TNG eWallet thinks a mandatory One Time Password is unnecessary

Touch ‘n Go Digital has responded to our enquiries regarding a recent eWallet issue. Last Friday, a Touch ‘n Go eWallet user’s account was compromised and unauthorised reloads amounting to RM3,000 were made via her saved debit card.

According to TNG Digital, there was no compromise of any Touch ‘n Go eWallet system or technology and they maintain the highest standards of technology and security on its payment platform. After conducting their own investigations, they have discovered that the recent issue is a case of a phishing scam. Since the user has a verified eWallet account, Touch ‘n Go will provide full compensation under its Money-back guarantee policy.

The eWallet provider shared that the victims have so far revealed that they may have inadvertently given away their 6-digit PIN to strangers and many victims have admitted to using easily guessable 6-digit PINs. To keep its user accounts secure, TNG is now actively educating their customers to protect their 6-digit PIN and to change them if they are easily guessable.

As mentioned in our previous post, Touch ‘n Go eWallet does not require a One Time Password (OTP) for new logins on a different device. From our own testing, an OTP is required only after we tried logging in to our eWallet across different smartphones multiple times.

According to Touch ‘n Go Digital, there’s no request for OTP or two-factor authentication as users can transact as normal once they have logged in with their 6-digit PIN. For the recent incident, they added that it didn’t trigger an alert because the “suspicious activity” was not regarded as suspicious because the perpetrator had the user’s 6-digit PIN from the initial phishing attack. Upon successful login, he/she could transact as normal and according to TNG, this is the “usual customer experience”

TNG has also mentioned that they are reviewing their security protocols at the current stage. They emphasised that customers themselves play a big part in maintaining the security of their accounts as 91% of cyberattacks starts from phishing.

Although customers are responsible for keeping their account safe and secure, we still believe that there’s room for improvement by TNG Digital to prevent similar incidents from reoccurring. Yesterday, we’ve highlighted 4 key things that can be implemented to deter unauthorised access. A mandatory OTP for every new login on a new device would have made it harder for perpetrators from gaining access. Using a different password apart from the 6-digit PIN would also add an additional security layer. On top of that, the implementation of a fingerprint or facial recognition feature would also reduce the exposure of the 6-digit PIN.

Related reading