Malaysian e-wallet players must pay heed to fool-proofing their offerings

It has obviously been a double whammy for Malaysia’s leading cashless innovator Touch ’n Go (TnG) after some school teachers recently found a decent sum of money (hundreds of thousands of ringgit according to Sin Chew Daily) missing from their e-wallets.

This comes so soon after the country’s mobility leader was embroiled in the “RFID (radio frequency identification) saga” when the system it supplied encountered hiccups upon being implemented by expressway concessionaire Plus Malaysia Bhd at 83 toll plazas along the North-South Expressway (NSE).

Back to the e-wallet issue, Sin Chew Daily reported on Feb 12 that money was continuously stolen as some of the victims had activated the auto-reload function, which is linked to the account holders’ bank credit/debit card accounts.

“The theft could not be reported in the early morning because the e-wallet company does not provide a 24-hour fraud report service,” the Chinese daily pointed out. “Hence, money continued to be stolen repeatedly with account holders unable to do anything.”

During a press conference organised by the DAP, one of the victims claimed to have lost nearly RM3,000 through three transactions made in a span of seven minutes.

Based on a screenshot published by Kwong Wah Yit Poh, one of the accounts was used to purchase Steam Wallet credits, based on the multiple RM300 transactions made to “Valve”. The paper further reported that about 20 teachers had fallen victim and demanded that TnG explain why hackers were able to carry out such transactions without their permission.

Meanwhile, DAP Public Complaints Bureau Chief Yew Jia Haur urged other victims to come forward and make police reports. He also advised users not to use the first six digits of their identification card or their date of birth as their e-wallet’s six-digit PIN.

Flawless security features?

News portal SoyaCincau recently evaluated the TnG e-wallet’s security features and came out with the assessment below.

Following complaints and security suggestions made several years ago, TnG e-wallet has made some changes to its security process, which uses facial recognition, a six-digit PIN and a one-time password (OTP), but the process is inconsistent.

It is worth highlighting that the TnG e-wallet will only allow one active device and you’ll be logged out automatically if you log in on another phone.

If you try to log in to your TnG e-wallet from a new phone, users with facial recognition enabled are required to scan their face and blink to prove that they are not a bot. If the face matches, they are required to enter an OTP that is sent via SMS, but if the facial recognition fails or is cancelled, the app asks for a six-digit PIN, which is less secure.

From our tests, users without facial recognition are only required to enter their six-digit PIN to access their account. In some instances, if you try to re-login on the same device, you can access your account with just facial recognition, and there is no need for further verification with the six-digit PIN or OTP.

At the time of writing, TnG e-wallet has not yet enabled fingerprint verification for its app. A fingerprint sensor feature would be useful on older devices to minimise exposure of the six-digit PIN in public when making a transaction.

TnG has repeatedly reminded users not to use their date of birth, phone number, simple sequences (e.g. 123456) or repeated digits (e.g. 111111) to secure their e-wallets.
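The advice in the two preceding passages (not using the first six digits of one's identification card, one's date of birth or phone number, simple sequences or repeated digits as the PIN) can be enforced at enrolment time rather than left to the user. The following is an added example written for this page, not TnG's or SoyaCincau's code: a hypothetical server-side screening function that rejects a six-digit PIN matching any of those patterns. The date formats, the phone-number check and the function names are assumptions; the only page-supplied rules are the weak-PIN categories themselves.

```python
"""Weak-PIN screening for a six-digit e-wallet PIN.

Hypothetical enrolment-time check (added example, not TnG's code) that
applies the advice quoted in the article: reject PINs built from the
user's date of birth, the first six digits of their identification card,
their phone number, a simple sequence, or a single repeated digit.
"""
import re
from datetime import date

PIN_LENGTH = 6


def _digits_only(value: str) -> str:
    """Strip everything except digits so '012-3957 890' and '0123957890' compare equal."""
    return re.sub(r"\D", "", value)


def _is_sequence(pin: str) -> bool:
    """True for ascending or descending runs such as 123456 or 654321 (step of +1 or -1)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def _date_forms(dob: date) -> set:
    """Six-digit renderings of a birth date that a user might type as a PIN.

    Assumed formats: ddmmyy, yymmdd, mmddyy, plus every six-digit window of
    ddmmyyyy and yyyymmdd (e.g. 250319, 031990 for 25 March 1990).
    """
    forms = {dob.strftime(fmt) for fmt in ("%d%m%y", "%y%m%d", "%m%d%y")}
    for long_form in (dob.strftime("%d%m%Y"), dob.strftime("%Y%m%d")):
        forms.update(long_form[i:i + PIN_LENGTH] for i in range(len(long_form) - PIN_LENGTH + 1))
    return forms


def weak_pin_reason(pin: str, dob: date = None, ic_number: str = None, phone: str = None) -> str:
    """Return a short reason if the PIN is weak, or an empty string if it passes.

    Only the personal data the caller supplies is checked; passing nothing
    still catches the structural patterns (length, repeats, sequences).
    """
    pin = _digits_only(pin)
    if len(pin) != PIN_LENGTH:
        return "PIN must be exactly six digits"
    if len(set(pin)) == 1:
        return "repeated digit"
    if _is_sequence(pin):
        return "sequential digits"
    if dob is not None and pin in _date_forms(dob):
        return "derived from date of birth"
    # The first six digits of a Malaysian IC encode the birth date (YYMMDD),
    # so this check overlaps the date-of-birth check when both are supplied.
    if ic_number and _digits_only(ic_number)[:PIN_LENGTH] == pin:
        return "first six digits of identification card"
    if phone and pin in _digits_only(phone):
        return "substring of phone number"
    return ""


if __name__ == "__main__":
    # Constructed sample profile; none of these values are real.
    profile = {"dob": date(1990, 3, 25), "ic_number": "900325-14-5678", "phone": "012-3957 890"}
    for candidate in ("111111", "654321", "250390", "900325", "395789", "482913"):
        verdict = weak_pin_reason(candidate, **profile) or "accepted"
        print(f"{candidate}: {verdict}")
```

In practice the reason string is for the operator's logs and metrics; the user should only be told that the PIN is too predictable, so the prompt does not reveal which personal datum the service holds.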

TnG e-wallet has a money-back guarantee which promises to refund one’s money if one’s e-wallet is charged with an unauthorised transaction. However, a report of the transaction must be made to TnG within 60 days from the unauthorised transaction date. The compensation will be given within five working days upon investigation and confirmation.

Some of the victims of the TnG e-wallet’s fraudulent transaction at the DAP media conference (Pic courtesy of Sin Chew Daily)


Beware of malware apps

Besides securing one’s account with stronger passwords, SoyaCincau noted that the type of apps one installs may also put one’s online banking and e-wallet’s security at risk.

There has been a rise in scams that use APK (Android Package Kit) files laced with malware to steal 2FA (two-factor authentication) SMS codes. These malware apps can read one’s SMS messages, including OTPs sent by one’s bank or e-wallet provider, thereby allowing the culprits to access one’s account.

“It is advisable to only download apps from the Apple App Store, Google Play Store, and Huawei App Gallery,” advised SoyaCincau.

“You should avoid downloading and installing random APK files that are sent by strangers or from untrusted app stores. Maybank has also put up a PSA (public service announcement) to warn its customers not to install apps from unknown sources.” – Feb 15, 2022
