SIM Swap Scam
Cases of illegal SIM card swaps ending in bank account theft have increased in the past year. Allegedly bank employees are involved.
ADRIAN Qamar and his wife, Yuliastriani, hurried to the Kebayoran Baru branch of Bank Rakyat Indonesia (BRI) in Jakarta on Monday, August 24, 2020. The 54-year-old wished to check Yulistriani’s bank balance. A few days prior, Yulistriani coud not access her Indosat Ooredoo cellular phone card number which she had used to register three mobile banking accounts, one of them a BRI Mobile.
What the BRI Bank personnel told them shocked the couple to the core. The Rp570 million in Yuliastriani’s account had disappeared. The bank had registered a series of transactions in a period of 1.5 hours between 3:36AM to 5:52AM through the BRI Mobile application on Thursday, August 20, 2020. “Somebody had breached my wife’s mobile banking account,” said Adrian, a resident of Guntur in Setiabudi, South Jakarta, on Tuesday, January 12.
The time of the illegal transactions coincided with the time Yulistriani lost access to her Indosat phone number. At the time, the Adrian family were on holiday in Solo, Central Java. Yulistriani discovered she could not use her number on her cell phone on Thursday at around 8:30AM. She contacted the Indosat help center to check out the problem. “The call center said her SIM (subscriber identity module) Card had been replaced on Thursday at 1:51AM Western Indonesia Time (WIB),” said Adrian.
Yulistriani tried to block the three bank accounts she had registered with the Indosat number. Two of the three had automatically locked the accounts because a party had failed three times to input the right password as they tried to reset the access to the mobile banking app. The couple only checked their BRI Bank account upon their return from Solo. “Only the BRI account was stolen,” said Adrian.
After realizing they had been robbed and an illegal SIM card swap had occurred, Adrian tried to trace the perpetrators. A person had replaced Yulistriani phone card at an Indosat outlet in a mall in Cakung, East Jakarta, at around 1AM on that Thursday. Yulistriani’s BRI Mobile account was accessed through Internet account 114.125.2x2.xxx located in South Sumatra.
Adrian also found out that Yulistriani’s money in the BRI Bank account had been removed using 32 transactions, some as much as Rp30 million to Rp50 million. Some of the money was used to buy pay-as-you-go phone credits and to shop online. Two of the recipients’ accounts were still active when Tempo checked them out. The two accounts were held by DP with BRI account number 809901x0733xxxx and SAP with Bank BNI under account number 07x494xxxx.
BRI Corporate Secretary Aestika Oryza Gunarto hoped to obtain an official statement from Indosat regarding Yulistriani’s case. “We have not yet received any report from the provider,” she said.
Yulistriani reported both thefts to the Jakarta Raya Metropolitan Police on August 24, 2020. Yet, no light has been shed on the case to date.
Director of the Special Crimes Unit of Polda Metro Jaya, Sr. Comr. Auliansyah Lubis admitted to receiving Yulistriani’s report. He was reluctant to provide details concerning the investigation, including that of calling in witnesses. “In short, it is still under investigation,” he said.
Security camera footage of a man claiming to be Ilham Bintang on the counter of Indosat Mal at Bintaro Exchange, Jakarta, January 3, 2020. Antara/Facebook/Ilham Bintang
A similar incident happened to journalist Ilham Bintang. He could not use his Indosat phone number while in Sydney, Australia, on January 4, 2020. He only knew his money in a Commonwealth Bank account had disappeared two days later. “I lost around Rp300 million,” he said.
The perpetrator allegedly used Ilham’s phone number to conduct a SIM card swap to his Commonwealth mobile banking account. But the thief failed to access two other digital bank accounts when the attempted transactions were detected as irregular.
The SIM card swap conducted using Ilham’s card was carried out one day prior at around 9PM at an Indosat outlet in Bintaro, South Tangerang, Banten. A man and a woman pretended to be Ilham and his wife. The incident was captured on the outlet’s closed-circuit television (CCTV).
Armed with the recording, Ilham reported the incident to the Jakarta Metropolitan Police. One month later, officers caught eight people in the SIM card swap network and their thievery into Ilham’s bank account. Several of them hailed from Palembang, South Sumatra. They admitted to having conducted a similar crime 19 times using the same routine.
Chief of Public Relations of the Jakarta Metropolitan Police, Sr. Comr. Yusri Yunus said, the phone card and bank account thieves ring who broke into Ilham’s account involved a bank employee. He supplied data obtained from the Financial Services Information System of the Financial Services Authority (SLIK OJK). The SLIK contains names of account holders, their ID numbers, and their withdrawal ceilings. “The bank employee allegedly sold this information,” said Yusri.
Armed with this data, said Yusri, perpetrators make a false ID card. The ID card is then used as one of the requirements to register for a new telephone card.
Up to December 16, 2020, OJK Deputy Commissioner for Public Relations and Logistics Anto Prabowo did not respond to Tempo’s request for an interview.
Ilham and Yulistriani were both offered a settlement out of court. Indosat promised to reimburse their losses on condition they annul their report to the police. Both refused the offer.
Ilham instead has put in a lawsuit against Indosat and the Commonwealth Bank at the Central Jakarta District Court for sustained losses. Court hearings have begun in early January.
Commonwealth Bank also has not responded to an interview request. A written list of questions sent to Commonwealth Bank’s Executive Vice President Head of National Sales and Service Aris Dawani has not been replied.
Yulistriani’s attorney, Muhammad Farizi, refused the settlement because it could be considered an act to cover up a crime against his client. He said, closure through criminal court would in fact be beneficial to Indosat and other cellular operators, to help them avoid similar cases in the future. “It would be a saving grace to further guarantee banking system security,” he said.
Fauzi assessed that security at both Indosat and the BRI Mobile app was weak at best. His client had her phone card swapped with no formal verification, such as producing an official ID card and other relevant information. Neither did the BRI Mobile app detect any irregularity in the occurrence which could have prevented a theft into Yulistriani’s account.
Indosat Ooredoo’s Vice President Head Strategic Communication Adrian Prasanto was reluctant to provide confirmation regarding the settlement offer to Ilham and Yulistriani. He said Indosat had repeatedly reported illegal SIM card swap cases to the police. “SIM card swaps are only one in a chain of crimes. I think it is going overboard if the case is used to push a cellular operator into a corner,” he said. “We are also the party sustaining losses.”