(UPDATE) A TNG eWallet account allegedly “hacked”, RM3000 reloaded by card

[ UPDATE 7/03/2020 21:17 ] Touch ‘n Go Digital has updated that the case has been resolved quickly. The affected user has been provided with full compensation through Touch ‘n Go eWallet’s Money-back Guarantee Policy. Below is their statement in full:

Recently, a claim from one of our users was brought to our attention – that her Touch ‘n Go eWallet account has been compromised. In view of this, Touch ‘n Go eWallet has taken swift actions to investigate her case and we reached out to the affected user immediately.

Her case has been resolved and Touch ‘n Go eWallet has taken the necessary steps to recover her Touch ‘n Go eWallet account. In view of this, full compensation was provided to the user through the Money-back Guarantee Policy.

We would like to fully assure Malaysians that Touch ‘n Go eWallet is a safe & secure platform. We have enhanced security features such as our Money-back Guarantee safety policy in place to ensure that users are protected at every point of their transactions.

We would like to remind our users to always stay vigilant, and never share any personal details online or with anyone. As a precautionary measure, in the event that you notice any suspicious activities, please reach out to us through our official Facebook page at www.facebook.com/touchngoewallet/, or call our customer careline at 03-5022 3888. We thank you for your continuous support towards our Touch ‘n Go eWallet.

======

A Touch ‘n Go eWallet user in Johor claims that her eWallet account was compromised with reloads amounting to RM3,000 were performed within an hour. According to Apple Chong on Facebook, she was surprised to receive several Gmail notifications for eWallet reloads while she was working yesterday afternoon.

At first, she got a notification for a RM200 reload at 3:54 pm, and eventually, it kept on going until a total of RM3,000 was reloaded from her debit card. According to her attached police report, RM2,800 was deducted from her Public Bank savings account. However, it isn’t clear if there were any unauthorised retail transactions using her eWallet as it wasn’t mentioned in her report.

From her experience, she has urged users to take note about Touch ‘n Go eWallet’s saved card feature as anyone that has access to your account can easily perform instant reloads. Since her card was saved, the reloads were done automatically without any SMS verification required.

She has contacted Touch ‘n Go customer service and was told that she was fortunate to have her eWallet account verified. She also alleged that her mobile number details have been changed and that’s why she couldn’t log in to her TNG eWallet account.

No mandatory SMS verification for TNG eWallet login

It appears that someone has her mobile number and 6-digit pin to access her eWallet account. When we try it for ourselves, Touch ‘n Go eWallet doesn’t always perform an SMS verification when you log in to your eWallet on another device.

As a comparison, both Boost and Grab will send an OTP (One Time Pin) to your mobile number to verify that it’s you before you can use it on a new phone. The only time TNG eWallet sends an OTP is only after we tried logging in several times from multiple phones.

To change the mobile number for your TNG eWallet is fairly easy if someone knows your eWallet’s 6-digit pin and your IC number. By default, you’ll have to answer a security question but you can reset the questions and answers by entering the last 6 digits of your IC. The account’s mobile number can be switched without email validation or SMS verification to the old number.

TNG Money Back Guarantee

Since she has a verified TNG eWallet account, she should be able to get all of her money back. Touch ‘n Go has a Money Back Guarantee that provides full compensation for unauthorised purchases or reloads within 5 days after making a report. Although it is great that Touch ‘n Go has this policy, there’s still room for improvement when it comes to protecting users’ eWallet account. Perhaps they should enforce an OTP for every login on a new device. For the time being, it is best to use a 6 digit pin that is only known to you.

We’ve reached out to both Apple Chong and Touch ‘n Go Digital on the matter and we will update once we have more details.

[ SOURCE ]