BNM - Unauthorised Transaction Scams Down by 58%

Business & Finance
14 Oct 2023 • 4:30 PM MYT
My Musing

Writing on military, history, economics, and social issues since 2006.

Plethora of phones. Photo credit: Danny Liew

Early this month, Datuk Shaik Abdul Rasheed Abdul Ghaffour, the Governor of Bank Negara Malaysia (BNM), announced that total unauthorised transaction scams have dropped by 58%. He attributed the reduction of scams to the BNM implementing five key measures to reduce fraud. One of these key measures is the implementation of stronger Multi-Factor Authentication (MFA) in the form of secure keys for Internet banking channels.

MFA

It is not that the banks in Malaysia did not have MFA in place at the time. The One-Time PIN, or OTP, is an example of an older variant of MFA. OTP-based MFA was designed in an era when few malicious actors targeted mobile phones.

Between 2021 and 2022, there was a massive outcry in the media over Malaysians falling victim to unauthorised transactions. Banks rejected the claims for compensation because their internal logs showed that these transactions had been validated using the OTP sent to the victims' phones. In many cases, the victims had unknowingly installed malicious applications onto their phones. The malicious app provided a backdoor for the hackers to intercept the OTP and then delete it to avoid detection.

Banks were in a dilemma. Despite often reminding customers on their websites, in their apps and even during face-to-face meetings to refrain from installing unknown applications onto their devices, many customers still did. Worse still, some malicious actors managed to upload their apps to Google Play and, in some cases, to inject malicious code into genuine apps. Even the much-vaunted Apple Store is vulnerable to such cases. Security researchers have found malware concealed in the Apple Store; the app only morphed into malware after it had been uploaded to the Apple Store, circumventing Apple's verification process. Huawei's app store faced similar issues even earlier.

Secure Key

As banks moved to secure key MFA, customers' Internet banking profiles are now bound to their mobile devices. In theory, this method prevents scammers from intercepting the MFA challenge sent to customers to validate transactions.

BNM required all banks to adopt this MFA by June 2023, and all banks have since complied. This move explains the reduction of unauthorised transaction scams in Malaysia. However, the reduction in unauthorised transactions was only 58%. What about the other 42%?

Challenges

While it is true that banks have moved to secure key MFA as per BNM requirements, there have been hiccups along the way.

The binding of phones to the Internet banking profile for most banks still requires an OTP. Realising the potential vulnerability, HSBC requires its accountholders to call in to deactivate their previous device so that it can perform caller verification. All I need to do after the call is to activate the account at a later time.

Maybank, on the other hand, requires customers to wait for at least 12 hours before activating the secure key. It also performs a call verification with the accountholder at an undisclosed time after the request.

Not all banks are equal; some other banks allow an OTP to replace the existing bound phone, with a cooling-off period in between. On the same note, the e-wallet service provider also allowed the bound phone to be replaced almost immediately after the user's password and OTP verification.

On the same issue, Maybank faces one problem with the secure key implementation. As one phone is bound to one Internet banking profile, Maybank customers who are entrepreneurs either need another phone to register a separate secure key for their other Internet banking profile or have to change banks altogether.

And then there are credit card transactions via 3-D Secure authentication services. Banks subscribe to the service to authenticate their card-not-present transactions. These transactions still require an OTP. Hence, OTP is still around and probably accounts for the remaining 42% of unauthorised transactions. OTP may therefore stay for a while, as 3-D Secure is an international service beyond BNM's jurisdiction.

There's another facet of bound devices I have yet to mention. Do banks share the details of the devices they have identified as having been used in scams? In theory, scammers can use the same device to take over their victims' Internet banking profiles at one bank after another. If banks shared information on the devices used, it would hopefully make scams cost-prohibitive for scammers even with cheap phones around.

Other Types of Scams

Scammers are always one step ahead of us in this game. If you have noticed, there is an increasing trend of job scams. Similarly, parcel scams are coming back into the picture. As these syndicates find their previously lucrative channels no longer accessible, they look for other methods to continue their nefarious activities.

Consumer Education

That may be the only way. We are all consumers. As much as we hope people around us are law-abiding, there are always those who find no qualms in committing crimes.


Danny Liew is a content creator under the Newswav Creator programme, where you get to express yourself, be a citizen journalist, and at the same time monetize your content & reach millions of users on Newswav. Log in to creator.newswav.com and become a Newswav Creator now!