CHAPTER II: THEORETICAL FRAMEWORK
2.4 Regulatory framework for mobile money and common international principles
According to the CPSS, fraud incidents in banks also concern the banking supervisor for three reasons:

On a large scale, it may threaten the solvency of banks and the integrity and soundness of the financial system. Second, it may be indicative of weak internal controls that will require supervisory attention. Thirdly, there are potential reputational and confidence implications, which may also spread from a particular institution to the system.658

In line with these concerns, the CPSS urged banks to take greater action. In addition to enhancing their internal fraud mitigation, banks were urged to report suspicious activities and significant incidents of fraud to the banking supervisor. Consequently, the banking supervisor (in Indonesia, Bank Indonesia) needs to ensure that the appropriate authorities and stakeholders are alerted, so that the spread of fraud to other banks, or the repetition of new and varied types of fraud elsewhere, can be prevented.659

Anderson et al conclude that there are at least five economic barriers to network and information security, one of which is information asymmetry. They note that asymmetric information, 'where one party to a transaction has better information than other … can be a strong impediment to effective security'. In general, the public has very little information about the effectiveness of the many security products and services employed by institutions.660

Among the information asymmetries commonly found in the information security market is a dearth of data sharing about vulnerabilities and attacks. Anderson et al argue that publishing quantitative metrics of fraudulent activity to the public or the wider community is crucial for reducing information asymmetries. Further, they contend that the main justification for government agencies collecting and publishing statistical data on companies' security breaches 'is the mitigation of information asymmetries by generating useful signals for economic decision making, whether by policymakers, firms, or individuals'.661 Sullivan (in his work on payment fraud statistics for the United States) argues that a lack of fraud statistics undermines any 'war against fraud' because of the difficulty authorities have in gauging the dimensions of the fraud problem. Inaccurate figures could lead them to target unimportant causes, misdirect their efforts, prevent effective coordination among stakeholders, and cause them to fail to notice liability shifts.662

However, companies tend to be reluctant to disclose the incidence and nature of attacks (which would reveal their vulnerabilities) and instead conceal such events, even though attacks can be mitigated more rapidly and effectively if information is shared in a coordinated manner with the wider community.663 Companies have given several reasons for their reluctance to share security breach data, namely: 'loss of reputation and trust; risk of liability and indemnification claims; negative effects on financial markets; signal of weakness to adversaries; job security and individual career goals.'664

To date, no comprehensive ATM/debit card fraud report or payment card fraud report has been publicly available in Indonesia to raise public awareness of fraudulent activity in e-banking, and smaller banks have been far more likely to report than larger ones.665 Bank Indonesia, as the banking industry supervisor, does collect fraud reports from banks, but appears reluctant to publish comprehensive data.

Unlike many other countries, such as Australia666 and the United States,667 Bank Indonesia does not publish a fraud report as part of its official reporting on the country's payment system. The only Bank Indonesia figures on payment card fraud (and these are general figures, without a detailed fraud taxonomy) appear in the Bank Indonesia Payment System Reports or in statements by senior officers of the Payment System Department in press releases or at public occasions such as payment system seminars or meetings with institutional stakeholders such as issuing banks. For instance, the 2011 Bank Indonesia Payment System Report gave the total number of payment card related fraud cases (for October 2011) as 1,954, with a total loss of IDR3.08 billion (the 2012 report showed 11,468 cases with total losses of IDR1.4 billion). Although the reports broke the data down by popular fraud modus operandi (methods), this tended to confuse stakeholders because it did not follow accepted or common definitions or a commonly recognised fraud taxonomy.668

One way to reduce fraud is to limit the opportunity for fraudsters to commit it. Toughening security has become one of the most popular anti-fraud methods for restraining or reducing fraud. However, Bank Indonesia fraud reports do not exhaustively enumerate the types of fraud. Hence it is impossible to know which identity theft methods fraudsters in Indonesia are using to harvest the card and PIN data that is later used to create counterfeit cards for unauthorised ATM/debit card transactions. The specific types of payment card fraud that an anti-fraud tool is supposed to tackle are therefore hard to identify in the first place. It is difficult to 'fight a war' on fraud if the location, actions and nature of the enemy are unknown.

Consequently, the poor and unpublished fraud data in Indonesia not only fails to give payment system stakeholders the accurate (and therefore valuable) input they need to act promptly and precisely to restrain fraud, but could also misdirect the fraud policy adopted by the payment system authority, because the reported fraud figures, set against total payment card transaction volumes, appear too sparse and insignificant to warrant specific risk mitigation action. From a consumer viewpoint, the lack of fraud data, especially per-bank fraud figures, may make it harder for fraud victims to obtain redress in court or through an alternative dispute settlement body. As Bolton and Hand observe, fraud figures that are not reliable are always difficult to evaluate.669 The lack of data sharing about vulnerabilities and attacks also creates information asymmetry in the information security industry,670 which can lead to market failure in the payment system industry. Such information asymmetry affects not only the information security industry serving banks, but also government policy makers and the public.

A market failure can occur when market participants such as banks lack incentives to provide good and timely e-security that prevents or detects breaches, and to issue fraud reports. The reason given for failing to disclose this kind of information is to avoid damage to reputation and public confidence. Regulators of the payment system can therefore correct this market failure by requiring timely and accurate reporting of e-security breaches and fraud to the authority, and by processing those reports meticulously so as to provide valuable information to the payment system industry. This will also help to determine appropriate fraud risk mitigation for the country. As Anderson et al observe, 'a coordinated view of attacks could prompt faster mitigation to everyone's benefit'.671

658 Committee on Payment and Settlement Systems (CPSS), Bank for International Settlements, 'Core Principles for Effective Banking Supervision (Basel Core Principles)' (Bank for International Settlements, 1997) 31.
659 Ibid.
660 Anderson et al, above n 338, 18–24.
661 Ibid 18, 27–8. Individuals and organisations benefit from data on security properties when making […] and implement appropriate protection and to react to current levels of threat. Accurate statistics can support the evolution of policy to fight fraud. While consistent, comparable metrics enable greater transparency, better data will bring further rewards in the form of deeper understanding, which will in turn lead to better policies in the long term.
662 Richard J Sullivan, The Benefits of Collecting and Reporting Payment Fraud Statistics for the United States (Federal Reserve Bank of Kansas City, 2009) 1.
663 Anderson et al, above n 338, 18–24. In the USA, fraud information sharing has been tackled by information-sharing associations, security-breach disclosure laws and vulnerability markets. An early security-breach disclosure law enacted in the United States was California's A.B.700 of September 2002, which came into force as Cal Civil Code § 1798.29 in July 2003. It applies to public and private entities that conduct business in California, and requires them to notify affected individuals if personal data under their control is believed to have been acquired by an unauthorised person. A specific instance of the application of this law is where criminals fit an ATM with a skimmer that steals card details. The bank would be required to notify every customer who had used that machine during the period in which the skimmer could possibly have been in use, regardless of whether they were one of that bank's customers or not.
664 Anderson et al, above n 338, 40–1.
665 Payment card fraud figures were never revealed on the Bank Indonesia Payment System Department website <http://www.bi.go.id/web/en/Sistem+Pembayaran/> nor in any Bank Indonesia printed materials, such as the Bank Indonesia Annual Report or the Bank Indonesia Payment System Report. In contrast, BI has published data on counterfeiting and fraud in cheque account withdrawals, which can be found in many Bank Indonesia publications. The most disturbing aspect of the fraud reports that have been published is the unreliability of the fraud data. An examination of the raw data revealed that for years such data had been submitted by fewer than one fifth of reporting banks. Most of the banks that reported were small banks, whereas most of the big ten banks, which contributed more than 75% of the volume of payment card transactions in Indonesia and are commonly also prominent targets of fraudulent activity, never sent fraud reports to Bank Indonesia for years. Hence the total fraud figure released by Bank Indonesia (as the sole payment system authority in Indonesia) certainly does not reflect the real level of fraud in payment card operations in Indonesia. This unreliable figure is further distorted by the 'dark figure' phenomenon and by differing interpretations of fraud typology between banks and the central bank. The available fraud data are therefore incomplete, fragmented, incomparable and lacking a good metric standard, which makes them difficult to use as a basis for specific fraud mitigation activities.
666 For payment system fraud figures in Australia (most recent and historical data), see Australian Payments Clearing Association (APCA), Fraud Statistics <http://www.apca.com.au/payment-statistics/fraud-statistics>. The APCA is the self-regulatory body for Australia's payment industry. It has 90 members, including Australia's leading financial institutions, major retailers and other principal payment service providers. APCA has published cheque and card fraud statistics since November 2006 as part of the payment industry's commitment to improved disclosure. APCA believes that the fraud figures help consumers and businesses in Australia to understand how fraud occurs, so that they can take steps to minimise the risks when using cheques and cards, and allow the industry to monitor fraud trends and develop targeted mitigation strategies.
667 See Anderson et al, above n 338, 18, 26. In the US, the lack of data sharing about vulnerabilities and fraud attacks has been tackled by information-sharing associations, security-breach disclosure laws and vulnerability markets. Anderson et al further argue that the point of security breach notification is to supply incentives for firms to improve the protection of personal data. Competent firms have nothing to fear from breach notification, and should welcome a situation in which incompetent firms that 'cut corners' to save money are exposed (naming and shaming), incur costs, and lose customers. This levels the playing field and prevents the competent from being penalised for taking protection seriously.
668 For instance, see Herdaru Purnomo, Duh! Pembobolan Transaksi Kartu Hampir Capai 16.000 Kasus [Ouch! Payment Card Fraud Almost Reaches 16,000 Cases] (2 January 2012) detik.com <http://finance.detik.com/read/2012/01/02/144723/1804731/5/duh-pembobolan-transaksi-kartu-hampir-capai-16000-kasus?f9911023>. The popular fraud methods enumerated in this article are: fraudulent applications, account takeovers, unauthorised use of account numbers, counterfeit cards and skimming, ATM scams, items not received, and identity theft. Payment card fraud figures are derived from the Indonesia Payment System yearly reports for 2011 and 2012.
669 Bolton and Hand, above n 257, 236. See also Anderson et al, above n 338, 27. According to Anderson et al, 'the primary value of statistical data, and the main justification for its collection by government agencies, is to mitigate information asymmetries by generating useful signals for economic decision making, whether by policymakers, firms or individuals'.
671 Ibid.

4.4. Conclusion
A payment card system that uses magnetic stripe cards for data storage, combined with a PIN for authentication, remains one of the most widely used payment card technologies today. Nonetheless, it is notoriously vulnerable to identity theft and fraud. Criminals know that if they can obtain the data on a consumer's magnetic stripe card and its associated PIN (identity theft), they can easily create counterfeit cards that can be used to make unauthorised ATM/debit card withdrawals.
So, as in other jurisdictions, the proliferation of payment card transactions in Indonesia has been followed by a rise in unauthorised ATM/debit card transactions. ATMs and EFTPOS terminals, along with their networks and data storage systems, have become the avenues most frequently used by fraudsters to compromise consumers' card and PIN data. The inherent vulnerabilities of the ATM/debit card payment system are exacerbated by the dearth of accurate data and the unreliability of the data that is available in ATM/debit card fraud reports.
Identity theft in payment card transactions can be conducted passively or actively, by insider or outsider perpetrators. To identify the fraudsters involved, the fraud methods used, and the party or parties responsible for fraud prevention (and liable for damages), it is necessary to know the point of compromise for the identity theft. Based on the type of attack perpetrated on ATM/debit card transactions, the point of compromise for identity theft can be divided into three 'locations': the cardholders themselves; bank ATM/debit card activated terminals together with the cardholder; and the bank's and/or its agent's network or system.
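The opening paragraph of this conclusion rests on one technical fact: the magnetic stripe carries everything a counterfeiter needs, so a skimmed copy plus the PIN is sufficient. The following Python is an added illustration of that point and is not part of the thesis or of any Bank Indonesia material. It parses an ISO/IEC 7813 Track 2 record of the kind a skimmer reads, validates the PAN with the Luhn check, decodes the service code, and shows that a copied record is indistinguishable from the original because the track holds no per-card secret or per-transaction value. The sample track, the two-digit-year convention, the service-code descriptions (summarised from the standard) and all function names are assumptions made for the example; the PAN is the widely used 4111… test number, not a real card.

```python
import re
from dataclasses import dataclass

# Constructed sample, not real card data: the well-known 4111... test PAN with a
# made-up expiry (Dec 2025), service code and discretionary field, framed by the
# ';' start and '?' end sentinels as they appear when the stripe is read.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

# ISO/IEC 7813 Track 2 layout: PAN (up to 19 digits), '=' field separator,
# YYMM expiry, 3-digit service code, then issuer discretionary data.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<yymm>\d{4})(?P<sc>\d{3})(?P<dd>\d*)\?$"
)

# Service-code digit meanings, summarised from ISO/IEC 7813 (assumption: this
# table is the author's summary, not the standard's text).
INTERCHANGE = {"1": "international", "2": "international, IC (chip) preferred",
               "5": "national only", "6": "national only, IC (chip) preferred",
               "7": "private", "9": "test"}
AUTH = {"0": "normal", "2": "by issuer", "4": "by issuer unless bilateral agreement"}
SERVICES = {"0": "no restrictions, PIN required", "1": "no restrictions",
            "2": "goods and services only", "3": "ATM only, PIN required",
            "5": "goods and services only, PIN required",
            "6": "no restrictions, PIN where feasible",
            "7": "goods and services only, PIN where feasible"}


@dataclass
class Track2:
    pan: str
    expiry_year: int
    expiry_month: int
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into its fields, rejecting malformed input."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed Track 2 record")
    pan = m["pan"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    yy, mm = int(m["yymm"][:2]), int(m["yymm"][2:])
    if not 1 <= mm <= 12:
        raise ValueError("bad expiry month")
    # Assumption: two-digit years on the stripe are in the 2000s.
    return Track2(pan, 2000 + yy, mm, m["sc"], m["dd"])


def describe_service_code(sc: str) -> dict:
    """Decode the three service-code digits into human-readable terms."""
    return {"interchange": INTERCHANGE.get(sc[0], "reserved"),
            "authorisation": AUTH.get(sc[1], "reserved"),
            "services": SERVICES.get(sc[2], "reserved")}


def chip_preferred(t: Track2) -> bool:
    """True when the service code asks a capable terminal to use the chip."""
    return t.service_code[0] in ("2", "6")


def expired(t: Track2, year: int, month: int) -> bool:
    """A card is valid through the last day of its expiry month."""
    return (t.expiry_year, t.expiry_month) < (year, month)


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2)
    print(mask_pan(t.pan), t.expiry_year, t.expiry_month,
          describe_service_code(t.service_code))
    # The same bytes written to a blank card decode to an identical record: the
    # stripe carries no secret and no per-transaction value, so an issuer that
    # sees only the track cannot tell a skimmed copy from the genuine card.
    print("copy indistinguishable:", parse_track2(SAMPLE_TRACK2) == t)
```

The comparison at the end is the whole point: unlike an ICC/chip card, which computes a fresh cryptogram for each transaction, a stripe is a static copy of these fields, which is why the only defences left at a magnetic stripe ATM are the PIN and transaction monitoring.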
Where the cardholder alone is the point of compromise, fraudsters have stolen or swapped a consumer's genuine ATM/debit card and used it to make unauthorised purchases or withdrawals from the consumer's account (an active attack). Fraudsters can determine the PIN associated with a stolen card by guessing, 'cracking', deriving it from the consumer's identity details (such as date of birth), or social engineering. Apart from outsider fraudsters, dishonest cardholders themselves can also defraud banks by making fraudulent claims or transaction reversals. This type of identity theft and fraud, however, is not significant in number.
Where bank consumer activated terminals and cardholders are the point of compromise, skimming devices and card trapping are the prominent methods. Identity theft using skimming devices at ATMs is probably the most popular method employed by fraudsters in Indonesia. Its effectiveness in harvesting hundreds or even thousands of ATM/debit card records in Indonesia was demonstrated by various identity theft incidents (such as the late 2010 ATM fraud in Bali, and the Bank BCA and Mandiri skimming fraud of late 2013 and early 2014). All of these large identity theft and fraud cases in Indonesia apparently involved international syndicates, and most of the unauthorised withdrawals occurred outside Indonesia, in countries such as Canada, Australia, Bulgaria and Malaysia.
Where consumer activated terminals/systems and/or communication networks are the point of compromise, it should be noted that the proliferation of ATMs and EFTPOS terminals opens a wide doorway for fraudulent activity (as well as bringing benefits to consumers). Relatively unguarded consumer activated terminals and their communication networks are more vulnerable to attack. Card skimming, eavesdropping, EFTPOS tampering and malware (to name a few) are commonly adopted fraud methods at this point (passive attacks). Meanwhile, consumer PINs remain easy to steal using an installed pinhole camera, a PIN pad overlay, or shoulder surfing.
In dealing with fraud, enhanced prevention measures, such as cardholder identification and authentication using more advanced technology (ICC/chip cards, better encryption, stronger PINs and so on), are very important. However, almost all anti-fraud tools, which are ultimately computer-based programs (often with a physical component), can be circumvented by fraudsters (using anti-jitter devices, fake anti-skimmer devices, malware, card trapping and so on). Additional fraud mitigation methods, such as neural network based transaction monitoring and 'out of band' alerts, therefore need to be implemented to limit further damage to banks and/or consumers.
Overall, to succeed in reducing or neutralising fraud, every fraud prevention, detection and mitigation effort in payment cards (card issuance, transaction processing, data storage and so on) should involve synergy between banks, their third party affiliates and consumers. As payment system owners and/or developers, banks should continually improve and update their security features, deliver high quality educational material to consumers about payment system risks and fraud methods, implement good quality neural network based fraud detection, and issue timely transaction reports to consumers.