Universitas Airlangga Official Website

Fake BTS and digital security threat: Insights from UNAIR expert

Cybersecurity and fake OTP threats illustration (Photo: Kompas Tekno)

UNAIR NEWS – As digital technology continues to advance at an unprecedented rate, cybersecurity threats have become more sophisticated and difficult to detect. One particularly concerning threat is Fake BTS (Base Transceiver Station), also known as an IMSI Catcher—a device that impersonates legitimate cellular towers to intercept data from nearby mobile phones.

More advanced technology, greater risk

Dr. Maryamah S. Kom, a lecturer at UNAIR’s Faculty of Advanced Technology and Multidiscipline, explained that Fake BTS operates by tricking mobile devices into connecting to a counterfeit network. Because phones automatically seek the strongest signal, they can unknowingly latch onto a Fake BTS tower. “Once a device is connected, hackers can intercept user communications, including phone calls, text messages (SMS), and even OTP codes sent for authentication,” she stated.

While this form of cyberattack is not new, public awareness remains critically low. Similar incidents have been reported since 2019, and international research on detecting Fake BTS networks dates back to 2017. However, in Indonesia, protective measures are still inadequate, and no reliable detection system has been established.

Security risk of OTP SMS

Despite their widespread use, SMS-based One-Time Passwords (OTPs) are no longer considered a secure authentication method, especially for financial transactions. “Tech giants like Apple, Microsoft, and Google abandoned SMS OTP authentication in 2021, switching to the more secure passkey technology,” Dr. Maryamah noted.

However, many banks and financial institutions continue to rely on SMS OTP due to its convenience and ease of implementation. She stressed that multi-layered security measures—such as biometric authentication or passkeys—offer significantly better protection against cyber threats.

Dr. Maryamah S. Kom, Lecturer at UNAIR’s Faculty of Advanced Technology and Multidiscipline, Cybersecurity expert (Photo: Personal archive)

What to do if you fall victim to fake BTS

If an individual falls victim to a Fake BTS attack and loses access to their bank account or personal funds, their first step should be immediately updating all passwords and PINs. If hackers have already seized control of an account, users must contact their bank’s customer service immediately to request a security reset.

Dr. Maryamah also urged users to activate additional security features, including two-factor authentication (2FA), passkeys, and biometric verification. She highlighted that Google has required 2FA implementation across various institutions, including Universitas Airlangga, since February.

Moreover, she cautioned against blindly trusting OTP requests, even if they appear to come from an official bank number.

“Fraudsters can easily spoof legitimate banking numbers, deceiving users into unknowingly handing over their access credentials. Whenever you receive a suspicious message, always verify it by directly contacting your bank through official channels,” she concluded.

Author: Sintya Alfafa

Editor: Ragil Kukuh Imanto