NPC: Phishing attacks, not hacking, behind GCash fiasco
MANILA, Philippines — Reports of unauthorized deductions in customers’ accounts at the popular e-wallet brand GCash were due to phishing attacks, according to the results of an investigation by the National Privacy Commission (NPC), dismissing earlier speculations that the digital platform was hacked.
The data privacy watchdog on Wednesday said this was based on an independent probe that it initiated on May 9 to determine the extent of the reported unauthorized withdrawals and find out if personal data were compromised as well as other potential violations of the Data Privacy Act of 2012.
“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme,” Privacy Commissioner John Henry Naga said in a statement.
“Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites such as ‘Philwin’ and ‘tapwin1.com,’” he added.
Phishing is the act of deceiving people into revealing sensitive information, either by having them input personal data in fake websites or apps, or by installing spyware (a type of malicious software that steals sensitive information) in devices without the user’s knowledge.
The NPC first held a clarificatory meeting with G-Xchange Inc. (GXI), a unit of Globe Telecom that manages GCash, wherein it collected the information gathered during GXI’s internal investigation and the measures the company had taken to address the incident.
The government agency said it raised concerns and requested additional information and proof from GXI so it could conduct an independent assessment and verify the company’s claims.
GXI then submitted on May 19 its compliance with the orders issued by the NPC.
“We have ordered GXI to intensify its education and awareness campaign to its clients to prevent similar incidents in the future,” Naga said.
The NPC added that it was committed to promoting a safe and secure digital environment for all Filipinos, but urged everyone to remain vigilant against phishing attacks.
Reports of unauthorized deductions surfaced in social media almost three weeks ago, fueling fears and igniting public uproar concerning the safety of using the popular e-wallet platform, which boasts 81 million users.
Seeing this, GCash said it acted and extended its scheduled maintenance period that was ongoing then, causing prolonged downtime and affecting millions of Filipinos who rely on the app for online shopping, settling bills and even public transport fares on their daily commutes.
A ranking Globe official, who had requested anonymity because an internal probe was still ongoing at that time, told the Inquirer that the total amount of suspicious transactions was initially estimated at P37 million.
The Globe official explained that they saw successive “suspicious” transactions being transferred from GCash to only two accounts—one in East West Bank and the other in Asia United Bank, resulting in a freeze order issued by the firm.
GCash has since come out with a statement pointing to phishing attacks as the culprit, noting that some users might have unknowingly shared their information to suspicious sites masked as legitimate brands or institutions.
The company said that it was also able to restore the original account balances of the affected customers within 24 hours.
It has likewise rolled out additional safety features to prevent a repeat of the incident by preventing hackers from illegally taking over accounts.
In a statement on Tuesday, GCash said its “DoubleSafe” Face ID feature was already available to 100 percent of its verified users.
It is activated for every first login to a new device by the user and is backed by facial recognition, which prevents hackers from accessing the account despite them getting the users’ mobile PIN and one-time PIN.
“The face recognition feature is built within the app and doesn’t require mobile phones with high-end features. We made sure all our verified user base will have access to this security feature as we notice the prevalence of phishing attempts outside the app,” said Pebbles Sy, chief technology and operations officer of GCash.
Apart from this, GCash said it has been foiling accounts and sites found to be engaged in fraudulent activity such as phishing.
The e-wallet service provider said it has blocked 3.1 million accounts, 722 phishing sites and 38,000 malicious social media posts tagged as fraudulent in the first four months of this year.