Users remain the weakest link

For about a thousand or more GCash users, May 8 is a day they will likely forever remember. On this day, their GCash wallets were stripped clean save for less than a hundred pesos.

If we are to believe GCash, Globe’s electronic wallet or mobile payment operator, all the money that had surreptitiously been siphoned off from their GCash holders’ wallets on that day were returned by 4 in the afternoon of the following day after a series of actions, including suspending its operations for a few hours starting midnight of May 9.

Based on the statements of GCash on the incident, we can assume that the fraudster or fraudsters involved were able to successfully mine the target GCash accounts, but not to spirit away the illegally transferred monies to the suspicious accounts at EastWest Bank (EWB) and Asia United Bank (AUB).

Swift action on the parts of GCash and the two banks that halted any withdrawal activities from the two involved numbered accounts, EWB’s ending in 5239 and AUB’s ending in 3008, likely prevented the full consummation of a crime.

Had the money (some estimates were at about P2 million) been successfully withdrawn, this ultimately would have been the subject of contention and possible litigation between GCash users and the involved financial institutions.

Weakest link

What the reportedly foiled incident tells us is that cybercriminals are relentless in pursuing activities that can earn them some money, even chump change if we are to surmise from the amount involved. Once again, one of the weakest links that allow fraudsters to successfully pull off a crime would be the user itself.

GCash is already standing pat on its conclusion that a phishing attempt had been successful pulled off between the cybercriminal and wallet owners. GCash’s internal investigation supposedly showed that account holders had unwittingly exposed themselves by clicking on some cleverly disguised links used as bait by phishing masterminds.

Many of the targets were GCash holders who access the internet a lot through their mobile phones, mainly on gaming sites where distractions while playing could have resulted in failure to distinguish suspicious from legitimate sites.

Of course, the targeted victims were also those who left an amount that supposedly many GCash users don’t leave in their accounts for long periods of time. Many of the more cautious GCash account holders, for example, simply top up their wallets when they need to make a purchase, and leave just a few pesos that often amounts to loose change.

Outside of mobile wallets, many successful banking cybercrimes were also the result of user mistakes. Again, such are usually successfully pulled off when the target of an attack clicks on the link that allows the fraudster to mine personal information that could open up to a successful hack.

In such cases, bank account holders are often not able to get back their money, amounts that often run to the hundreds of thousands. Definitely, the use of digital banking has made users more vulnerable to successful attempts, unlike those days when criminals could only forge check signatures to try to rob accounts.

Growing e-commerce

GCash, being the leading and preferred e-commerce payment method in the Philippines, is the most vulnerable to attacks, especially with the growing popular habit of micro and small entrepreneurs to accept payments through customer e-wallets.

GCash now has over 80 million registered users while its closest rival, Maya, is still miles away. Aware of this vulnerability, GCash has been investing and rolling out new features in its infrastructure hardware and software to ward off internal attacks, known as hacking, and to protect customers against a variety of fraudulent initiatives.

Cybercriminals, however, are becoming more creative in their executions of phishing that even the most astute e-commerce user can unwittingly fall for. The world over, governments are racking their brains to come up with laws and measures that will discourage, accost, and penalize such law breakers. Except for really big cases, petty criminals are often given lower priority in investigations and pursuits.

Despite the risks, digital payment transactions like GCash and Maya are gaining popularity in the Philippines where formal banking penetration remains low despite the central bank’s campaigns for financial inclusiveness.

Filipinos have exhibited a relatively fast adoption to nonbank fintechs despite the potential risks. High-profile incidents like the recent one involving GCash and CWB/AUB may have given pause for many users in using their mobile wallets, but the conveniences offered will not keep Filipinos from totally abandoning the use of digital payment channels.

GCash and others are striving hard to remain relevant to consumers’ lives despite the razor-thin margin levels, and increased usage through a variety of new products, as well as partnerships with banks and other finance institutions, that can provide the necessary profits.

Of course, the Bangko Sentral ng Pilipinas (BSP) is closely watching such innovative offerings to ensure that consumers are not unduly exposed to risks. For example, GCash is now into savings with CIMB Bank as a partner. GCash has also moved into investments in money-market funds and listed unit investment trust funds (UITFs) at very low initial starting amounts.

Other opportunities that could be used include lending or remittances, as is popular now in Africa and India, or prepaid phone services or online gaming in Vietnam. Again, regulatory oversight, as well as strict adherence to know-your-customer (KYC) guidelines for banking transactions and SIM registration for mobile phone ownership, should be better observed.

Our government must try to be always one step ahead if it truly believes that e-commerce will be one of the best ways to bring Filipinos to inclusion in the financial system.

Facebook and Twitter

We are actively using two social networking websites to reach out more often and even interact with and engage our readers, friends and colleagues in the various areas of interest that I tackle in my column. Please like us on www.facebook.com/ReyGamboa and follow us on www.twitter.com/ReyGamboa.

Should you wish to share any insights, write me at Link Edge, 25th Floor, 139 Corporate Center, Valero Street, Salcedo Village, 1227 Makati City. Or e-mail me at [email protected]. For a compilation of previous articles, visit www.BizlinksPhilippines.net.