This article first appeared in Digital Edge, The Edge Malaysia Weekly on January 24, 2022 - January 30, 2022

In a cashless society, many people opt to carry fewer physical notes in their wallets for fear of robberies. However, are people more trusting of digital payment apps such as e-wallets and willing to “carry” more money on these platforms?

According to a Kaspersky survey in October 2021, that isn’t the case either. The survey, which gathered responses from over 1,000 respondents in Asia-Pacific, found that 38% of them kept the amount of money in their accounts to a minimum and 26% did not connect their salary or main accounts to any e-wallet applications. Less than half of the respondents trusted digital payments fully.

The survey found that this unease in using digital payments in general stems from concerns about cybersecurity. And the risk is there. In Asia-Pacific, fake websites and phishing scams are among the biggest threats that users face.

“Cybercriminals will continue to make use of various tactics to scam e-wallet users. One such method is to trick them into downloading fake, legitimate-looking e-wallet apps, which are malware aiming to infect smartphones used for digital payments,” says Chris Connell, managing director at Kaspersky for Asia-Pacific.

But it is a misconception that ­e-wallets have low cybersecurity standards, say cybersecurity experts that Digital Edge interviewed. In Malaysia, e-wallet operators have to follow the cybersecurity standards set by Bank Negara Malaysia. E-wallets have safety measures in place, such as one-time passwords, PINs and biometric authentication.

So far, there have not been many e-wallet hacking incidents reported in Malaysia, says Fong Choong Fook, CEO of penetration testing company LGMS. 

“We haven’t seen many cases of criminals actively exploiting e-wallets as they do with e-banking. That may be because the amounts transferred aren’t too large now. E-wallet security is also very much tied to your phone’s security. As long as your phone is secure, your e-wallet should be too,” says Fong.

It is more tedious for hackers to cash out from e-wallets, he adds. They would have to transfer the funds to another e-wallet and then send it to a bank account. For that amount of trouble, the hackers may prefer to target banking apps instead.

The risks are enhanced if the hacker can gain access to one’s phone through malware. A user could have accidentally clicked on a phishing link, which downloads a spyware onto their phone, thereby allowing the hacker to read the user’s password and transaction authorisation code (TAC) sent through text.

“However, hackers can do the same for your e-banking app. It’s the same process but more lucrative … Maybe people have the perception that banks are more established and experienced in conducting investigations [into hacking incidents]. But from the technical perspective, the effort it takes to hack an e-wallet is more or less the same as a bank account, but it’s less appealing,” says Fong.

Some e-wallets allow users to save their card information or link their bank accounts to the e-wallet. If hackers are able to gain access to the e-wallet app, could this information be compromised? Fong says it is possible. 

But card and account transactions nowadays require two-factor authentication. So, unless the hacker has taken over the user’s phone with a spyware, the transactions may not go through. Some banks have gone a step further and are doing away with the TAC that is sent through text messages. 

“They either use a separate application or the e-banking app to do the authentication process. For instance, Maybank uses the Secure2u function [in the bank app] instead of relying on text messages. Hackers require more sophisticated malware to hack the bank app, whereas it’s easy to plant a spyware to read texts in your phone,” says Fong.

Even if hackers were to succeed in gaining access to the app, Fong says credit card transactions are protected, so the user can file a dispute and get compensated. Debit card fraud will be investigated by the bank. But for the latter, he says the fault is often on the end user, whose devices might have been infected by malware. “You cannot claim [for compensation] under those circumstances.”

That’s why Kaspersky’s Connell suggests that users link a credit card instead of a debit card to their e-wallet accounts. “Disputes are easier to settle if a malicious transaction involves your credit card. Banks have insurance schemes and a grace period that allow you to alert them, should you detect a suspicious transaction,” he says.

“We also suggest having an additional security layer by using a separate credit card meant only for spending through e-wallets. If it is compromised, you can easily terminate the card without affecting your main accounts.”

Compared to banks, are e-wallet operators less likely to implement technology to detect fraud and protect users against these risks? That’s not necessarily the case.

The Touch ‘n Go eWallet, for instance, is compliant with the Payment Card Industry Data Security Standard and utilises artificial intelligence to detect and prevent unauthorised transactions. 

It is also the only e-wallet in Malaysia with the “Money back guarantee” feature, whereby users who have suffered from unauthorised transactions can get their money back. 

“Our risk system is built upon Ant Financial’s world-class risk engine. It has proven to be very robust and secure,” says Alan Ni, chief operating officer of TNG Digital. The e-wallet also has facial recognition technology for verification.

Evidently, e-wallet operators also have the capability to implement technology to detect and prevent fraud. Mok Chee Yong, managing director of Cardtrend Systems, which provides digital payment authorisation and transaction processing solutions, has done that for e-wallet companies. 

“For instance, we can understand that a certain user usually performs transactions in the Klang Valley only. But within half an hour [of such a transaction], a new one occurs in Penang. The system would flag this transaction and alert the user,” says Mok.

E-wallet users should, in general, adhere to the best cybersecurity practices out there. This means not clicking on suspicious links to avoid phishing attacks and not revealing one’s TAC or passwords to others. 

“Avoid public WiFi when you carry out sensitive transactions. Don’t use your e-wallets in dodgy places,” says Fong.

Using strong passwords — and different ones across platforms — is also important. “Weak passwords could expose you to the risk of brute force attacks, where the hackers use special software to guess your password,” says Connell.

“Procrastinating on updates is a misstep that can help cybercriminals gain access … Use your own computer and internet connection when making payments online. Public computers could have spyware recording everything you type on the keyboards. This could also happen if a public internet connection has been intercepted by cybercriminals.”

As for e-wallet service providers, Fong observes that they will have to follow what the rest of the financial institutions are doing and keep themselves aware of the latest trends. The providers will have to keep testing their systems and be proactive in understanding the security landscape, keeping themselves and their customers informed about cybersecurity attacks, he says. 

Save by subscribing to us for your print and/or digital copy.

P/S: The Edge is also available on Apple's App Store and Android's Google Play.