The unauthorized deductions in GCash users’ account balances have raised concerns on whether or not the use of e-wallets is safe for Filipinos who have gotten used to transacting via these financial platforms, especially during the pandemic when people were forced to stay home and do many tasks digitally.
Users of the e-wallet backed by Globe Telecom Inc. on Tuesday reported the losses through several social media posts.
The company later the same day said there was no hacking that happened and that the account balances of affected users had been restored, assuring its 81 million subscribers that their money remained safe in the app.
READ MORE: What is phishing and how to avoid this?
“The recent incident has surely raised questions about its safety as a financial tool. Every Filipino who has a digital wallet, or is thinking of getting one, has become suddenly worried about security,” Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky, told the Inquirer.
The National Privacy Commission (NPC) said that it has not yet received a breach notification from GCash, but it has set a clarification meeting with the e-wallet company on Friday.
While Yeo said that e-wallets were safe “for the most part,” this did not mean that they would not be subjected to digital threats anymore.
“Just because a house, for example, was looted doesn’t mean it’s no longer safe, and you decide you don’t want to live in any house anymore,” the Kaspersky official explained, noting instead the need to put up additional layers of security.
Yeo said that cybercriminals were continuing to innovate their digital attacks because e-wallets carried sensitive information and access to money.
Among their ploys are mobile message scams, which are a widespread type of phishing that can lead to financial losses on the part of the victims.
Cyber hygiene
“As an e-wallet user, there are a number of things you can do to improve its safety and security,” he said.
For one, the cybersecurity expert encouraged Filipinos to practice good cyber hygiene.
“Cyber hygiene is about training yourself to form good habits around cybersecurity so that you can stay ahead of cyberthreats and online security issues,” he noted.
These include using multi-factor authentication for online accounts, using strong passwords and changing them regularly, and avoiding posting private information on social media for privacy.
It would also benefit users to educate themselves about the current modus operandi of cybercriminals so they would not fall victim to their attempts, Yeo said.
The official advised financial technology companies to always monitor the security of their apps and programs, scanning them for vulnerabilities.
“Install a reliable security solution on work devices, ideally one that is cloud-based and managed through a single control panel,” Yeo suggested.
Along with this, he raised the need for e-wallet service providers to train their employees on the fundamentals of cybersecurity.
GCash, for its part, introduced the “DoubleSafe” security feature in March to prevent account takeovers, which allow hackers to drain a user’s e-wallet account.
The feature is activated for every first login to a new device by the user. It is backed by facial recognition, which prevents hackers from accessing the account despite tricking users into giving their mobile PIN (MPIN) and one-time PIN (OTP).
GCash also reminded subscribers to not share their OTP and MPIN, especially amid the rise of text scams.
In a statement on Wednesday, Globe said it had blocked 4.07 million malicious bank-related text scams in the first quarter, up 2.7 percent from 3.97 million in the same period last year.
House probe
Meanwhile, a lawmaker has called for an inquiry in aid of legislation into the P37 million worth of suspicious GCash transactions that affected an undisclosed number of users last Tuesday.
In House Resolution No. 963, House Deputy Minority Leader Rep. Bernadette Herrera stressed the need to probe the extent of the unauthorized transactions and the number of GCash accounts involved, adding that she was one of the GCash users affected by the incident.
“It is the duty of Congress to protect the interests and welfare of the Filipino people and ensure that digital platforms like GCash operate within the bounds of the law,” she said in the measure.
Herrera added: “We must ensure that the rights and interests of the affected GCash users are adequately protected and that they receive appropriate compensation for any financial losses or damages incurred as a result of the unauthorized deductions.”
HR 963 urged the appropriate House panel to invite officials of GCash, G-Xchange Inc., Mynt, Globe Telecom Inc., Ayala Corp., and Ant Financial—companies associated with the e-wallet app—to explain the nature, scope and cause of the unauthorized deductions, and their plans to address and prevent a repeat of the incident.
For her part, House Assistant Minority Leader Rep. Arlene Brosas said GCash should be held accountable for the breach and should work on strengthening its data protection measures.