Want to fight scams? We may have to ditch some practices that make transactions easy
Banks, e-commerce and social media platforms have to start accepting more responsibility, and consumers may have to put up with some inconvenience to keep online dealings secure.
How many times have we heard the same story?
A victim sees a very tempting deal advertised on social media or e-commerce platforms. It could involve mooncakes, beer, wagyu beef or durians.
The victim contacts the seller and then clicks on a link sent to him over private messaging.
The victim loses money through unauthorised online banking transactions.
According to the latest police statistics released on Wednesday, social media platforms such as Facebook and Instagram, private messaging tools like WhatsApp, and online shopping platforms hosted about two-thirds of the 22,000 cases of scams that took place from January to June 2023.
The problem in many such cases is that it’s hard to tell a scammer from a genuine seller – until it’s too late.
That is because, to carry out their criminal activities, scammers borrow practices commonly used by legitimate sellers.
Many genuine sellers use social media platforms like Facebook and Instagram and e-commerce platforms like Lazada and Shopee to peddle their goods and services. It is also normal for customers to fill out a clickable order form. But now, casually clicking on such links could empty out your bank account.
Remember Take.sg , the online ordering form that helps small businesses organise orders through WhatsApp? Take.sg was created in 2021 by Mr Youmin Kim, then a software engineer at Facebook, as a personal project to help hawkers affected by Covid-19 restrictions. Customers click on a link to fill out a form, and view the invoice within WhatsApp as part of the process.
Now that easy-to-follow practice has been weaponised by scammers. The latest victim, Mr Adrian Kong, 50, lost $60,000 via PayNow overnight after he responded to an advertisement for cheap beer on Facebook in August. The seller led him to click on a link to download an app believed to contain malware.
A similar thing happened to some 27 victims who lost a total of $325,000 in a scam involving advertisements for cheap mooncakes on Facebook and Instagram.
Another victim, Ms Lim (not her real name), had more than $20,000 emptied from her POSB Everyday credit card account and two DBS Bank savings accounts in a matter of hours in July. Scammers impersonating catering company Grain on Facebook sent her a link via WhatsApp to download a fake app that looked like Grain’s mobile app.
So far, the key message has been: Be wary of all clickable links. In almost all the reported incidents, victims clicked on links sent via WhatsApp or SMS. Malware-infected apps then got downloaded, allowing scammers to hijack their phones to capture keystrokes and steal banking credentials.
The entire industry now needs to review some of these accepted practices.
We also need to shed the assumption that this happens only to vulnerable seniors, as even tech-savvy people can get scammed. So can Apple iPhone users, not just those using Android phones. Malware can get onto iOS devices via a similar sideloading process if apps are downloaded from portals outside of the Apple App Store.
The key takeaway is this: Customers may have to shed many of the practices that made transactions convenient, while the middlemen (including banks and e-commerce and social media platforms) may have to shoulder more responsibility to root out scams.
Regular security updates
The institutions behind online payments and e-commerce need to get their act together.
It’s true that security measures were tightened after 790 OCBC Bank customers lost $13.7 million in phishing attacks in December 2020 and January 2021. Since then, all retail banks here have introduced a kill switch to let customers freeze all accounts if they are suspected to have been compromised. Banks have also introduced a delay of at least 12 hours before a new soft token can be activated on a mobile device.
But these measures will need to be updated more regularly as scammers are one step ahead of the game.
For instance, banks must now notify customers when a request is made to change key account details, such as phone numbers for receiving one-time passwords (OTPs). Banks must also notify customers when high-risk transactions – including adding a payee or increasing transaction limits – are made.
But what good will these OTPs or notifications do if they are received or generated on hijacked phones? This happened to Mr Kong and Ms Lim, whose phones were hijacked by scammers after they clicked on dubious links.
Mr Kong lost $60,000 from his DBS account in four separate transactions. The scammer even raised his daily PayNow transfer limit to $125,000. The transactions took place past midnight when Mr Kong was asleep.
Ms Lim’s POSB Everyday credit card limit was increased from $14,500 to $18,500 in hours. She lost a total of more than $20,000 – all her account balances and more.
Broken 2FA process
The current two-factor authentication (2FA) process involving OTPs needs to be reviewed urgently.
Currently, OTPs are sent via SMS or generated by the soft token (usually in banking apps) on the phone. If a phone is already compromised with malware, the OTPs sent via SMS or generated by the soft token can be captured by hackers, and the whole 2FA process is broken.
Biometric verifications via face or fingerprint scans can mitigate some of the risks of remotely executed unauthorised transactions.
There is currently a 12-hour lag before a new soft token on a mobile device is activated. Having been burned, Mr Kong suggested a similar delay before banks approve requests for high-risk transactions, such as the raising of transfer limits or the transfer of large sums. Such a delay would have given Mr Kong and Ms Lim time to react.
Some experts also believe it may be time to consider resurrecting hardware tokens to restore the integrity of the 2FA process. The scammer will have to get hold of the victim’s physical token device to steal the OTP or execute a truly convincing phishing campaign to get the victim to divulge it.
Some security technology vendors have embedded the hardware token in plastic cards, which could double as ATM or credit cards. This could be a solution for banks to consider.
Platforms must do their part
Currently, the burden of checking whether a seller is authentic is mostly on the buyer. But e-commerce and social media platforms must do their part in weeding out rogue sellers and advertisements.
One way to promote greater accountability is to bring these technology firms under the Monetary Authority of Singapore’s (MAS) proposed framework for equitable sharing of losses arising from scams.
The framework basically proposes that the different players involved in a transaction shoulder their fair part of the loss if a scam takes place. This has yet to be rolled out, even though it was proposed in July 2021. The Straits Times understands that telcos and banks could not agree on their share of the liability. It is also not known if e-commerce platforms, social media firms and SMS aggregators (which many banks use to send out OTPs and notifications) will come under the framework.
Meanwhile, consumers can manage their risks by opting for an escrow when paying for goods online. So far, only Shopee provides an escrow service.
An escrow is a contractual arrangement in which a third party receives and disburses money when a transaction takes place. This third party holds the funds until both buyer and seller have fulfilled their ends of the deal.
This could be a useful way to protect consumers from sellers who disappear after payment is made. With an escrow in place, a dodgy seller will not be paid until the customer receives the product.
Also, e-commerce and social media platforms are more likely to provide an escrow service or step up checks on sellers and advertisers if they are held at least partly liable for losses arising from scams.
Accept some inconvenience
Consumers must be prepared for a new reality: If they want more protection from scams, online payments and banking may not be as smooth as before.
In August, OCBC caught some flak from customers. It had introduced a new security feature on its banking app that would block access to Internet banking if it detected risky apps being downloaded from unauthorised portals. But the execution got botched up, with customers complaining of legitimate apps – such as Microsoft Authenticator, Google Authenticator and LG ThinQ – being wrongly flagged as malware.
Even so, the security feature has saved at least 30 OCBC customers from losing more than $2 million since it was introduced on Aug 5.
DBS also said its active network surveillance saved customers at least $16.5 million in losses over the last three months, including from malware scams.
Whether banks are scanning malware on their banking networks or on their customers’ phones, it may inconvenience some customers, but they must realise it’s for their own good. This much is known: The Association of Banks Singapore and the MAS are expecting more banks to scan for malware and step up their security protocols.
On their part, banks must make sure that their call centres and branches are properly resourced so that customers can reach them in a hurry when they need help. This will make it less painful to transition to the new normal of transactions full of friction.
Join ST's Telegram channel and get the latest breaking news delivered to you.
Posts
No comments:
Post a Comment