Cybercriminals “hacked” into the accounts of several users of GCash, the popular digital payments app of Globe Telecom Inc., then siphoned off millions of pesos through a pattern of relatively small withdrawals and transferred the money to two recipient bank accounts late Monday night.
Affected users of the e-wallet—the Philippines’ most popular financial technology platform with 81 million users—made their disappointment known by flooding social media with posts about their concerns, especially after the GCash app became inaccessible until late Tuesday morning.
But a ranking Globe official, requesting anonymity because an internal probe was still ongoing as of press time, told the Inquirer that GCash foiled the attempts after the company detected the pattern of small withdrawals. The total amount of suspicious transactions was initially estimated at P37 million.
“This was averted by GCash, which immediately put a hold order on the transfers once the pattern was detected,” the official said.
The GCash app suspended its service around midnight and was restored around 10 a.m. on Tuesday, affecting millions of Filipinos who rely on the service for online shopping, settling bills at restaurants and even public transport fares on their daily commutes.
“The money is intact, and everything will be returned to our clients,” the official added, explaining that the company’s priority was to be proactive in its response so as to maintain the trust of its clients, especially with more Filipinos adopting digital payments since the start of the pandemic.
“We wish to reiterate that our customers did not lose their funds on GCash. Rest assured, your funds are intact, safe and secure with GCash,” the company said in an advisory.
Hacking or phishing?
The Globe official explained that the company decided to act after seeing successive “suspicious” transactions being transferred from GCash to only two accounts—one in East West Banking Corp. and the other in Asia United Bank (AUB), resulting in a freeze order issued by the firm.
The transfers initially looked “legitimate” but were later suspected of having been validated by the perpetrators using information gathered from users through phishing techniques, the Globe official said.
GCash denied that it was a hacking incident, explaining that a scheduled maintenance transpired on Monday evening but it had to be extended the next day after receiving complaints on balance deductions.
“We extended our scheduled maintenance to investigate and determined that no hacking occurred,” it said.
The e-wallet company, in response to the complaints, said it adjusted the account balances to reflect the right amount and this was completed by 3 p.m. on Tuesday as scheduled.
Account frozen
A well-placed banking source said about P9 million worth of questionable funds had been transferred from GCash to AUB on May 8.
Of these, AUB was able to hold P7 million, while P2 million had been withdrawn by the time the GCash alert was issued.
“We’re now investigating it,” one bank official said, adding that the account used to siphon the money has been frozen.
Privacy probe
In its official statement, AUB said it was alerted by GCash “on certain transactions that involved the transfer of funds via Instapay to an AUB account,” adding that it immediately acted on the notice.
Amid the denial from GCash that there was no hacking involved, the bank official asked, “if there wasn’t any hacking, how could the money have gone out?”
The banker said it was possible to file charges of Anti-Money Laundering Act violation against the owner of the bank account used in withdrawing the funds that came from GCash.
The National Privacy Commission (NPC) on Tuesday said it already started an investigation on the reports of suspicious GCash transactions.
A representative from the NPC told the Inquirer that their compliance and complaints investigation groups have already started a probe, ahead of the breach notification which has yet to be submitted by Mynt, the e-wallet’s owner and operator majority owned by Globe.
“We are monitoring the situation and we will provide a statement if we receive more information,” added the representative. “If there are personal data involved, they need to notify the NPC and the affected data subject within 72 hours upon knowledge of the breach.”
House inquiry sought
In Congress, Parañaque City Rep. Edwin Olivarez pushed for an inquiry by Congress on the reported missing funds in e-wallet accounts, specifically of GCash and Maya.
Olivarez filed on April 14 House Resolution No. 918, which sought an investigation in aid of legislation to protect and safeguard the public’s interest in the use of digital financial services. It was referred during Monday’s plenary session to the committee on rules.
He said that as of the first quarter of the year, there were more than 30 persons who lodged complaints at the Philippine National Police’s Anti-Cybercrime unit over missing funds in their e-wallets.
“While the number of complainants would appear to be insignificant as compared to the total number of e-wallet account holders, there is still a need to address the issue for the protection of the general public and to determine if there is a necessity for legislation to further safeguard the interest of the public,” he pointed out.
Wake-up call
Infrawatch PH convener Terry Ridon, in a message to the Inquirer, said this incident was a “wake-up call to GCash to make their platform more secure.”However, GCash said its “proactive cybersecurity policies are in place to protect our consumers.”
In March, GCash introduced the “DoubleSafe” security feature to prevent account takeovers, which allow hackers to drain a user’s e-wallet account.
The feature is activated for every first login to a new device by the user. It is backed by facial recognition, which prevents hackers from accessing the account despite tricking users into giving their mobile PIN (MPIN) and one-time PIN (OTP).
Prior to this, GCash has already been implementing two levels of authentication via OTP and MPIN.
—WITH REPORTS FROM DORIS DUMLAO-ABADILLA, ALDEN M. MONZON AND JEANNETTE I. ANDRADE INQ
RELATED STORY:
GCash foils P37-M hack try; seized funds to be returned to users