The recent case of fake QRIS codes installed in charity boxes presents a major hurdle amid Bank Indonesia’s efforts to develop a digital, tech-based payment system.
Moreover, the fact that the suspect, Mohammad Iman Mahlil, is a former bank employee means that “insiders” pose a great risk to the implementation of tampered QRIS codes.
In relation to the finding, cybersecurity expert Kaspersky has pointed out that there are quite a few vulnerabilities in QRIS that can be exploited by cybercriminals or hackers to do harmful actions. This is largely due to the fact that users cannot easily read the QRIS or verify the scanning process, making it easier for attackers to exploit these weaknesses.
The QRIS code created by criminals may lead to phishing sites that look like legitimate login pages for online banking or social networks. That’s why Kaspersky advises users to always check the link before tapping or clicking on it.
Kaspersky also noted that hackers often use shortened links, making it more difficult for users to identify fake QRIS code when prompted for confirmation on their smartphones. This type of scheme can also trick users into downloading malicious software, instead of the intended game or tool, leading to potential security breaches.
In addition, QRIS code can also contain instructions to certain actions, such as adding contacts, making phone calls, drafting email and collecting recipient and subject lines, sending texts, sharing locations, and many more.
It turns out that, despite all safety claims, QRIS can still be manipulated and breached. Therefore, to prevent this case from happening again, Bank Indonesia can only take precautions by pressing the payment service provider (PJP) to protect the system they are using.
Bank Indonesia is also tightening the registration process of merchants who will use QRIS as their payment option. The central bank is coordinating with the Payment System Association (ASPI), payment system infrastructure providers, and PT Penyelesaian Transaksi Elektronik (PTEN) to investigate the risk of QRIS leaks.
Regarding PJP, ASPI has issued guidelines for merchants and users to improve the security of QRIS transactions.
To ensure safe transactions, Bank Indonesia also encourages users to carefully check the information displayed within the payment application when scanning the code. This includes verifying the name of the merchant listed in the application and ensuring that it matches the correct merchant, and following the payment instructions provided by the merchant.
Merchants are also expected to regularly check their QRIS codes to ensure that they are indeed their own and have not been changed by unauthorized parties.