This week’s story of a man who got his phone hacked by thieves to make fraudulent purchases should give pause to everyone who’s embracing online shopping.
When 47-year-old Philip Loh found that he was swept up in a scam last September, it was already too late for him to reverse the credit card charges.
His bank, United Overseas Bank, is now insisting that he pay S$5,000 of the more than S$12,000 that hackers likely spent on plane tickets in Eastern Europe after they stole his information.
The bank argues that its security systems were not compromised. This includes the one-time password (OTP) that was sent to the user’s phone, as an additional security measure.
If there’s one lesson here, it’s that the crooks have caught up with the technology. It is no longer as safe as it once was to have a password sent to your phone to verify an online purchase with your credit card.
A report out of China this week claims that over 370 million phone users were hit by malware in 2015, and the number is still rising. Indeed, phones have become the main channel for fraud, cautioned Qihoo 360, a China-based security software provider.
In Loh’s case, what could have happened is that hackers accessed his phone and stole the one-time passwords it received as SMSes whenever an online purchase was attempted. The perpetrators then approved the transactions with these passwords.
This meant the cyber criminals had access to both his credit card details and the “second-factor” authentication device – his phone – that provided an additional layer of security.
Such break-ins were seen in the past as too much trouble for cyber criminals because they involve hacking into several devices. However, as financial institutions and consumers have tightened up security over the years, the crooks have upped their game too.
Opportunity is knocking too. With people buying more things on their phones and storing important information on them, it’s natural that these devices will become the next big target for hackers.
Sure, you can avoid becoming a victim, say, by not downloading software from dubious sources or clicking on links that take you to websites that infect your phone with malicious code.
But it’s also time to rethink the use of SMS passwords, which are now routinely sent to phones that are often open to tampering.
This is one reason why banks will force you to use your physical token when transferring large amounts of money online. Similarly, if you add a new payee, for example, you will be challenged again for another password.
These are measures that make it a lot harder for criminals to break into your account and steal money online. In particular, a hardware token – one you physically hold in your hands – is less likely to be tampered with than a PC or phone that’s connected to the Net all day.
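The step-up logic described in the two paragraphs above can be stated as a server-side policy: a large transfer or a new payee must be approved with the physical token, while a routine small payment to a known payee may still use an SMS one-time password, and a code from the wrong channel is refused even when it is correct. The following Python is an added illustration written for this page, not code from the article or from any bank. The threshold, the account fields, the sample payee names and the `make_sample_account` helper are constructed for the example; the token side uses HOTP as specified in RFC 4226, with its published test secret standing in for a real token seed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed policy threshold (hypothetical; a real bank sets its own limits).
LARGE_TRANSFER_THRESHOLD = 1000.00  # above this amount the physical token is mandatory


@dataclass
class Account:
    known_payees: set = field(default_factory=set)
    hotp_secret: bytes = b""  # shared secret of the customer's hardware token
    hotp_counter: int = 0     # next counter value the server expects from the token


def required_factor(account: Account, amount: float, payee: str) -> str:
    """Return the second factor to demand, following the two step-up triggers
    named in the column: a large transfer or a payee not seen before goes to
    the physical token; a routine small payment to a known payee may use SMS."""
    if amount > LARGE_TRANSFER_THRESHOLD or payee not in account.known_payees:
        return "hardware_token"
    return "sms_otp"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_hardware_token(account: Account, code: str, look_ahead: int = 5) -> bool:
    """Accept a code only if it matches one of the next `look_ahead` counter
    values, then move the counter past it so the same code is never accepted
    twice: a replayed code fails."""
    for c in range(account.hotp_counter, account.hotp_counter + look_ahead):
        if hmac.compare_digest(hotp(account.hotp_secret, c), code):
            account.hotp_counter = c + 1
            return True
    return False


def authorize(account: Account, amount: float, payee: str, factor_used: str,
              code: str, sms_code_issued: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a transaction proceeds. Returns (approved, reason).

    The first check is the important one: a code from the wrong channel is
    refused even if it is correct, so an SMS OTP read off a compromised phone
    cannot approve a transaction the policy reserved for the hardware token."""
    needed = required_factor(account, amount, payee)
    if factor_used != needed:
        return False, f"step-up required: {needed}, got {factor_used}"
    if needed == "hardware_token":
        ok = verify_hardware_token(account, code)
    else:
        ok = sms_code_issued is not None and hmac.compare_digest(sms_code_issued, code)
    if ok and payee not in account.known_payees:
        account.known_payees.add(payee)  # a payee becomes "known" only after token approval
    return ok, "approved" if ok else "second factor rejected"


def make_sample_account() -> Account:
    # Constructed sample: the RFC 4226 test secret stands in for a real token seed.
    return Account(known_payees={"utility-co"}, hotp_secret=b"12345678901234567890")


if __name__ == "__main__":
    acct = make_sample_account()
    # Small payment to a known payee: the SMS OTP suffices.
    print(authorize(acct, 30.00, "utility-co", "sms_otp", "482913", sms_code_issued="482913"))
    # Large transfer offered with a correct SMS OTP: refused, token required.
    print(authorize(acct, 5000.00, "utility-co", "sms_otp", "482913", sms_code_issued="482913"))
    # Same transfer with the token's first code: approved; replaying that code fails.
    print(authorize(acct, 5000.00, "utility-co", "hardware_token", hotp(acct.hotp_secret, 0)))
    print(authorize(acct, 5000.00, "utility-co", "hardware_token", hotp(acct.hotp_secret, 0)))
```

The design point is that the server, not the customer, decides which channel is acceptable for a given transaction, and it records the token counter so that a code observed once cannot be reused. The SMS path is deliberately kept for low-value payments to known payees only, which is the compromise the column describes banks making.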
But will users always favour a token over SMS? Imagine if you had to go dig up your token whenever you wanted to buy cinema tickets or some groceries online.
Tokens can be a pain to use – particularly if you have too many of them. Plus, you may not carry a token with you everywhere. What if you’re travelling and need to transfer some money? You might have to turn up at the bank.
The dilemma is a familiar one: security versus convenience. For a long time, SMS passwords have proven to be a good barrier against fraud (they are better than a card number and expiry date alone). They are convenient too.
Yet, this practice is becoming less trustworthy as hackers find new ways to break into smartphones. They will only get more sophisticated as their tools become more widespread.
The question for consumers, as more of them turn to the phone as a mobile wallet, is whether they value convenience or security more. What kind of compromise would they accept?