Threat awareness high as digital banking users list preferred security steps
MANILA, Philippines—A recent study by a global cybersecurity and digital privacy company found that amid the rapid rise of digital payment, more electronic payment (e-payment) users in Southeast Asia (SEA) have become increasingly aware of the importance of safeguarding their financial data—especially following the recent cases of financial cybercrimes across the region.
According to Kaspersky and research agency YouGov, at least 90 percent of 1,618 respondents surveyed across APAC (Asia Pacific) territories—including Australia, China, India, Indonesia, Malaysia, Philippines, Singapore, South Korea, Thailand, and Vietnam—have used mobile payment applications at least once in the past 12 months.
The COVID-19 pandemic, according to the study, has also paved the way for the use of digital payment methods.
Around 15 percent of the total survey respondents said they began using digital payment methods during the pandemic. At least 81 percent of the respondents said they used digital payments due to convenience.
As more people rely on digital payments, security risks have become a top concern among users—who, based on the same study, have also identified several additional security features, which they hope to see implemented by banks and mobile wallet providers.
The most commonly suggested security features were:
- sending of one-time password (OTP) via SMS for every transaction
- requiring two-stage identification
- biometric security features like facial or fingerprint recognition
- automated detection and intervention for fraudulent transactions
- “tokenization” or protecting sensitive data by “replacing it with an algorithmically generated number called token”
OTPs: Most preferred security feature
Over three in five, or 67 percent, of the surveyed digital banking and mobile wallet users in SEA said they hope for the implementation of OTPs through SMS for every transaction—to prevent unauthorized transactions.
For 57 percent of survey respondents, two-factor authentication was the most urgent concern, while 56 percent said biometric security features, like facial or fingerprint recognition, should be added for digital banking and e-wallets.
Almost half, or 40 percent, said that banks and mobile wallet companies should “start preventing frauds/scams automatically based on spending behavior and/or transfer history.”
“Digital payment customers welcome the use of machine learning in combatting social engineering attacks,” Kaspersky said in a statement.
Over a quarter, or 28 percent, prefer to have tokenization as part of additional security for bank and mobile payment transactions. This involves the process of protecting sensitive data by replacing it with an algorithmically generated number called a token.
According to the same report from Kaspersky and YouGov, respondents from the Philippines preferred to see the following security features for digital banking and payments:
- OTPs via SMS: 75 percent
- two-factor authentication: 52 percent
- biometric security features: 62 percent
- automated fraud and scam detection and prevention: 38 percent
- tokenization: 17 percent
“SEA’s sheer market size in terms of digital payment offers a lengthy runway for expansion. In a competitive sector, payment companies should be assessed not just on their innovations, but also on their security posture,” said Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky.
“We can draw from our findings that customers are increasingly becoming aware of the value of technology to protect their finances online. In general, these security features are useful preventive measures that can potentially enhance the cybersecurity standards in the digital payments space,” Tiong added.
“However, these options should not be viewed in an isolated manner, but considered as part of a holistic cybersecurity framework.”
Security likewise remained a top priority when it comes to choosing a mobile e-wallet provider.
Around 58 percent of digital payment users in the SEA region said they will use an e-wallet that has extra security features like fingerprint and two-factor authentication.
More than a third, or 37 percent, said they will use banking apps or mobile wallets from providers that have not been engaged in any previous data breach or cybersecurity attack.
“A number of respondents also noted that mobile e-wallet has to be independent—can be used directly by a bank or through a third party (42%) or a closed one—linked to specific merchants, where users can only use the funds to make payments for transactions initiated with the specific merchant (35%),” said Kaspersky.
“Another set of considerations in choosing a digital wallet company included apps that should offer promos, cash back, lower transfer fees (49%); provide anonymity—users don’t need to reveal credit card details to too many merchants (35%); be bankless—bank account details not needed (25%) and be locally made (16%),” it added.
However, Kaspersky noted that the security features could still have their limitations.
SMS-based authentication, such as OTPs and two-factor authentication, could be unreliable at times since it can be intercepted by a Trojan—a type of malicious code or malware—inside the smartphone.
“[A] defect in the SS7 protocol used to transmit the messages,” Kaspersky said, can also disrupt SMS-based authentication.
Another method commonly used by cybercriminals was SIM swapping, wherein fraudsters trick banks to illegally obtain replacement SIM cards and use them for fraudulent activities—including the use of generated passwords sent to mobile numbers to access their victim’s bank account.
“With the complicated nature of securing apps and finances online, it is not surprising that over three in five (65%) of the respondents said that banks and mobile wallet companies should provide more incentives to maintain the security decorum – such as changing passwords regularly,” the cybersecurity firm explained.
“Another 60% noted that providers should educate users more about the threats online,” it added.
The study, after establishing the limitations of certain security features for mobile banking and payments, asked the respondents about the things they do to protect themselves—including their data and money—against malicious attacks and cybercrimes.
Results found that almost half, or 49 percent, of respondents said that while they understood the need for antivirus software to protect their money and data online, they also acknowledged the need to use some other software or services to receive full security.
“While it is encouraging that almost half of all respondents have developed an acute sense of awareness when it comes to protecting themselves when making an online transaction, almost a quarter (22%) felt that the use of antivirus software was sufficient, followed by 18 percent where respondents were uncertain or unaware about how antivirus could help them mitigate the risk of financial loss,” Kaspersky noted.
The firm also said that an alarming 12 percent of the respondents felt that antivirus software was not an essential tool in the fight against cyber threats.
“While antivirus solutions may not represent the catch-all solution to all cyber threats looking to steal our money and personal data, they should be understood as an effective safety net as most advanced solutions these days are able to filter out most of the generic attack vectors,” said Vitaly Kamluk, director of Global Research & Analysis Team (GReAT) for Asia Pacific at Kaspersky.
“In fact, the true significance of antivirus solutions should be best understood as an advanced warning system where the user can adopt containment strategies and alter their own personal protocols when it comes to digital payments,” Kamluk added.
Some of the most common personal steps taken by respondents to protect themselves from threats include:
- downloading apps from official app stores: 47 percent
- using additional layers of protection: 41 percent
- keeping a minimum amount of money in an account they use: 38 percent
- using devices with operating systems that they believe are the most secure: 35 percent
- changing passwords regularly: 30 percent
- using antivirus and/or other security solutions: 27 percent
- using a dedicated mobile device for all financial transactions online: 26 percent
- separating salary or main account in any mobile wallet applications: 36 percent
- using a dedicated laptop for all financial transactions online: 16 percent
Around three percent, however, said they have not done anything to protect themselves from financial threats online. Another two percent said they are not aware of how to protect themselves from financial threats online.
“There are no questions about the efficiency and convenience digital payments have to offer, with consumers wanting the same thing at every touchpoint of the online or offline purchasing journey,” Kamluk clarified.
“Businesses and individuals need to be quick to adapt to the new realities of a digital economy, and it is comforting to see that many have managed to pivot successfully to e-payments in such a short period of time,” he continued.
“However, the speedy adoption process of digital payments needs to be tempered with realism—one that takes into consideration some of the sentiments people have around trust if they want to strengthen and future-proof their digital payments architecture,” he added.
What should be done?
Just recently, 16 teachers from Metro Manila, Calabarzon (Cavite, Laguna, Batangas, Rizal, Quezon), Central Luzon, Negros, and Mindoro reportedly lost at least P26,000 to P121,000 each through unauthorized withdrawals from their payroll accounts in the Land Bank of the Philippines (LBP).
LBP, on the other hand, has denied any hacking incident in its systems and said that the teachers’ accounts were illegally accessed through phishing.
Last December, nearly 700 BDO Unibank accounts were hit by fraudulent transactions.
According to social media posts of some victims, they discovered that unauthorized fund transfers were made using their accounts to move money to a UnionBank of the Philippines (UBP) account of a certain “Mark Nagoyo.”
To avoid falling victim to ever-changing fraud and cybercrime techniques, especially amid the rise of mobile banking and online payments during the pandemic, Kaspersky has recommended that digital payment providers adopt the following measures:
- Ensure prompt patching and updating of software to prevent adversaries from penetrating the system.
- Implement high-grade encryption for sensitive data and enforce strong credentials and multi-factor authentication.
- Use effective endpoint protection with threat detection and response capabilities “to block access attempts, and managed protection services for efficient attack investigation and expert response.”
- Educate customers and employees on possible tricks fraudsters may use.
- Conduct annual security audits and penetration tests to find security issues in a company’s networks.
- Install a fraud prevention solution which can be quickly adapted for identifying new attack schemes and methods.
“While some of the preventive measures are not entirely new and have been around for some time, it is crucial to consider how security features can be integrated in a manner without compromising the user experience,” said Chris Connell, managing director for Asia Pacific at Kaspersky.
“Such a strategy should focus on quality, not quantity, as the addition of too many features may potentially put off new and existing users from their digital payment offering,” he added.
“What is required, is to track where the cybersecurity gaps are when it comes to each stage of the payment process, and fit in the right IT measures in a calibrated manner.”