Caso especial BITCOIN: Moneda digital vigente en 2017

Apart from those fraud reports, the sporadic incidents of fraud in the ATM/debit card industry in Indonesia has long been acknowledged and reported to the central bank on a case-by-case basis.653 These incidents mostly were never revealed to the public. Hence the public and payment system authority always have difficulty in gauging the real level of payment system risk exposure, either on a national basis or for a specific bank.

The rash of ATM/debit card skimming that occurred across several cities at the end of 2010 in Indonesia (and widely covered by national mass media) was a revelation as to the pervasiveness and serious impact of identity theft that had facilitated fraud to be perpetrated across the payment system industry in Indonesia. To overcome the problem, Bank Indonesia as payment system authority in Indonesia, has a clear policy that urges banks to tighten their ATM security. Bank Indonesia has enacted several regulations to improve bank security systems. It has instructed banks to take several actions to reduce ATM and debit card fraud. These include forming a task force to exchange information about fraud and find the way to circumvent it. Bank Indonesia also encourages banks to increase surveillance in public access terminal more frequently, install anti-skimmer devices, add ATM pin-pad shield and continue to roll out consumer education programme about the importance of keeping ATM/debit card PINs secret. 654

653 _{Indonesia, ATM skimmer fraud has long been acknowledged. In 2003, John Petrus, an Indonesian}

citizen, and Eng Kim Hook, a Malaysian citizen, both ATM fraudsters, were convicted of a criminal offence by Jakarta District Court and sentenced to imprisonment of six and three years respectively (verdict No. 532/PID.B/2003/PH.JKT.PST dated 4 June 2003 and No. 427/PID.B/2003/PN.JKT.PST dated 12 June 2003). Both fraudsters were prosecuted according to articles 263(2) (forgery in writings), 65(1) (conjunction) or 362 (theft) and 65(1) of Indonesia’s Penal Code (KUHP).

654 _{Financial System Stability Bureau Directorate of Banking Research and Regulation, 'Financial}

Stability Review No. 14, March 2010' (Bank Indonesia, 2010)

<http://www.bi.go.id/NR/rdonlyres/9379845A-3B22-488D-A5BA-

6D08321BAD03/20251/FSR14March2010.pdf>, 57. In this report, Bank Indonesia’s policy to reduce fraud in ATM/debit card transactions can be seen from Box 3.2: ATM and Debit Card Fraud, as follows:

Realizing the importance of security in the card based payment industry, Bank Indonesia has introduced a number of acquirer and principal requirements in order to improve security technology, manage operational risk and regulate reporting. These aspects are legislated by Bank Indonesia Regulation No. 11/ 11/PBI/2009 and Bank Indonesia Circular No.11/10/ DASP dated 13 April 2009 regarding Card Based Payment Instruments.

At the outset of 2010 Bank Indonesia implemented a number of measures to help prevent the spread of fraudulent ATM and ATM/Debit card activity including, among others, forming a task force made up of banks that had been affected by skimming cases as well as switching companies. The task force is mandated with facilitating the banking industry in terms of simplifying the identification and introduction of preventative measures against fraudulent activities. In addition, a technical forum will be established involving the Police Department, Bank Indonesia and other related parties. The technical forum will facilitate an exchange of information pertaining to

147 While the 2010 ATM skimming cited above employed a ‘conventional identity theft/fraud method, in contrast,’ the Body Shop fraud of 2013 (also widely covered by the media) employed one of the most sophisticated and advanced identity theft methods, that is, malicious software (malware). Before the Body Shop fraud, none of the bank management staff in Indonesia who became the author’s respondents had been aware of the possibility of malware attack either in ATMs or EFTPOS machines. Many of the bank officers did not even know that their payment card system could actually be compromised by malware.655 Hence, it is not surprising that banks’ payment card systems were vulnerable to malware attack, since none of them had installed anti- malware programs in their payment card system, including on ATMs and EFTPOS terminals. Therefore, similar to the 2010 skimming deluge fraud in Indonesia, the Body Shop fraud could also be considered ‘a key opener’ for (an indicator of) the fact that ‘high technology’ fraud was already in existence in Indonesia. The Body Shop fraud in the payment card industry in Indonesia that employed malware as its mode of operation has opened the possibility that many unrevealed ‘phantom withdrawals’ in the ATM/debit card transactions may actually have been caused by malware that had been implanted by fraudsters in the ATM/debit card or EFTPOS systems.

Whilst lacking reliable fraud data, it appears that the most prominent ATM/debit card fraud methods based on its frequency of occurrence in the mass media and occasional fraud incident reported to Bank Indonesia are ATM/debit card skimming in ATMs/EFTPOS machines and card trapping in ATMs.

criminal activity, counterfeiting and non-cash payment system related crime, to expedite the treatment and prosecution of criminal activity.

Bank Indonesia has appealed to banks to continually improve their physical surveillance of ATM machines, in particular those that are located outside branch offices, to ensure that no suspicious equipment is installed as well as monitor unusual transactions. Furthermore, Bank Indonesia has also reminded banks to apply risk mitigation measures against fraudulent activity including formulating an adequate Standard Operating Procedure (SOP), settling transactions according to the SOP, as well as monitoring and applying prudential principles when evaluating and accepting new merchants. Meanwhile, preventive, anti-fraud measures that can be introduced by banks include installing anti-skimmers, CCTV cameras and PIN covers, as well as monitoring the security and cleanliness of their ATM machines.

Of equal importance is for banks to continue rolling out customer education programs regarding the importance of PIN security, regularly changing PIN numbers, and keeping PIN numbers private. Bank customers are also encouraged to pay attention to the physical condition of ATM and EDC machines and report anything suspicious immediately to their nearest branch or authorized personnel.

655 _{See, eg, interview with an ATM Operation Division’s team in one of the major state banks (Jakarta, 17}

August 2012) (BO-2). It is difficult to believe that employees of one of most prominent banks in Indonesia who are in charge in the ATM operations were unaware of the risk of malware in ATMs/EFTPOS machines. See also BO-1; BO-3; and BO-5.

148 Nevertheless, many of the ‘phantom withdrawals’ from consumer bank accounts were not revealed until now. In the absence of incentives for banks to equip themselves with various sophisticated devices for crime/fraud prevention, monitoring and detection, revealing a fraud incident is sometimes not easy for banks. Without ATM CCTV records or CCTV records with a good quality picture, neural network, the state-of-the- art anti malware programs, experienced fraud auditor staff, and good will from banks to exhaustively investigate the possibility of the occurrence of fraud, it is very difficult for banks to detect and reveal a typology of any particular ATM/debit card fraud incident. From interviews with various banks’ officers in Jakarta in 2012, it is known that banks are reluctant to expand the fraud investigation to the ‘next’ level, such as involving the Indonesian Police Department, and/or tracing the transactions trails to reveal and catch the genuine perpetrators. The most popular reasons given not for not expanding the investigation were to limit the cost of investigation (involving the police means banks have to provide police with ‘operational costs’ for the investigation) and to avoid reputation risk and ‘hassle’ regarding court litigation. Nonetheless, with the change of shareholders in one of the biggest retail banks, the new management urged the fraud department to exhaustively investigate all occurrences of fraud and bring the perpetrators to justice. Even though the goal was to give the message to all the ATM/Debit card fraudsters ‘don’t mess with us’, the effect for consumers was also good. Besides some successfully apprehensions of some ATM/debit card fraudsters that it was claimed had reduced fraud incidents, some previously unrevealed phantom withdrawal cases could also finally be solved. Previous to that investigation, a bank officer admitted that the phantom withdrawal claimed by a consumer was rejected on the basis that consumer must be negligent in some way and this enabled the fraud to occur. The investigation then revealed that the fraudster, using skimming and pin-hole camera device implanted in the bank’s ATM, was the real cause of the consumer’s loss. As result, an arrangement was made with the affected consumer.656

656 _{For reasons for bank reluctance to not expand investigations, see eg, BO-2; BO-3; BO-4 and BO-5. In}

terms of the good will of bank management being very important in contributing to their willingness to reveal fraud incidents, see also interview with Wani Sabu, Division Head Halo BCA, PT Bank Central Asia, Tbk (Jakarta, 14 August 2012).

149