

    - The public should be cautious about clicking on links or installing apps from outside the Play Store, and always verify requests for OTPs and app permissions before granting them.

  • What is the importance of 'What you have' verification in the context of mobile banking security?

    - 'What you have' verification, such as requiring a physical token or card, adds an extra layer of security by ensuring that the person attempting the transaction has a unique, non-transferable item in their possession.

  • What actions should individuals take if they suspect their banking information has been compromised?

    - Individuals should immediately change their passwords and PINs for mobile banking and consider changing their mobile banking accounts if they are unsure of the security measures in place by their bank.

  • What is the role of the financial regulatory authority in addressing this new scam method?

    - The financial regulatory authority, such as OJK in Indonesia, should standardize and enforce strict security measures, including 'What you have' verification, to ensure the safety of mobile banking transactions.
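
The advice above to check app permissions before granting them can be automated when triaging a suspicious APK. The following is an added example, not material from the video: it assumes the APK's binary `AndroidManifest.xml` has already been decoded to text XML (for instance with apktool), and the package name, receiver name and verdict thresholds are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
EXFIL = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: decoded manifest of a hypothetical "invitation" APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wedding Invitation">
    <receiver android:name=".SmsListener" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return a list of findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    can_read, can_send = perms & SMS_READ, perms & EXFIL
    findings = []
    if can_read:
        findings.append("reads SMS: " + ", ".join(sorted(can_read)))
    if can_read and can_send:
        findings.append("can relay SMS off-device: " + ", ".join(sorted(can_send)))
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        if SMS_ACTION in actions:
            findings.append("broadcast receiver for incoming SMS: "
                            + receiver.get(ANDROID + "name", "?"))
    return findings


def verdict(manifest_xml):
    """'block' if the app can read SMS and send data out, else 'review' or 'allow'."""
    findings = triage_manifest(manifest_xml)
    if any(f.startswith("can relay") for f in findings):
        return "block"
    return "review" if findings else "allow"


if __name__ == "__main__":
    print("\n".join(triage_manifest(SAMPLE_MANIFEST)), verdict(SAMPLE_MANIFEST))
```

An invitation or document viewer has no reason to hold SMS permissions at all, so even a "review" result on such an app deserves attention.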
