Risky price of convenience
Experts warn of dangers in freely sharing bank QR codes on dubious platforms
Cashless payment options have become popular after the Covid-19 pandemic due to their convenience and the unnecessary need to carry large amounts of cash. However, danger lurks in the sharing of QR codes needed to make payments.
Apart from using e-wallets, the DuitNow service offers a banking solution that enables users to conduct transactions by scanning a personal bank QR code.
Today, it is a common practice for people to use a similar method to receive money, especially during festive seasons by sharing their QR codes online.
However, Emma Rahim from the rawSEC Malaysia CyberSecurity Community public communication secretariat said users need to be aware that publicly sharing personal bank QR codes exposes them to cyber criminals who can exploit such information.
“Cyber criminals can extract information from a bank QR code to launch phishing attacks, create fake websites or apps, and trick people into disclosing important information such as login or personal details.”
She said cyber criminals could also use social engineering tactics such as impersonation and manipulation to deceive individuals into divulging sensitive information.
Scammers may transfer money to potential victims, and then create a phishing email to falsely accusing them of receiving funds from terrorists.
“They then manipulate the recipients into taking certain actions to purportedly clear their accounts, thereby executing a financial scam.”
Emma said during festive seasons when QR codes are often shared to receive “duit raya” or “ang pao”, people should send them only to trusted individuals.
She warned against sharing QR codes on public domains such as forums or social media platforms, and to be cautious of unsolicited requests for personal or financial information.
Technology, media, telecoms and data protection legal adviser Deepak Pillai said while no law or regulation prohibits a person from sharing QR codes online, doing so could lead to financial disaster if it results in the individual being scammed.
“If people do not safeguard their personal banking information or protect their data, financial institutions can hold them accountable for any unauthorised transactions or fraudulent activities that occur.
“Also, according to Bank Negara Malaysia’s credit card policy, a financial institution can hold a cardholder liable for unauthorised transactions if he delays notifying the institution after having discovered the unauthorised use of his credit card, or the cardholder voluntarily discloses his card PIN to a third party.”
Deepak said the Financial Services Act 2013 and the Islamic Financial Services Act 2013 are the primary legislation that contain provisions offering protection and safeguards for the financial information of customers.
He added that banking information is considered personal data and protected under the Personal Data Protection Act 2010, which serves as the main regulation governing the processing of personal data in the context of commercial transactions.
However, Deepak said third parties such as social media platforms or websites are currently not legally required to implement measures to safeguard personal banking information shared through QR codes on their platforms.
“These platforms ought to educate users about the inherent risks, including issuing warning messages alongside shared QR codes to caution users about the potential risks of publicly sharing personal banking information and scanning unverified bank QR codes.
“In response to the increasing number of financial scams, banks have recently introduced ‘kill switch’ features that allow their customers to instantly freeze their accounts if they encounter suspicious activities,” he said.
Deepak also advised the public to take a proactive approach to understand and practice good digital hygiene, including steps to protect themselves against legal and financial risks.
He said this entails educating themselves on how criminals generally acquire and misuse information and the steps that must be taken to prevent this from happening.