The Star Malaysia - Star2

Time’s up for OTP

When people lose money to scams and con men, the onus shouldn’t be only on victims to prove they’re an innocent party – what about what banks and government agencies should do?

- DZOF Azmi

ONE thing that has changed since the Covid-19 pandemic is that my mother has started doing more shopping than she did before. Whether that is a good thing or not, I shan’t say. But she now owns a dustbin with a lid that opens when you wave at it, a motorised tin opener that can be operated one-handed, and something to regulate water flow to her plants on the balcony.

What she bought perhaps doesn’t work as well as promised online. As they say, caveat emptor – buyer beware.

Perhaps more crucially, online shopping is not really possible without some aspect of online banking. And the same as with any shopping, the customer needs to be aware of what can go wrong.

I think we all know now of the dangers that scammers and con men pose over the Internet. In June of this year, the Royal Malaysia Police (PDRM) said that over 70,000 commercial crime cases had been reported since 2020 (valued at RM5.2bil), with more than two-thirds of them (68%) involving online fraud.

While most were simple e-commerce scams where what you bought online wasn’t the same as what you received at home, others were more like con jobs you see in the movies.

For example, in Casanova scams, the con man sweet-talks victims into giving away their money to their new lovers. The common Macau scam is when a supposed government officer or policeman orders you to deposit money in their “secure” account to avoid legal consequences.

In these particular circumstances, the victims are active participants, and I think sometimes people believe they deserve what they get. However, the truth is that we are all susceptible to emotional manipulation; it just depends on what the context is, and where our focus lies.

However, the crimes are becoming more complex. Consider for example a website offering house cleaning services that asks you to download an app. When you book a slot and try to pay, it keeps failing, so you give up on the service and move on. Unfortunately, what you may not realise is that the app was fake, and it has stolen your bank ID and password.

This kind of scam is meant to be mitigated by a one-time password (OTP). This is the SMS text that the bank sends to you to confirm that the person using its website or app is also holding the phone registered to the owner.

Unfortunately, there are now ways to intercept the SMS text. The most obvious one is to use the app you downloaded onto your phone to also read incoming SMS texts, with particular attention paid to ones that come from the bank.

The Flubot malware is an example, and it infected more than a million users.

But there are also techniques like SIM swapping, where attackers take a new SIM card and register it with the telco as the victim’s new one. This means all messages will now go to that new card.

Because of these weaknesses, it was recently announced by Bank Negara governor Tan Sri Nor Shamsiah Mohd Yunus that banks need “to migrate from SMS one time passwords to more secure forms of authentication”.

It’s also becoming obvious that education of the end user is not going to be enough going forward. Closing one vulnerability just makes attackers change their focus to the next technological advance to beat.

Meanwhile, end users are the ones who stand to lose out, especially if they are not able to individually bear the losses.

We’ve already had issues highlighted in the press where account holders have lost money seemingly due to no fault of theirs, and it’s not clear whether the bank involved would take some responsibility for it, let alone offer compensation.

Perhaps in the same way that bank accounts in Malaysia are normally protected in part by the insurance provided by the Malaysian Deposit Insurance Corporation (PIDM), there should be something similar for victims of these scams. Lembah Pantai MP Fahmi Fadzil has suggested a recovery fund modelled after a framework being worked on by the Monetary Authority of Singapore.

That framework aims to “provide clarity on how losses arising from scams are to be shared among consumers and financial institutions”.

While accepting that customers should take precautions (eg, never giving away banking credentials, or clicking on suspicious links), banks also need to safeguard customer accounts and respond to suspicious transactions.

Indeed, responsibility for security exists all along the chain, not just with the individual user at the end of it. There needs to be a concerted effort to take collective responsibility, and when money is stolen or lost, it shouldn’t immediately be only on victims to prove that they were an innocent party.

To its credit, it’s clear that Bank Negara recognises this, calling for cooperation with PDRM, the Malaysian Communications and Multimedia Commission and the National Anti-Financial Crime Centre to combat scams.

But whether they can advise my mother which is the right automatic dustbin to buy, that’s another matter entirely.

Logic is the antithesis of emotion but mathematician-turned-scriptwriter Dzof Azmi’s theory is that people need both to make sense of life’s vagaries and contradictions. Write to Dzof at lifestyle@thestar.com.my. The views expressed here are entirely the writer’s own.
