Online fraud is rife in Indonesia — here’s some ways to fix it


Indonesia’s e-commerce sector has attracted a lot of attention in recent years. With a population of 250 million people and a growing middle-class powered by consumption, the Ministry of Communications Technology and Informatics predicts that the country’s online retail market will be worth $130 billion by 2020.

That said, e-commerce data security and user protection are unsophisticated at best in countries like Indonesia. Experts say better encryption is the way forward for local e-stores in the archipelago, a nation in which web fraud is rife.

Encryption helps user data stay protected against fraudsters who aim to steal customers’ personal information. “Login information should be properly protected using salting and hashing,” says Frank Wang, Massachusetts Institute of Technology (MIT) PhD in computer security and co-founder at Cybersecurity Factory in Cambridge.

For those who are unfamiliar with cybersecurity, there is terminology to get acquainted with. According to Microsoft, the practice known as “hashing” is often employed to keep data safe. Essentially, it means modifying a variable-length password into a cryptic, fixed-length password. This is done by generating a “salt” value, which is a random number used to generate the hashed password (to those who’ve never researched tech security, it all sounds like jibberish).

Currently, there are a few commercial softwares on the market to help e-commerce enterprises protect data. Names like ESET, F-Secure, Kaspersky Lab, and Juniper Networks come up. But when asked what kind of new solutions are being developed at MIT to combat things like fraud and identity theft via e-commerce — ones which might be useful in emerging markets like Indonesia — Wang tells Borderless that the solutions they’re working on at MIT are mostly research-oriented, and not ready for commercial use.

“Databases should never store the usernames unencrypted […] This prevents someone from stealing login information and logging in as a user,” says Wang, adding that third-party payment systems such as PayPal, Stripe, Visa, Checkout, and Shopify help smaller companies handle these kinds of security issues.

However, larger e-commerce firms looking to do their own payment processing should follow what’s known as the Payment Card Industry Data Security Standard (PCI DSS). It is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB. However, Wang concedes that full compliance with PCI DSS can indeed be difficult and expensive.

In cash dominant emerging markets like Indonesia, where less than 5% of the population own credit cards and most people are unbanked, the PCI DSS becomes far less relevant. Instead, Indonesian e-commerce firms are forced to explore more creative ways to get paid, which inevitably mean accepting ATM transfers from less reputable banks. For these reasons, the payoff for Jakarta’s online retailers to comply with security standards in the West basically becomes moot.

Wang says, “One of the biggest challenges with fraud and cybersecurity is that it’s hard to win all the battles [..] especially with fraud. It’s about detecting fraud as quickly as possible and managing the fraud risk. However, it’s extremely difficult to eliminate all fraud. As with all markets that face security issues, the attackers become more clever as more players enter the market and quickly adapt to defenses.”

Rendra Perdana, head of IT Infrastructure and security at Jakarta-based e-commerce firm MatahariMall, points out that e-commerce platforms in Indonesia generally use firewalls, like a stateful and intrusion prevention system (IPS), security information and event management (SIEM), and data loss prevention (DLP) on their IT infrastructure.

“Stateful firewalls track connections, thereby differentiating which packets can or cannot go through,” Perdana tells Borderless. “Meanwhile, IPS firewalls carry out deep packet inspection on the content of packets and connection characteristics. This firewall is the one which blocks exploit codes, or malware.” Perdana adds that SIEM provides real-time analysis of security conditions while DLP safeguards the site from data leakages.

Utuh Wibowo, executive chairman at Indojasa Technology Solution and veteran cybersecurity consultant in Jakarta, says that some local e-commerce firms have adopted payment security standards that now comply with PCI DSS, such as Verisign. In addition, these platforms use transport layer security to secure comms through cryptography. However, smaller e-commerce platforms only use this in their data transfer. “Most small e-commerce platforms use OsCommerce, WordPress, Magento, and encryption plugins that are widely available in the market,” explains Wibowo.

But despite progress in Indonesia’s e-commerce security sector, merchant and consumer fraud remains a plague.

A recent study by fraud prevention software maker Forter named Indonesia the riskiest country in which to deal in e-commerce. The overarching reason was the archipelago’s weak security infrastructure. Over one third of the e-commerce transactions in the nation are registered as fraudulent, an amount surpassing those in high-risk markets like Venezuela, South Africa, Brazil, and Romania.

In recent years, Lazada Indonesia, the country’s largest business-to-consumer e-commerce platform, was hit by fraud after hackers used stolen email addresses to steal customer accounts on the website. This forced Lazada to cancel orders and refund affected customers. Lazada Group, a company originally built by Germany’s famous venture builder Rocket Internet, all but runs the e-commerce game in Southeast Asia. Apart from Indonesia, Lazada operates in Malaysia, the Philippines, Singapore, Thailand, and Vietnam.

Oscar Darmawan, CEO of Bitcoin Indonesia, says fraudsters in Indonesia typically execute what’s known as a “triangle scam” by setting up fictitious businesses on an e-commerce platform. If a customer walks into the trap and purchases an item from the make-believe seller, fraudsters may then steal that user’s identity, and signal the platform to process more transactions.
“The two victims here are the customer and the platform. The fraudsters are usually untraceable, despite having an address,” says Darmawan.

Donald Wihardja, partner at investment fund Convergence Ventures and former country manager and chief information officer at 2C2P, one of Southeast Asia’s most well-known e-commerce payment processors, further points out that that e-commerce fraud is an intricate security issue.
“Platforms could implement 3D secure protocols that do not rely on sending a password verification through text messages, given that text telecommunication networks are less reliable,” explains Wihardja. “Additionally, platforms could install transaction systems that save credit card details to make the customer’s next transactions easier.”

Darmawan notes that e-commerce startups tend to depend on bank transfers, which “is quite vulnerable to fraud.” He adds that e-commerce companies currently do not pay enough attention to strengthening their server securities, which includes the safety of backup data. He says, “As we know, servers are one of the key assets that e-commerce platforms must keep secure.”

According to Wang, the advantage of emerging markets is that they can look at the experience and history of more established markets like the US and Europe to see what defenses have worked and failed. This can tell them what kinds of threats to expect. The bottleneck, however, is establishing common framework and best practices that suit the idiosyncrasies of unique markets like Indonesia.

He says, “In emerging markets, as they develop quickly, it’s worth figuring out some basic regulations so that firms all have some baseline security.”

Photo credit: Pixabay

No material may be fully re-printed or re-broadcast without the written permission of Borderless News Online.