Payment System Security Flaws


TEMPO.CO, Jakarta - The payment system set up by Bank Indonesia is reported to have vulnerabilities. These have been exploited by cybercriminals to breach banks.

BANK Indonesia must mend the weaknesses in the BI-Fast national retail payment system infrastructure. Vulnerabilities in the fraud detection system have been exploited by hackers to breach banks, particularly small banks. There needs to be an independent body to assess the reliability of the BI-Fast system, given that the central bank plays a dual role: supervisor as well as operator of the payment system.

These vulnerabilities in the security system resulted in the breach of a number of regional banks recently. The police are dealing with the incidents, but the case file has yet to be submitted to the court. The special team tasked by the bank management discovered these weaknesses.

The breach that drew significant public attention occurred on March 29, 2025. Hackers attacked the payment system of Bank Jakarta—then known as Bank DKI—through BI-Fast. This attack resulted in anomalous transactions affecting the current account at Bank Negara Indonesia that was used as a settlement account for the BI-Fast service.

A total of 807 anomalous transactions took place, amounting to Rp228.1 billion. If Bank DKI had implemented an adequate fraud detection system at that time, the number of irregular transactions could have been contained. The oversight division only activated the emergency button to prevent further massive fund outflow after realizing their BI-Fast balance had drastically decreased.

On June 22, 2024, Bank Pembangunan Daerah Jawa Timur, or Bank Jatim, was drained, suffering losses of Rp119.9 billion. The loss was revealed after reconciling BI-Fast transaction data, which uncovered 483 unusual transactions. Furthermore, the total value compromised in this “BI-Fast Fraud” scandal is estimated to have reached Rp800 billion between June 2024 and March 2025.

Banks are obliged to have an internal control system in the form of an anti-fraud strategy. This is laid down in Financial Services Authority Regulation No. 12/2024. But not every bank has the capacity to implement a sophisticated safety system. The investment for this requirement is significant, and not every bank has the financial resources.

These banks are typically regional development banks. They do not have systems that connect directly to BI-Fast. Instead, these banks utilize middleware, or software that functions as an intermediary to connect various systems, applications, and different components within the digital banking ecosystem. Consequently, these banks, whose shares are owned by local governments, often become the hackers’ targets.

However, the blame cannot be placed entirely on the banks. Bank Indonesia’s function must be questioned. As the creator and operator of BI-Fast, the central bank should immediately reform its systems. The repeated instances of hacking must serve as a warning. These cases clearly demonstrate a hole in its security system.

But the fact is that Bank Indonesia has a dual role in this case. As well as an operator, Bank Indonesia is also the supervisor of BI-Fast. This dualism means that Bank Indonesia cannot be objective. This is why there is a need for a separate organization that can assess whether Bank Indonesia has implemented detection systems and measures to prevent bank fraud.

Banking is a business based on trust. Strengthening the technology security system is necessary to maintain the trust of account holders. Remember the words of digital security expert Stéphane Nappo: “It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”
