BETWEEN January 2019 to July 2022, Malaysians had lost over RM2 bil to digital scams but yet, ruling career politicians are still trapped within the “SPM mentality” by launching multiple “awareness” campaigns to tackle scams.
The Government must implement concrete macro-policies to curb scams such as improving digital privacy. Unknown to the masses, there is a strong correlation between the number of scams to digital data leaks.
The COVID-19 pandemic had increased the amount of personal data available due to accelerated digitalisation while the weakness in digital privacy regulation had increased the quantity and quality of actionable data leaks.
The amount of data compromised per leak is higher in the public sector compared to the private sector. However, data leaks are more common in the latter sector compared to the former sector.
Meanwhile, cumulatively, more data are leaked from the private sector than the public sector. Hackers monetise these data leaks by selling them on the dark web to potential scammers.
Data leaks from financial surveys and consumer loyalty programmes provide scammers with information about the potential victims’ financial capacity whereas data leaks from e-commerce websites such as consumer activities and debit card details allow scammers to impersonate bank staff, police officers and Bank Negara officers.
Scammers utilises these data leaks to provide certain accurate information to convince and terrorise victims.
Data leaks increase the success rate of scams. Thus, scammers continue to raise the price for data leaks on the dark web which motivates hackers to steal more digital data. This self-reinforcing vicious cycle can only be broken by strengthening digital privacy.
Make account deletion function mandatory
Firstly, make the account deletion function for apps and websites mandatory. Most consumer websites and smartphone apps do not have an account deletion function and users cannot delete their personal details after they decide to stop using those services permanently.
Certain website operators require users to e-mail them for account deletion. This additional step was designed to discourage users from deleting their personal details.
This is a deliberate business practice to retain personal data. Dormant accounts with personal details increase the number of actionable data leaks.
In Malaysia, 99% of smartphone users download their apps from Apple AppStore, Google Play, Huawei AppGallery, and Windows Phone Apps.
Currently, only Apple makes mandatory an account delete function for apps published in App Store. However, Apple’s iPhone makes up only 27% of smartphone users in Malaysia, therefore leaving the rest of smartphone users in the country vulnerable.
A compulsory account deletion function allows users to remove their personal details from websites and apps. The reduction in dormant accounts with personal details reduces the probability of being scammed.
Make the use of passkeys mandatory
Passkeys are the new global standard for login privacy developed by FIDO Alliance with the World Wide Web Consortium (W3C).
The Government’s campaigns advising people not to share their login credentials are meaningless as login credentials are stolen from the website servers and not shared voluntarily by the people.
Password-based login is made up of two components, namely the username and password. Both login credentials are stored on the website server.
Hackers attack these servers to steal login credentials. The majority of server attacks are neither detected nor reported, and the fact that users do not change their passwords following an attack grants scammers easy access to data.
Passkeys use digital cryptography linked to personal devices to replace password-based login. Passkeys store one of two credential components in the user’s personal device itself and are resistant to phishing, making it near impossible for scammers to access users’ accounts.
Operating System (OS) developers such as Apple, Google, Huawei, and Microsoft have made passkeys available across their software.
However, domestic websites are reluctant to adopt passkeys due to integration costs. Thus, the Government needs to make it compulsory for domestic websites to adopt this method for better data security.
Adopt multi-ledger pseudonymisation for government data
Multi-ledger pseudonymisation is a data storage method whereby personal data on the master ledger is masked with pseudonyms.
The multi-ledger pseudonymisation could be explained in layman analogy using a Microsoft Excel spreadsheet and three pen drives.
Let’s assume that Department XYZ keeps records of names with the respective IC numbers in a Microsoft Excel spreadsheet in pen-drive A. The multi-ledger pseudonymisation method will replace the names and IC numbers with pseudonyms.
The name corresponding with the pseudonym is kept separately in an Excel sheet in pen-drive B whereas the IC number corresponding with the pseudonym is kept separately in an Excel sheet in pen-drive C.
The government staff will be required to cross-reference Microsoft Excel spreadsheets from three different pen drives simultaneously to link a specific name to the IC number and stealing just one pen drive will not grant any actionable information.
In reality, multi-ledger pseudonymisation operations are faster and more sophisticated. The data are stored in multiple different cloud servers with cross-referencing conducted upon request.
Multi-ledger pseudonymisation operation reduces the quality of actionable data for hackers.
Get telcos to provide eSIM
Finally, instruct all domestic telcos to provide eSIM at no cost to new and existing customers. Embedded SIM (eSIM) is the global industry standard to activate cellular without the physical SIM card.
Most Malaysians will not terminate their physical SIM cards after losing their phones with hopes of reuniting with their phones one day.
Scammers may not have access to data from lost or stolen mobile phones due to the screen lock function but they can gain access to the physical SIM card which will allow them to gain access to one-time passwords (OTPs), secondary authentications and password reset.
eSIM prevents scammers from accessing the SIM card in a locked phone. This reduces the probability of hacking into users’ personal accounts.
Currently, only eight out of 25 cellular providers in Malaysia provide eSIMs. Not all mobile devices are compatible with eSIM, but it minimises the accessibility of SIM cards by scammers.
Curtailing the quality and quantity of actionable data leaks will reduce the success rate of scams. The proposed steps are within the discretionary power of the Multimedia and Communication Ministry which regulates digital infrastructure.
The primary question now is if there is the political will to execute them. – Sept 27, 2022
Sharan Raj is a human rights activist, environmentalist and infrastructure policy analyst. Currently, he is pursuing a postgraduate degree through research in economics, focusing on a regional currency union for ASEAN and Oceania.
The views expressed are solely of the author and do not necessarily reflect those of Focus Malaysia.
