Tokopedia, Bukalapak, and Bhinneka Leaks Data: Who Cares?


Zuhri Mahrus, posted: Sunday, 24 May 2020 - 10:10 WIB

If Tokopedia, Bukalapak and Bhinneka operated in Europe and it were proven that their users' data had been leaked, then under the General Data Protection Regulation (GDPR) each company could be fined a maximum of £17.5 million, around Rp 300 billion, or 4% of its annual revenue.

In Indonesia? The government has not yet stepped in to investigate the alleged violations by the three big e-commerce sites. The only obstacle so far stands in front of Tokopedia: a lawsuit valued at Rp 100 billion filed by the Indonesian Consumer Community (KKI) against the Indonesian Minister of Communication and Information and PT Tokopedia.

News of the leak of user data from Tokopedia, Indonesia's first decacorn, reached mainstream online media on May 1. A total of 91 million records, reported to be Tokopedia user data, were offered for US $5,000 on a hacker forum. Five days later, on May 6, 12.9 million Bukalapak user records were once again put up for sale; this data is believed to have leaked in March 2019. Then on May 10, 2020, some 1.2 million records allegedly belonging to users of the Bhinneka online store were found to have leaked and were offered for sale on a black-market forum on the dark web.

In its official release, Tokopedia stated that it had "discovered an attempt to steal data from Tokopedia users." Bukalapak, also in an official release, admitted there had been unauthorised access to its cold storage. Bhinneka said it was still investigating the alleged leak. All three companies also stated that no transaction data had been compromised, that financial data remained secure, and that users' account passwords remained well protected.

The sample data offered by the hackers (for example on RaidForums) shows that users' account passwords were stored as hashes, a one-way transformation. However, users' personal data such as date of birth, e-mail address, telephone number and even full address appear as bare text, without encryption. This is personally identifiable information (PII). Under Article 1 paragraph 2 of Permenkominfo Number 20/2016 concerning Protection of Personal Data in Electronic Systems, it is Certain Personal Data, i.e. "every true and real information that is inherent and can be identified, both directly and indirectly, on each individual." This data must be kept confidential.

Data leakage has become a real threat in recent years. The Risk Based Security data breach report issued at the end of 2019 found that, up to the third quarter of last year, there had been 5,183 cases of data leakage and 7.9 billion records exposed.

This is a 33.3% increase over the same period in 2018. Indonesian e-commerce platforms should be able to anticipate and prevent theft, and to protect personal data in case the database is breached. Unfortunately, no anticipatory steps were taken even though Bukalapak had been hacked the previous year.

The following are some interesting notes from the data leakage cases of several large e-commerce sites.

Hashing, Salt & Pepper

Tokopedia, Bukalapak and Bhinneka protected their user accounts by hashing passwords. Judging from the sample of the user database leaked by the hackers, Tokopedia allegedly used SHA-384, while Bukalapak used the SHA-512 algorithm with a salt, or bcrypt.

What is interesting is Bhinneka, where user passwords appear to be stored with Base64 encoding, a reversible (two-way) transformation rather than a one-way hash. Storing passwords with any reversible encoding or encryption is bad practice, because the stored value can be turned straight back into the plaintext password.

Something else worth noting is that neither Tokopedia nor Bhinneka appears to have used a "salt." A salt is a string of random characters that the application adds to the user's password before hashing it.

For instance, if you have the password "jakarta2020", the application adds a salt such as "x45Cgg" so that the value actually hashed becomes "jakarta2020x45Cgg" (or some variation of it). If another user also chooses the password "jakarta2020", a different random salt (for example "Tg43rd") produces a different input, so the hash stored for that user will be different too.

Salt is used to blunt brute-force tactics such as dictionary attacks, in which an attacker tries to enter a user's account by guessing the password from lists of words. To crack passwords with substitutions like "p4ssw0rd" or "w1r3l3$$" (for "wireless"), hackers have Leetspeak dictionaries. Because each salt is different, a guess has to be hashed again for every single user instead of once for the whole database. A longer, "saltier" password therefore stands a much smaller chance of being cracked.

The salt is stored in the database alongside the hashed password, so if the data leaks, the salt is visible next to the hash. Hackers typically use a "rainbow table," a precomputed database of billions of password hashes, to look up a matching password. Rainbow tables generally cover short passwords of under 8 characters.

A long password and salt (above 8 characters) make the rainbow table far less useful. Hackers can combine several rainbow tables to break long passwords, yet a unique salt puts the hashed value beyond the scope of any such combination.

If no salt is present, it is possible that Tokopedia or Bhinneka use a "pepper" instead. Unlike a salt, a pepper is not stored in the database but is written into the application code (hardcoded). If the database leaks, the pepper remains unknown as long as the application itself is not compromised. Most data leakage cases occur in the database, not the application system.

The disadvantage is that identical passwords produce identical hashes, because a pepper is generally not unique per user. It is not yet known whether Tokopedia and Bhinneka add a pepper, or simply do not consider salt an important factor in account protection.
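To make the difference between Base64 encoding, an unsalted hash, a salted hash and a pepper concrete, here is an added Go example using only the standard library. It is not code from Tokopedia, Bukalapak, Bhinneka or the article: the password "jakarta2020" and the salts "x45Cgg" and "Tg43rd" echo the text, while the pepper value and the newSalt helper are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// base64Store shows the Bhinneka-style storage the article describes: Base64 is an
// encoding, not a hash, so base64Recover turns the stored value straight back into
// the plaintext password.
func base64Store(password string) string {
	return base64.StdEncoding.EncodeToString([]byte(password))
}

func base64Recover(stored string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(stored)
	return string(b), err
}

// unsaltedHash is a plain SHA-384 of the password: every user who picks the same
// password ends up with the same digest, so one rainbow-table hit cracks them all.
func unsaltedHash(password string) string {
	sum := sha512.Sum384([]byte(password))
	return hex.EncodeToString(sum[:])
}

// newSalt draws 16 random bytes. Hypothetical helper, not taken from any of the
// platforms discussed.
func newSalt() ([]byte, error) {
	salt := make([]byte, 16)
	_, err := rand.Read(salt)
	return salt, err
}

// saltedHash stores "hex(salt)$hex(SHA-512(salt || password))". The salt sits next
// to the digest, exactly as the article says, yet it still forces an attacker to
// crack each user's record separately.
func saltedHash(password string, salt []byte) string {
	h := sha512.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(salt) + "$" + hex.EncodeToString(h.Sum(nil))
}

// verifySalted recomputes the digest with the stored salt and compares in constant time.
func verifySalted(password, stored string) bool {
	parts := strings.SplitN(stored, "$", 2)
	if len(parts) != 2 {
		return false
	}
	salt, err := hex.DecodeString(parts[0])
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(saltedHash(password, salt)), []byte(stored)) == 1
}

// pepper is a constructed value standing in for a secret that lives in application
// configuration, never in the database. A real deployment would load it from a
// secret store rather than a source literal.
var pepper = []byte("constructed-example-pepper-not-in-database")

// pepperedHash keys an HMAC-SHA-512 with the pepper. Without the pepper the digest
// cannot be checked against a wordlist, but because the pepper is shared by all
// users, identical passwords still produce identical digests.
func pepperedHash(password string) string {
	mac := hmac.New(sha512.New, pepper)
	mac.Write([]byte(password))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	const pw = "jakarta2020"
	stored := base64Store(pw)
	recovered, _ := base64Recover(stored)
	fmt.Println("base64:", stored, "->", recovered)
	fmt.Println("unsalted SHA-384 twice equal:", unsaltedHash(pw) == unsaltedHash(pw))

	s1, _ := newSalt()
	s2, _ := newSalt()
	h1, h2 := saltedHash(pw, s1), saltedHash(pw, s2)
	fmt.Println("salted digests differ:", h1 != h2)
	fmt.Println("verify correct password:", verifySalted(pw, h1))
	fmt.Println("verify wrong password:  ", verifySalted("jakarta2021", h1))
	fmt.Println("peppered twice equal:", pepperedHash(pw) == pepperedHash(pw))
}
```

The SHA-512 construction is there only to make the salt visible. A real system should use a dedicated password hash such as bcrypt (which the article notes Bukalapak appears to use) or Argon2; these generate and store the salt themselves and are deliberately slow, which is what blunts the billions-of-guesses-per-second hardware the article mentions later.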

The recommendation that users change their passwords is very useful for preventing hackers from entering user accounts once a password has been cracked.

This matters because hackers now have computers whose processors can perform billions of attempts per second. If a hacker does recover a password from its hash, the accounts most likely to be broken into are those of users who are inactive or who do not change their password promptly.

Unfortunately, even with passwords still protected, user data is still being sold. What hackers are after is the personal data that appears bare: telephone numbers, e-mail addresses, birth dates, addresses and, above all, financial data such as credit or debit card numbers.

By focusing only on the security of user accounts and passwords, our e-commerce platforms show that they do not consider personal data important enough to encrypt.

Bare Personal Data

This raises the question: why did these e-commerce sites keep personal data in plaintext, without encryption? This is bad practice and leaves personal data exposed in the database, without any packaging or protection.

Look at this sample of the leaked data: the e-mail address, telephone number, date of birth and even full address are on full display in the sample suspected to be Bhinneka user data.

In Europe, the GDPR recommends that personal data be encrypted both in transit and at rest, but encryption is not an obligation. Across the GDPR's 260 pages the word "encryption" appears only 4 times, and in every instance as a recommendation (pages 51, 121, 160 and 163). The GDPR also does not treat encrypted data as personal data.

That is, if the leaked data is encrypted so that it cannot be used to identify individuals, the violation is not as severe as a leak without encryption (although the Electronic System Provider, or PSE, still has to account for the protection of its users' data).

Indonesian regulations are actually more "advanced": Permenkominfo Number 20/2016 concerning Protection of Personal Data in Electronic Systems states in Article 15 paragraph 2 that "Personal Data stored in the Electronic System must be in the form of encrypted data." The PSE is free to choose the encryption algorithm.

The European Union's cyber security agency (ENISA) recommends the Advanced Encryption Standard (AES) algorithm as a method of encrypting personal data. This is the most popular encryption method in the world today. The United States National Security Agency (NSA) transmits high-level confidential data using AES. Globally, about 50% of data is encrypted with AES.

The algorithm comes in variants with 128-, 192- and 256-bit keys. Experts consider AES-128 and AES-192 safe enough to protect data. A supercomputer is estimated to need a billion billion years (yes, billion billion, with 18 zeros) to break a 128-bit AES key by brute force.

Personal data without encryption, taken from the sample data of an alleged Tokopedia user.

Let us look at the same data if it were encrypted.

The same personal data sample from Tokopedia if it were encrypted using the AES algorithm.

Encrypted data will appear as gibberish text that cannot be read by humans. Hackers are less interested in data like this. It will take a very long time to recover the data so that it can be read and used (unless the hacker gets the encryption key stored on the server). Bare personal data will sell far more. Emails, names and telephone numbers are ammunition for hackers, phishers, spammers, scammers, phone bombers, telemarketers to attack potential victims.

The password is very likely to change (users are advised to change the password at least once every 3 months), especially after a data breach incident. But the date of birth, full name, full address, and cellular telephone number (the latter is still possible to change) are all identifiers attached to the user.

If it leaks and is in the hands of cyber criminals, your data will circulate forever and move from one hand to the other. Sold repeatedly. That is why it is very important to encrypt personal data so that if a data breach occurs, personal data will remain illegible.

There are several myths about why companies avoid data encryption: for example, that encryption increases costs, reduces application performance, and is not easy to use. As for database performance, encryption is only one of the many factors that may slow it down.

Encrypting everything at the application level does have a noticeable effect, but encrypting selected personal-data columns in the database does not. Personal data is also accessed far less often than fields such as the ID or username. Separating personal data into its own tables linked to the user table can be a good idea.
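As an added example, not code from any of the platforms or from the article, the following Go program uses the standard library's AES-GCM to encrypt only the personal-data columns of a user record while leaving the lookup columns readable, which is the arrangement the paragraphs above argue for. The column names, the sample values and the demo key are constructed; in a real deployment the key would come from a secret store or key-management service, never from the database that holds the rows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// piiCipher wraps AES-GCM; the key lives with the application or a KMS, never in the database.
type piiCipher struct{ aead cipher.AEAD }

// newPIICipher accepts a 16-, 24- or 32-byte key (AES-128, AES-192 or AES-256).
func newPIICipher(key []byte) (*piiCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &piiCipher{aead: aead}, nil
}

// seal encrypts one column value as base64(nonce || ciphertext || tag). A fresh nonce
// per value means two users with the same birth date get different ciphertexts; the
// column name is bound as additional authenticated data so a value cannot be moved
// from one column to another without decryption failing.
func (c *piiCipher) seal(column, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// open reverses seal; tampering, a wrong key or a wrong column all make it fail.
func (c *piiCipher) open(column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns {
		return "", fmt.Errorf("stored value too short to hold a nonce")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// pii holds the personal-data columns by name. Lookup columns such as the user ID
// and username are not in it and stay in plaintext.
type pii map[string]string

// encryptPII produces the values that are actually written to the database.
func encryptPII(c *piiCipher, plain pii) (pii, error) {
	out := make(pii, len(plain))
	for col, v := range plain {
		ct, err := c.seal(col, v)
		if err != nil {
			return nil, err
		}
		out[col] = ct
	}
	return out, nil
}

// decryptPII is what the application does on the rare occasions it needs the data.
func decryptPII(c *piiCipher, stored pii) (pii, error) {
	out := make(pii, len(stored))
	for col, v := range stored {
		pt, err := c.open(col, v)
		if err != nil {
			return nil, err
		}
		out[col] = pt
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; production keys come from a secret store
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	c, err := newPIICipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample record, modelled on the fields the leaked samples exposed.
	plain := pii{"email": "budi@example.com", "phone": "+62 812 0000 0000", "dob": "1990-01-01"}
	stored, _ := encryptPII(c, plain)
	back, err := decryptPII(c, stored)
	fmt.Println("as stored:", stored) // unreadable text; a username column would stay readable
	fmt.Println("decrypted:", back, err)
}
```

A dump of a table stored this way shows exactly the kind of unreadable text the article's encrypted sample illustrates. The fresh nonce per value keeps a leaked table from being grouped (every user born on the same day gets a different ciphertext), and binding the column name as authenticated data keeps it from being quietly rearranged; only the application holding the key can read the fields back.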

The costs and technical difficulties that arise - if this is the reason to avoid encryption - are only relevant for small e-commerce businesses. Should this be an issue for decacorn class companies, unicorns, unicorn candidates who earn hundreds of billions to two hundred trillion rupiahs a year?

Indonesian-style regulations

Permenkominfo Number 20/2016 states that stored personal data must be encrypted. But look at the enforcement section in Article 36: the list contains only administrative sanctions, and some of them are "non-sanctions."

"... be subjected to administrative sanctions in accordance with the provisions of the legislation in the form of:

a. verbal warning;

b. written warning;

c. temporary suspension of activities; and / or

d. announcements on sites in the network (online website)."

What kind of sanctions are there in point "d"?

The encryption obligation from Permenkominfo was not included in the Draft Law on Personal Data Protection (RUU PDP). Clause on failure of personal data protection or data leakage only exists in Article 42 of the Bill. Sanctions for this failure are regulated in Article 48.

"Administrative sanctions referred to in paragraph (1) in the form of:

a. temporary suspension of activities;

b. deletion or destruction of personal data;

c. compensation; and / or

d. administrative fines."

There is no further detail about the sanctions, such as how much the maximum fine is. It is different from other sanctions that clearly state maximum fines, for example acts that intentionally move data abroad or sell and buy personal data or process Personal Data for commercial and / or profiling purposes without approval.

That last violation carries a fine of Rp 100 billion. The cases of leaked Tokopedia, Bukalapak and Bhinneka user data will be difficult to charge under the PDP Act if a failure of personal data protection remains absent from the current legal architecture.

Forget the PDP Bill first. Maybe it is still too early to review how much the PDP Bill regulates the protection of personal data considering that this bill will still be discussed by the DPR. Currently the government has Permenkominfo Number 20/2016 and Permenkominfo Number 4/2016 regarding Information Security Management Systems to regulate e-commerce.

Permenkominfo 4/2016 emphasises the importance of information security management with reference to the SNI ISO/IEC 27001 standard. ISO/IEC 27001 is a certifiable standard for information security management systems, created to ensure a high level of information security in products, services and technological processes. ISO 27001 also recommends encryption as a tool to reduce risk.

The level of information security of the Electronic System Provider will be assessed based on the Information Security index (KAMI) developed by Indonesia's ICT Ministry.

Interestingly, on December 18, 2018, the National Cyber and Crypto Agency (BSSN) handed over the results of the KAMI index assessment to 13 PSE companies. The companies had passed the assessment stage conducted by KAMI Index assessors holding ISO 27001 Lead Auditor competency certification. Tokopedia, Bukalapak and Bhinneka were among the companies that received the KAMI index that day.

Despite receiving the KAMI index, e-commerce companies are not necessarily qualified to protect users' personal data. Be advised: personal data protection is only a "small" part of the KAMI index. In BSSN's KAMI index, protection of personal data is only a sub-assessment in the "Supplements" category, one of 6 areas assessed.

It is too much to assume that Tokopedia, Bukalapak and Bhinneka are immune from attacks and data leaks on the strength of a KAMI index granted a year and a half ago. A company's ability to secure information must be re-audited every year. And in fact even world-class companies such as Google, Yahoo, Marriott and Facebook have experienced leaks.

Of course there is a difference with the Tokopedia, Bukalapak and Bhinneka cases. Google paid a fine of US $7.5 million, Yahoo paid US $50 million, Marriott paid US $100 million, and Facebook paid US $5 billion.

Did the companies voluntarily plead guilty and pay fines? Certainly not. In Europe and the United States, there are strict rules about protecting personal data and sanctions for violators. There is a legal authority that ensures violators receive punishment.

How about Indonesia? Although it seems less encouraging, the KKI lawsuit against the Government and Tokopedia which will be heard on June 10, 2020 brings a glimmer of hope: there are still those who care about protecting personal data. Unfortunately, that concern arises not from the government.

Zuhri Mahrus is Cyberthreat.id's Senior Editor

 
