Disastrous Wedding Invitation APK


Not long ago, Bareskrim Polri caught 13 criminal gangs that attacked m-banking using a courier (online goods delivery) APK, which resulted in a loss of Rp. 12 billion. Now another group of fraudsters has emerged that is carrying out similar actions but with a different theme.

They sent a wedding invitation letter that actually contains an APK from outside the Play Store. Once installed it will steal OTP credentials from the victim's device.


When this dangerous Android APK is run, a number of warnings appear. The first is that installing applications from outside the Play Store is very dangerous and not recommended. If this warning is ignored, another warning appears when the application being installed is given access to SMS, as well as to the documents and photos on the device.


But most likely, because people are not used to paying attention to warnings when installing applications and easily give approval without reading carefully and understanding the consequences of the approval given, this malicious data-stealing application will still be installed and carry out its actions.
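A triage check for the permissions described above, as an added example that is not part of the original article: it reads a decoded AndroidManifest.xml (for instance as produced by apktool) and flags the SMS-plus-network combination that exposes OTPs. The sample manifest, package name and verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups matching the access the article says the APK asks for.
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
FILES = {"android.permission.READ_EXTERNAL_STORAGE",
         "android.permission.READ_MEDIA_IMAGES"}
NETWORK = {"android.permission.INTERNET"}

# Constructed sample: decoded manifest of a hypothetical "invitation" app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weddinginvitation">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Wedding Invitation"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def triage(manifest_xml):
    """Flag permission sets that let an app read OTP SMS and send them out."""
    perms = requested_permissions(manifest_xml)
    can_exfiltrate_otp = bool(perms & SMS) and bool(perms & NETWORK)
    findings = []
    if perms & SMS:
        findings.append("reads incoming SMS (OTP exposure)")
    if perms & FILES:
        findings.append("reads documents/photos on shared storage")
    if can_exfiltrate_otp:
        findings.append("can forward SMS content over the network")
    verdict = "high" if can_exfiltrate_otp else ("review" if findings else "low")
    return {"verdict": verdict, "findings": findings, "permissions": sorted(perms)}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```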


Requires credential data

Actually, installing this malicious application is not enough to access the victim's mobile banking account, because accessing a mobile banking account requires a User ID, a Mobile Banking Password, a transaction approval PIN, and the OTP (One Time Password) obtained through this malicious APK.

So the big question is: where do these criminals get their victims' mobile banking credentials, given that this malicious APK can only steal OTP SMS?


Was it because these criminal organizations shared databases of targets, or was there a leaking database of banks' m-banking users?

As we know, in the previous phishing activity in mid-2022, many m-banking users were tricked into giving their m-banking credentials to fraudsters because they were threatened with a monthly transfer fee of Rp. 150.000,- https://www.vacsin.com/aksi-phishing-mobile-banking-bri.



False announcement of increased transfer fees aimed at stealing victims' m-banking credentials. Photo: doc Alfons Tanujaya

Anticipation and prevention

Assuming that m-banking user data has been leaked, one of the emergency things that must be done by m-banking users who experience data leaks is to immediately change their Password and PIN for transaction approval. If you are still unsure, consider changing your m-banking account or choosing an m-banking provider that provides better security. In fact, if the bank implements systems and procedures properly and cleverly, criminals will have difficulty taking over m-banking accounts even if they manage to get all the credentials and OTP for transaction approval.


For banks providing m-banking services, Lilincom recommends implementing What You Have verification for moving m-banking accounts to a new cell phone or a new cell phone number. So don't rely on What You Know verification alone to move your m-banking account to a new cellphone or cellphone number.

What You Have verification is, for example, verification of an ATM card, the original KTP, or the physical account owner, while What You Know verification covers the User ID, Password, transaction approval PIN and OTP code.


The government and the regulators that oversee financial institutions are expected to set strict and safe security standards for digital financial transactions such as m-banking so that they are not easily exploited. This is very important because the many cases of m-banking breaches will reduce public trust in the digital financial sector, and people will avoid using digital channels, even though the government is very interested in digitization in the financial sector because it will have a multiplier effect on Indonesia's economic development.
