On Gojek's Efforts Against Social Engineering
Education is the key factor in fighting these social engineering attacks
Bintoro Agung - 27 October 2020
Starting in a Slack chat room, a hacking operation succeeded in penetrating Twitter's layered security in mid-July. The attack took over a number of high-profile Twitter accounts, including those of Elon Musk, Bill Gates, Barack Obama, and many more. Besides damaging Twitter's reputation as one of the world's leading technology companies, billions of rupiah vanished in the form of bitcoin as a result of the attack.
Calling the attack hacking is somewhat inaccurate, because the perpetrator did not exploit security holes in the platform. What happened to Twitter was social engineering, which exploits human negligence in a variety of ways. The perpetrator deceptively gained the trust of Twitter employees and used the information obtained to bypass the platform's security system. The ISACA State of Cybersecurity 2020 report, Part 2: Threat Landscape and Security Practices, names social engineering the number one digital security threat in the world. This reinforces the belief that humans are the weakest link in a digital security system.
Identifying social engineering
What happened to Twitter is also common on other digital platforms, including in Indonesia. While that attack used employees as a foothold to get past the platform's security system, many cases target platform users directly. In general, users' literacy levels are far more varied than those of people working in technology companies, so it is not surprising that social engineering attacks hit ordinary people. Domestically, this attack trend is increasingly evident. Gojek, as one of the largest digital platforms in Indonesia, has seen this happen to its users several times.
The Center for Digital Society (CfDS) at Gadjah Mada University describes social engineering as fraud carried out by penetrating security networks through the manipulation of users to obtain confidential information. The mechanism is indeed less complicated than a hacking attack. However, as noted above, the method is widely used because it takes advantage of the victim's unfamiliarity with the digital ecosystem.
CfDS researcher Tony Seno Hartono described several techniques used in social engineering. Phishing is the most common: the perpetrator uses telephone, email, or other media to gather information about the target. Next is SMShing, which works like phishing but over SMS. Then there is pretexting, which relies on a narrative that convinces the victim to hand over information. Lastly, there is impersonation, in which the perpetrator pretends to be someone else to collect information from the target.
Winning the victim's trust is the common thread in all these cases. Catching victims off guard and extracting personal data, one-time passwords (OTP), and other sensitive information makes it easier for perpetrators to get past the platform's security system. For perpetrators, these social engineering techniques are more practical than hacking into security systems. In the context of Indonesia's digital ecosystem, the threats these techniques pose can have a huge impact.
Fungus in the rainy season
The form of crime always adapts and develops over time with the conditions of society, and this social engineering method of deception finds fertile ground here. Indonesia is currently home to Southeast Asia's largest digital business ecosystem. The We Are Social 2020 report shows more than 175 million internet users, thousands of digital startups, and six unicorns in Indonesia. Research by Temasek and Google put the value of Indonesia's digital economy at US$40 billion last year, with the potential to reach US$133 billion by 2025.
Even so, digital literacy in the country is far from sufficient. CfDS states that digital security competence in Indonesia is quite basic and still in the middle category. This correlates directly with the cyberattacks targeting internet users in the region.
The Covid-19 outbreak has been a catalyst accelerating society's adaptation to the digital economy. A situation that requires most people to carry out their activities from home forces them to adapt to all kinds of digital services. This large migration can certainly be read as an opportunity for cybercriminals. The large number of new users who do not yet understand much about digital services are easy targets for social engineering.
Gojek acts against social engineering
Of the many digital businesses in Indonesia, Gojek is one of the driving forces. Gojek is a decacorn with 20 different services across 3 super apps for customers, driver-partners, and merchant partners. It has also expanded to other countries in the region, such as Vietnam, Singapore, the Philippines, and Thailand. By the end of the second quarter of this year, its application had been downloaded more than 190 million times, with more than 2 million drivers and 500,000 GoFood partners. A 2019 study by the Demographic Institute of the Faculty of Economics and Business, Universitas Indonesia found that Gojek's contribution to the national economy has reached IDR 104.6 trillion.
Millions of transactions a day are enough to convince digital bandits to aim at Gojek users. Gojek acknowledges the threat is real. It takes three approaches to protecting its service ecosystem: technology, protection, and education. The technological approach is the foundation of the security system. Gojek has added innovations such as number masking, two-factor authentication, chat intervention, fingerprint features, face verification, and piracy prevention. GoPay's SVP IT Governance, Risk & Compliance, Genesha Nara Saputra, explained that his team constantly monitors the latest attack trends behind the scenes and improves the capabilities of the security infrastructure. However, Genesha believes that all the technical sophistication they provide can be useless when social engineering attackers target ordinary users.
"In the case of social engineering, there is only one effective way, and that is education. The world has recognized that humans are the weakest link. That's why the key is practical education," Genesha explained.
In this educational approach, Gojek emphasizes four things to its users: do not transact outside the application, keep personal data secure, use a PIN for every transaction, and report immediately to customer service or the police when something seems suspicious. This is aimed at Gojek driver-partners and merchants too. In the social engineering cases that have hit Gojek, the perpetrators often target the victim's electronic wallet.
One significant improvement Gojek has made in securing its ecosystem is the ability to detect fictitious orders. In the past few years, fictitious orders have become a scourge for driver-partners. Another is the use of illegal applications such as Fake GPS, popularly known among drivers as "tuyul", which allow rogue drivers to manipulate their location. Gojek's Head of Driver Operations Trust & Safety, Kevin Timotius, said the progress came from the machine learning and artificial intelligence they developed in the Gojek SHIELD technology.
"We have utilized machine learning and artificial intelligence technology to detect and crack down on various fraudulent acts that harm driver-partners, including fictitious orders and the use of illegal devices. Previously, similar technology has also helped improve partner security through face verification and phone number masking," said Kevin.
Regardless, social engineering scams remain a latent danger lurking for any user of digital services. The technique is little affected by the sophisticated security infrastructure used by digital startups like Gojek, because it targets a person's psychology. The problem can only be suppressed with adequate digital literacy.
However, digital platforms cannot do this alone. They need a helping hand from industry, government, non-governmental organizations, and the community to prevent the proliferation of social engineering cases in Indonesia.
–Original article is in Indonesian, translated by Kristin Siagian