June was a rough month for Indonesian human rights activists. At a time when most people were staying home to ride out the COVID-19 pandemic, and hence relying on web-based delivery services to procure groceries, meals, and daily necessities, unknown perpetrators appropriated these channels to intimidate activists in an attempt to cow them into silence. For the people who received these threats, this was a new form of coercion. By hijacking the victims’ on-demand app accounts and sending a slew of drivers to their home or workplace, the perpetrators made the underlying message clear: We know where you are.
One of the victims was Mitha Setiani Asih, the editor-in-chief of Lampung University’s student publication Teknokra. Asih had planned to host an online round table on June 11 about the racial injustice suffered by Papuans in Indonesia. It was a sensitive topic, and she and her guests aimed to discuss and unpack the Indonesian government’s oppression of the indigenous people living in its easternmost province.
One day before the event, Asih was hanging out with two of Teknokra’s editorial staff in their secretariat room. It was just past 7:00 p.m., and she was watching a YouTube video when her phone chimed. A WhatsApp notification from an unknown number appeared on her screen: “What’s the address for the food delivery?”
Heaps of unwanted food
“At first, I thought it was a spam message, so I ignored it,” Asih told KrASIA. “Then, suddenly there was a chat notification from the Gojek app, asking for my address for food delivery.” This caught Asih off guard. Nobody present had ordered anything using the app.
Thinking that there was a glitch in the system, she opened the app to report the problem. To her surprise, there was a long sequence of orders that she did not place. They were all on their way to her, so she couldn’t cancel them. WhatsApp messages and calls from Gojek drivers started flooding in, overloading and then freezing her phone. She realized that someone had hijacked her Gojek account—but it wasn’t for the perpetrator’s own benefit.
Panicked, Asih uninstalled the Gojek app from her phone. That didn’t stop the fake orders, which were sent to multiple locations. It wasn’t long before delivery drivers showed up one by one. Accompanied by her friends, Asih met them and explained the situation.
“Some drivers were mad and didn’t believe that my account had been hijacked. They thought I was pranking them,” she recounted. In the past, there have been cases where Grab and Gojek drivers continually harassed customers who they deemed rude or abusive. Wanting to avoid any sort of conflict, Asih and her friends were moved to a safe house provided by the regional Alliance of Independent Journalists. In all, more than 50 orders had been placed via Gojek under Asih’s name by whoever had stolen her personal details.
Meanwhile, 363 km away, Tantowi Anwari and his wife Salbiyah faced a similar problem at their home in South Jakarta. At 8:53 p.m., Anwari received a WhatsApp message from an unknown number. “Don’t overdo the fake orders. This is just a warning from me. Be careful when you leave your house,” wrote the sender, according to a screenshot that Anwari shared with KrASIA.
Initially, Anwari ignored the message, but then the sender attached a picture of Anwari’s ID card. A few minutes later, around six GrabFood drivers showed up at his house.
“It was really strange as my husband almost never ordered food deliveries, it was usually me,” said Salbiyah. “When I asked if he made those orders, he said no. He didn’t order anything, and we were together in our room, so I knew he was telling the truth.”
She uninstalled Grab’s app from her husband’s phone, and then went out to talk to the drivers. Salbiyah explained that they had not placed those orders and asked the drivers to tell their colleagues not to pick up any more orders placed through his account. She still paid for the delivered food by cash, reasoning that the drivers were also victims of these fraudulent orders.
That was only the beginning. GrabBike drivers started to arrive. Anwari received an e-mail receipt of GoPay transactions amounting to IDR 300,000 (USD 21), even though he didn’t initiate the transfers. By the next morning, Salbiyah’s Gojek account was compromised too. Again, drivers for car and bike rides showed up at the couple’s house, and people were delivering food ordered through her account. Salbiyah’s GoPay balance of IDR 180,000 (USD 13) was drained. In total, the couple lost around IDR 680,000 (USD 48), a significant sum for them.
Despite the physical distance between these cases, Anwari was set to be part of Asih’s round table discussion. Asih said other participants received threats via WhatsApp too.
Speakers at similar events, like one hosted by Amnesty International, have had to deal with spam calls from unknown foreign numbers as well as Zoombombing. And a researcher who has been critical of state affairs on social media said his WhatsApp account was hacked before a message calling for riots was broadcast; the incident led to incitement charges leveled against him.
Blaming the customer
Asih, Anwari, and Salbiyah reached out to Grab and Gojek’s customer service centers to find out what was happening to their accounts and hopefully resolve their issues, but they didn’t find the feedback they received to be particularly helpful. “They only told me to wait an hour until my account is disabled,” said Asih.
Salbiyah felt Gojek’s customer service representative was more focused on blaming her instead of offering assistance. “They kept on insisting that I shared my OTP (one time password) or let other people use my account. They wouldn’t believe that my account is hijacked, claiming that the system is well-protected,” she said.
It took around two hours for the companies to disable the victims’ accounts. Grab told Salbiyah that it couldn’t disable Anwari’s account right away as the company needed to “follow procedures.” Furthermore, when Salbiyah requested a detailed order history, Gojek didn’t give her one. Instead, they only sent a generic e-mail stating that her account had been reset.
Gojek said it covered the charges related to Asih’s case, specifically delivery fees for the drivers involved, and that she did not suffer any financial losses. The company told local media that there was “no hacking” involved and that it has reached out to Asih to follow up on her complaints. Gojek also stated that it maintains a “willingness to cooperate with the police to enforce the legal process.” But Asih said Gojek has not done this and has not provided any information about how her account was exploited by parties with malicious intent.
Salbiyah was less fortunate. Gojek has not provided refunds for the losses she incurred, and still refuses to release the transaction history of her own account to her.
“It was very hard to report our case,” said Anwari. “The companies’ customer data protection system is very weak.”
A Gojek spokesperson told KrASIA that what happened to Asih was a “prank” and “did not involve any hacking of our system or user data.”
“A perpetrator got hold of Mitha’s delivery details from outside of our ecosystem and used an alternative Gojek account to send her multiple food orders, requesting for cash on delivery,” the spokesperson said in a statement to KrASIA. They also claimed that Asih and the drivers involved didn’t suffer any financial losses.
Gojek has deployed an AI security system called Gojek Shield, which is meant to send notifications to users when they may be victims of fraud. It also includes an emergency button in Gojek’s app for any user who suspects their account’s security has been compromised. Gojek masks phone numbers so that drivers cannot retain customers’ information and contact them later on. It also offers insurance coverage for victims of GoPay fraud.
“We also work closely with authorities and enforce necessary legal processes to help users and partners who have experienced cases of fraud and pranks,” said Gojek’s spokesperson. The company representative did not comment on Anwari and Salbiyah’s depleted balances.
Asih rejected the claim that the ordeal was a prank. “It was like my account was operated from two different devices. I saw a list of orders I didn’t make on the history tab, and messages from the hacker to the drivers confirming the delivery orders. I never wrote those messages,” she said.
When contacted by KrASIA, Grab claimed that they have poured “significant investment” into their anti-fraud functionality, GrabDefence, which the company said reduces fraudulent activities on their platform to below 1% of all transactions. “It includes real-time and early detection measures that use machine learning models crunching millions of [pieces of] booking data in real-time looking for fraudulent patterns,” said a Grab spokesperson. False orders can be detected based on behavioral patterns and how long it takes to complete orders.
This covers GrabFood transactions too. Grab maintains a dedicated line where drivers can report fraudulent orders. A flag will lead to a review of an account’s activity. Problematic accounts are suspended or deactivated.
“Grab will only act if we have full confidence and we also take progressive actions against suspected fraudulent actions. We also try to spread awareness with driver-partners and passengers, to discourage fraud,” said the spokesperson.
Systemic weaknesses
These three cases are unusual in that they show no signs of attempted hacking, such as alerts that flag log-in attempts on different devices or OTP requests. The victims also claimed that their phones were operating normally before the tidal wave of food and rides that they didn’t order.
“If the hacking doesn’t occur on the client-side, it is likely to be done through the system provider itself,” said cybersecurity researcher and consultant Teguh Aprianto.
However, another researcher, Alfons Tanujaya from computer security firm Vaksincom, said that fake orders can be placed without hijacking an account. The perpetrator only needs to create a fake account using the victim’s name and place the orders. However, this method doesn’t match these cases as all victims received notifications on their phones. But Tanujaya pointed out a major flaw in both Gojek’s and Grab’s systems—the inability to detect unusual orders.
“They should have been actively evaluating weaknesses in the system and making improvements to prevent the same loophole from being exploited again,” he told local media outlet Tempo.
Both experts think that Grab and Gojek need to ramp up their security systems to prevent third parties from using their apps for intimidation purposes. Aprianto suggested an alert feature for login attempts from unrecognized devices. For instance, Facebook does this, requiring users to verify logins from a recognized gadget.
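An added example, not code from Gojek, Grab, or the researchers quoted: a sketch of the two controls the experts describe, flagging orders placed from a device not enrolled on the account and flagging an abnormal burst of orders spread over several addresses. The event fields, thresholds, and account and device names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; a real platform would tune these per market and user.
WINDOW = timedelta(minutes=30)
MAX_ORDERS = 5       # orders per account inside WINDOW
MAX_ADDRESSES = 2    # distinct drop-off addresses inside WINDOW

def sample_events():
    """Constructed order events: (time, account, device, address)."""
    t0 = datetime(2020, 1, 1, 19, 0)
    events = [(t0 + timedelta(minutes=5), "acct-B", "dev-9", "addr-7")]
    # Burst of orders from a device the account has never used before.
    for i in range(12):
        events.append((t0 + timedelta(minutes=i), "acct-A", "dev-2",
                       f"addr-{i % 4}"))
    return sorted(events)

def detect(events, known_devices):
    """Return (time, account, reason) alerts, one per account and reason."""
    recent = defaultdict(deque)   # account -> orders still inside WINDOW
    seen = set()                  # (account, reason) pairs already alerted
    alerts = []

    def raise_alert(ts, acct, reason):
        if (acct, reason) not in seen:
            seen.add((acct, reason))
            alerts.append((ts, acct, reason))

    for ts, acct, dev, addr in events:
        # Control 1: order comes from a device not enrolled on the account.
        if dev not in known_devices.get(acct, set()):
            raise_alert(ts, acct, "unrecognized_device")
        # Control 2: sliding-window check for unusual order volume.
        window = recent[acct]
        window.append((ts, addr))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        if len(window) > MAX_ORDERS:
            raise_alert(ts, acct, "order_burst")
        if len({a for _, a in window}) > MAX_ADDRESSES:
            raise_alert(ts, acct, "address_fan_out")
    return alerts

if __name__ == "__main__":
    enrolled = {"acct-A": {"dev-1"}, "acct-B": {"dev-9"}}
    for ts, acct, reason in detect(sample_events(), enrolled):
        print(ts.isoformat(), acct, reason)
```

In practice any of these alerts would pause further dispatch and prompt the account holder on an enrolled device, rather than waiting for drivers to report the orders.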
Grab and Gojek also need to tighten their user registration processes to prevent fake accounts from joining and using the platforms. Currently, for both companies, a new user only needs to provide an e-mail address and a phone number to create an account. Aprianto said Grab and Gojek should “ask for valid ID [with a selfie] before completing the registration process.”
In previous years, fake accounts and abnormal orders have caused a lot of problems for both companies. In 2019, Instagram influencer Nazla Alifa shared on her Instagram Stories that someone placed multiple fake food delivery orders under her name. She also complained about Gojek’s slowness in handling the situation.
There were also cases where GoFood and GoShop merchants exploited fake accounts to enrich themselves. The merchants used three separate phones pretending to be drivers and customers who placed orders from their store. In February 2020, a restaurant owner managed to con around IDR 400 million (USD 28,000) from Gojek’s bonus point system using this fraudulent order tactic. He reportedly managed 41 fake driver accounts, 30 fake restaurant accounts, and several customer accounts.
Moving forward with no resolution
For now, neither Gojek nor Grab has a new strategy for tighter security, even though their current setups are riddled with flaws and have left some of their users unguarded against targeted fraud and intimidation.
Mitha Setiani Asih, Tantowi Anwari, and Salbiyah have been left traumatized. Asih and Anwari no longer use any ride-hailing or food delivery apps on their phones. After ditching Gojek, Salbiyah now uses Grab. It’s a matter of necessity because she needs transportation for her daily commutes. Even so, she is still spooked by the sight of online app drivers who hang around in her neighborhood.