[ UPDATE 11/3/2020 21:00 ]: Touch ‘n Go Digital has responded to our queries on the recent eWallet incident.
====
Last week, a Touch ‘n Go eWallet user’s account was compromised, raising concerns about account security. According to her police report, the eWallet account became inaccessible and a total of RM3,000 was reloaded through her linked debit card.
Luckily for her, she will be getting her money back as she is covered by Touch ‘n Go eWallet’s Money-back Guarantee. However, Touch ‘n Go Digital didn’t provide many details about the incident and, most importantly, about what can be done to prevent it from happening again.
From our own evaluation, it appears that anyone can easily access a Touch ‘n Go eWallet account provided they have your registered mobile number and your 6-digit PIN. Here are 4 things that Touch ‘n Go eWallet should do to better protect its users’ accounts.
Stronger password for account login
At the moment, Touch ‘n Go eWallet relies on a 6-digit PIN to secure your eWallet login. This is the same PIN used both to log in and to authorise payments, which is a risk if someone watches you enter the 6-digit PIN while you make a payment at the counter.
Touch ‘n Go eWallet could use a separate password for account login, and this could be a more complex alphanumeric password. In the event that your 6-digit PIN is compromised, it would be harder for someone else to access your account, since logging in would require a different and more complex password.
This is the case for Boost eWallet, which uses a different alphanumeric password for its account login and also requires a One Time Password (OTP) to verify that it’s you. For Grab, you log in via an OTP sent to your mobile number, and with “Safer Login”, it also requires you to verify with either a Facebook or Google login.
Mandatory OTP for every login on a new device
From our experience, Touch ‘n Go eWallet doesn’t always require an OTP to sign in on a new device unless it deems the activity suspicious. From our trials last Saturday, we managed to log in to the same account on different phones without being asked for an OTP. Only after we had tried it multiple times were we warned that suspicious activity had been detected and an OTP was required.
Enforcing a mandatory OTP for every new device login would be a strong deterrent. Alternatively, this could be done via email verification, and TNG could also consider letting users enable Two-Factor Authentication (2FA) via Authy or Google Authenticator.
Fingerprint/Face Unlock for payment
Touch ‘n Go eWallet’s 6-digit PIN is crucial to keeping your eWallet safe, and you shouldn’t share it with anyone. However, it is hard to keep the PIN safe from prying eyes when you have to key it in in public to make a payment.
To make it both more convenient and more secure, Touch ‘n Go eWallet should enable biometric authentication such as Face ID or fingerprint authentication. Not only does this reduce the exposure of your PIN, it also makes payments easier.
Both Boost and Grab currently support Face ID or fingerprint authentication, and it’s about time for Touch ‘n Go eWallet to do so.
Better verification for mobile number change
From the recent incident, it is surprising that a person’s registered mobile number can be changed without the account holder’s knowledge. On Touch ‘n Go eWallet, you need to answer a secret question before you can enter the new number. If you don’t have the answer, anyone can reset it as long as they have the last 6 digits of your IC number.
The unauthorised number change could be prevented with another layer of verification. The eWallet could require an account password (if there was one in the first place) or an OTP verification via email or SMS.
For Grab, you can change your mobile number easily by just entering the 6-digit PIN, but the chances of a stranger doing so are rather slim, since a new device login requires an OTP and a Facebook/Google login. Interestingly, Boost doesn’t allow you to change your mobile number at all; the only way to switch is to register a new Boost account.
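To make the three controls above concrete (a login password separate from the payment PIN, a mandatory OTP the first time a device is seen, and password-plus-OTP before a mobile number change), here is an added, hypothetical account model written for this article. It is not Touch ‘n Go’s, Boost’s or Grab’s code; the Account class, the device IDs, the mobile numbers and the passwords are constructed for illustration. The OTP part implements standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), which is the scheme Authy and Google Authenticator use, and the test secret is the RFC’s published test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), the scheme behind
    Authy / Google Authenticator. secret_b32 is the Base32 shared secret."""
    key = base64.b32decode(secret_b32.upper())
    counter = int((time.time() if for_time is None else for_time) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, code, now=None, window=1):
    """Accept the current code or one step either side to tolerate clock drift."""
    t = time.time() if now is None else now
    return any(hmac.compare_digest(totp(secret_b32, t + k * 30), code)
               for k in range(-window, window + 1))


def _derive(secret, salt):
    # PBKDF2 so a leaked hash is slow to brute-force; a 6-digit PIN has only
    # a million possibilities, so it must never be stored unhashed.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    """Hypothetical eWallet account model (constructed for this example)."""

    def __init__(self, mobile, login_password, payment_pin, totp_secret):
        self.mobile = mobile
        self._pw_salt, self._pin_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self._pw_hash = _derive(login_password, self._pw_salt)   # alphanumeric login password
        self._pin_hash = _derive(payment_pin, self._pin_salt)    # 6-digit PIN, payments only
        self.totp_secret = totp_secret
        self.trusted_devices = set()   # device IDs that have completed an OTP once
        self.audit = []                # event log that fraud/SOC teams can alert on

    def _password_ok(self, password):
        return hmac.compare_digest(_derive(password, self._pw_salt), self._pw_hash)

    def login(self, device_id, password, otp=None, now=None):
        """The password is required on every login; an OTP is mandatory the
        first time a device is seen, regardless of any 'suspicious activity' score."""
        if not self._password_ok(password):
            self.audit.append(("login_failed", device_id, "bad_password"))
            return False
        if device_id not in self.trusted_devices:
            if otp is None or not verify_totp(self.totp_secret, otp, now):
                self.audit.append(("login_failed", device_id, "otp_required"))
                return False
            self.trusted_devices.add(device_id)
            self.audit.append(("new_device_enrolled", device_id))
        self.audit.append(("login_ok", device_id))
        return True

    def authorise_payment(self, pin, amount):
        """The PIN authorises payments only; knowing it does not log anyone in."""
        ok = hmac.compare_digest(_derive(pin, self._pin_salt), self._pin_hash)
        self.audit.append(("payment_ok" if ok else "payment_denied", amount))
        return ok

    def change_mobile(self, new_mobile, password, otp, now=None):
        """A number change is a high-value action: it needs the login password
        and a fresh OTP, not a secret question or the last digits of an IC number."""
        if (not self._password_ok(password) or otp is None
                or not verify_totp(self.totp_secret, otp, now)):
            self.audit.append(("mobile_change_denied", new_mobile))
            return False
        old, self.mobile = self.mobile, new_mobile
        self.audit.append(("mobile_changed", old, new_mobile))
        return True
```

The audit list is the part a defender would actually watch: a burst of `otp_required` failures from unknown device IDs, or a `mobile_changed` event shortly after a `new_device_enrolled` one, is exactly the pattern the incident above describes and is cheap to alert on once the events exist.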
We reached out to Touch ‘n Go Digital last Saturday to find out what really happened to the compromised eWallet account and whether any unauthorised transactions were performed after the reload. We’ve also asked if Touch ‘n Go will implement additional security measures and what users should do to increase their account security. At the moment, Touch ‘n Go eWallet has not responded to our enquiries, and we will update once we have more details.