FILE PHOTO
MANILA, Philippines鈥擜 recent study by a global cybersecurity and digital privacy company found that amid the rapid rise of digital payment, more electronic payment (e-payment) users in Southeast Asia (SEA) have become increasingly aware of the importance of safeguarding their financial data鈥攅specially following the recent cases of financial cybercrimes across the region.
According to Kaspersky and research agency YouGov, at least 90 percent of 1,618 respondents surveyed across APAC (Asia Pacific) territories鈥攊ncluding Australia, China, India, Indonesia, Malaysia, Philippines, Singapore, South Korea, Thailand, and Vietnam鈥攈ave used mobile payment applications at least once in the past 12 months.
The COVID-19 pandemic, according to the study, has also paved the way for the use of digital payment methods.
Around 15 percent of the total survey respondents said they began using digital payment methods during the pandemic. At least 81 percent of the respondents said they used digital payments due to convenience.
As more people rely on digital payments, security risks have become a top concern among users鈥攚ho, based on the same study, have also identified several additional security features, which they hope to see implemented by banks and mobile wallet providers.
Among the security features mostly suggested were:
- sending of one-time password (OTP) via SMS for every transaction
- requiring two-stage identification
- biometric security features like facial or fingerprint recognition
- automated detection and intervention for fraudulent transactions
- 鈥渢okenization鈥 or protecting sensitive data by 鈥渞eplacing it with an algorithmically generated number called token鈥
OTPs: Most preferred security feature
Over three in five, or 67 percent, of the surveyed digital banking and mobile wallet users in SEA said they hope for the implementation of OTPs through SMS for every transaction鈥攖o prevent unauthorized transactions.
For 57 percent of survey respondents, two-factor authentication was the most urgent concern, while 56 percent said biometric security features, like facial or fingerprint recognition, should be added for digital banking and e-wallets.
Almost half, or 40 percent, said that banks and mobile wallet companies should 鈥渟tart preventing frauds/scams automatically based on spending behavior and/or transfer history.鈥
鈥淒igital payment customers welcome the use of machine learning in combatting social engineering attacks,鈥 Kaspersky said in a statement.
Over a quarter, or 28 percent, prefer to have tokenization as part of additional security for bank and mobile payment transactions. This involves the process of protecting sensitive data by replacing it with an algorithmically generated number called a token.
According to the same report from Kaspersky and YouGov, respondents from the Philippines preferred to see the following security features for digital banking and payments:
- OTPs via SMS: 75 percent
- two-factor authentication: 52 percent
- biometric security features: 62 percent
- automated fraud and scam detection and prevention: 38 percent
- tokenization: 17 percent
Table: Kaspersky
鈥淪EA鈥檚 sheer market size in terms of digital payment offers a lengthy runway for expansion. In a competitive sector, payment companies should be assessed not just on their innovations, but also on their security posture,鈥 said Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky.
鈥淲e can draw from our findings that customers are increasingly becoming aware of the value of technology to protect their finances online. In general, these security features are useful preventive measures that can potentially enhance the cybersecurity standards in the digital payments space,鈥 Tiong added.
鈥淗owever, these options should not be viewed in an isolated manner, but considered as part of a holistic cybersecurity framework.鈥
Security likewise remained a top priority when it comes to choosing a mobile e-wallet provider.
Around 58 percent of digital payment users in the SEA region said they will use an e-wallet that has extra security features like fingerprint and two-factor authentication.
More than a third, or 37 percent, said they will use banking apps or mobile wallets from providers that have not have been engaged in any previous data breach or cybersecurity attack.
鈥淎 number of respondents also noted that mobile e-wallet has to be independent鈥攃an be used directly by a bank or through a third party (42%) or a closed one鈥攍inked to specific merchants, where users can only use the funds to make payments for transactions initiated with the specific merchant (35%),鈥 said Kaspersky.
鈥淎nother set of consideration in choosing a digital wallet company included apps that should offer promos, cash back, lower transfer fees (49%); provide anonymity鈥攗sers don鈥檛 need to reveal credit card details to too many merchants (35%); be bankless鈥攂ank account details not needed (25%) and be locally made (16%),鈥 it added.
Limitations
However, Kaspersky noted that the security features could still have their limitations.
SMS-based authentication, such as OTPs and two-factor authentication, could be unreliable at times since it can be intercepted by a Trojan鈥攁 type of malicious code or malware鈥攊nside the smartphone.
鈥淸A] defect in the SS7 protocol used to transmit the messages,鈥 Kaspersky said, can also disrupt SMS-based authentication.
Another method commonly used by cybercriminals was SIM swapping, wherein fraudsters trick banks to illegally obtain replacement SIM cards and use them for fraudulent activities鈥攊ncluding the use of generated passwords sent to mobile numbers to access their victim鈥檚 bank account.
READ:
鈥淲ith the complicated nature of securing apps and finances online, it is not surprising that over three in five (65%) of the respondents said that banks and mobile wallet companies should provide more incentives to maintain the security decorum 鈥 such as changing passwords regularly,鈥 the cybersecurity firm explained.
鈥淎nother 60% noted that providers should educate users more about the threats online,鈥 it added.
Self-protection
The study, after establishing the limitations of certain security features for mobile banking and payments, asked the respondents about the things they do to protect themselves鈥攊ncluding their data and money鈥攁gainst malicious attacks and cybercrimes.
Results found that almost half, or 49 percent, of respondents said that while they understood the need for antivirus software to protect their money and data online, they also acknowledged the need to use some other software or services to receive full security.
鈥淲hile it is encouraging that almost half of all respondents have developed an acute sense of awareness when it comes to protecting themselves when making an online transaction, almost a quarter (22%) felt that the use of antivirus software was sufficient, followed by 18 percent where respondents were uncertain or unaware about how antivirus could help them mitigate the risk of financial loss,鈥 Kaspersky noted.
The firm also said that an alarming 12 percent of the respondents felt that antivirus software was not an essential tool in the fight against cyber threats.
鈥淲hile antivirus solutions may not represent the catch-all solution to all cyber threats looking to steal our money and personal data, they should be understood as an effective safety net as most advanced solutions these days are able to filter out most of the generic attack vectors,鈥 said Vitaly Kamluk, director of Global Research & Analysis Team (GReAT) for Asia Pacific at Kaspersky.
鈥淚n fact, the true significance of antivirus solutions should be best understood as an advanced warning system where the user can adopt containment strategies and alter their own personal protocols when it comes to digital payments,鈥 Kamluk added.
Some of the most common personal steps taken by respondents to protect themselves from threats include:
- downloading apps from official app stores: 47 percent
- using additional layer of protection/s: 41 percent
- keeping a minimum amount of money in an account they use: 38 percent
- using devices with operating systems which they believe is most secure: 35 percent
- changing passwords regularly: 30 percent
- using antivirus and/or other security solutions: 27 percent
- using a dedicated mobile device for all financial transactions online: 26 percent
- separating salary or main account in any mobile wallet applications: 36 percent
- using a dedicated laptop for all financial transactions online: 16 percent
Around three percent, however, said they have not done anything to protect themselves from financial threats online. Another two percent said they are not aware of how to protect themselves from financial threats online.
鈥淭here are no questions about the efficiency and convenience digital payments has to offer, with consumers wanting the same thing at every touchpoint of the online or offline purchasing journey,鈥 Kamluk clarified.
鈥淏usinesses and individuals need to be quick to adapt to the new realities of a digital economy, and it is comforting to see that many have managed to pivot successfully to e-payments in such a short period of time,鈥 he continued.
鈥淗owever, the speedy adoption process of digital payments need to be tempered with realism鈥攐ne that takes into consideration some of the sentiments people have around trust if they want to strengthen and future-proof their digital payments architecture,鈥 he added.
What should be done?
Just recently, 16 teachers from Metro Manila, Calabarzon (Cavite, Laguna, Batangas, Rizal, Quezon), Central Luzon, Negros, and Mindoro reportedly lost at least P26,000 to P121,000 each through unauthorized withdrawals from their payroll accounts in the Land Bank of the Philippines (LBP).
READ: Some teachers lose P26K to P121K each in alleged bank hacking 鈥 group
LBP, on the other hand, has denied any hacking incident in its systems and said that the teachers鈥 accounts were illegally accessed through phishing.
Last December, nearly 700 BDO Unibank accounts have been hit by the fraudulent transactions
According to social media posts of some victims, they discovered that unauthorized fund transfers were made using their accounts to move money to a UnionBank of the Philippines (UBP) account of a certain 鈥淢ark Nagoyo.鈥
READ: As holidays beckon, bank clients reminded of anti-fraud steps
READ: NBI arrests 2 Nigerians, 3 others for 鈥楳ark Nagoyo鈥 bank hacking
To prevent being a victim of ever-changing fraud and cybercrime techniques, especially amid the rise of mobile banking and online payments during the pandemic, Kaspersky has recommended digital payment providers to adopt the following measures:
- Ensure prompt patching and updating of software to prevent adversaries from penetrating the system.
- Implement high-grade encryption for sensitive data and enforce strong credentials and multi-factor authentication.
- Use effective endpoint protection with threat detection and response capabilities 鈥渢o block access attempts, and managed protection services for efficient attack investigation and expert response.鈥
- Educate customers and employees on possible tricks fraudsters may use.
- Conduct annual security audits and penetration tests to find security issues in a company鈥檚 networks.
- Install a fraud prevention solution which can be quickly adapted for identifying new attack schemes and methods.
鈥淲hile some of the preventive measures are not entirely new and have been around for some time, it is crucial to consider how security features can be integrated in a manner without compromising the user experience,鈥 said Chris Connell, managing director for Asia Pacific at Kaspersky.
鈥淪uch a strategy should focus on quality, not quantity, as the addition of too many features may potentially put off new and existing users from their digital payment offering,鈥 he added.
鈥淲hat is required, is to track where the cybersecurity gaps are when it comes to each stage of the payment process, and fit in the right IT measures in a calibrated manner.鈥