Scammers used Grab-owned O2O commerce app Kudo to skim money from Indonesian state-owned bank

Kudo said the robbery wasn’t caused by security errors on its app.

Photo by Shutterstocks

Fraud in the form of transaction manipulation via digital platforms is an emerging threat.

In Indonesia, a recent case involved an app called Kudo, which is part of ride-hailing platform Grab. It was reportedly misused to steal money from a state-owned bank. The transaction fraud cost the bank a total of IDR 16 billion (USD 1,1 million).

Kudo is an app that empowers traditional retailers such as kiosks to sell digital and physical goods through its app. It was acquired by Grab in 2017.

Not much is known about how exactly the scammers operated and the case is still under investigation by the Indonesian police’s cybercrime unit.

What police have revealed so far is that the defrauded side is a state-owned bank and that the scheme involved suspects making a number of transactions through the Kudo app that were paid into that bank’s virtual account. However, this balance was not deducted from the Kudo balance in the corresponding transaction, which left the bank to foot the bill.

Several media reports mentioned that police said the fraud might have been caused by a security gap at the bank and Kudo’s app, thus allowing the perpetrators to hack their system.

However, co-founder and CEO of Kudo Agung Nugroho rejects the allegation.

“We have checked with the police and they confirmed that there was no statement from them that mentioned security problems  with the Kudo app,” he told KrASIA.

He ensured that Kudo is continuously takes maximum effort in order to provide a safe and reliable system to support small businesses in Indonesia. Kudo will continue to work closely with the police and other parties related to this case, Nugroho said.

The police have arrested two suspects and are still looking for other accomplices.

Digital platforms and digital banking services are becoming targets for financial crime facilitated by manipulative users. Some cases do not necessarily involve a technical breach of the system but instead are based on coordination among different actors on the platform, such as triggering fake orders on a ride-hailing platform–a common fraud scheme.

Earlier this year, e-commerce Tokopedia became the victim of cashback fraud that involved fake transactions between merchants and employees to make undue gains from cashback offers on its platform.

Last year, Tokopedia’s competitor Bukalapak also suffered from a similar fraud case. Fraudsters on both platforms were arrested by the police and the e-commerce platforms said they would continue improving security systems to prevent potential fraud in the future.