Touch ‘n Go eWallet accounts got hacked to buy Steam game credits

It was recently reported that several teachers have incurred losses when their Touch ‘n Go eWallet (TNG eWallet) accounts got hacked. During a press conference organised by the DAP, one of the victims claimed to have lost nearly RM3,000 through three transactions made in a span of 7 minutes. To make matters worse, some of them had activated auto-reload which is linked to their bank accounts.

Based on a screenshot published by Kwong Wah Yit Poh, one of the accounts was used to purchased Steam Wallet credits based on the multiple RM300 transactions made for “Valve”. It was reported that about 20 teachers had fallen victim and demanded Touch ‘n Go to explain why hackers can allow such transactions without their permission.

DAP Public Complaints Bureau Chief Yew Jia Haur has urged other victims to come forward and make police reports. He also advised users not to use the first 6 digits of their identification card or date of birth as their eWallet’s 6-digit pin.

OTP and 6-digit pin

Following complaints and security suggestions made several years ago, Touch ‘n Go eWallet has made some changes to its security process which uses facial recognition, 6-digit pin, and OTP, but the process is inconsistent. It is worth highlighting that the TNG eWallet will only allow one active device and you’ll be logged out automatically if you log in on another phone.

If you try to log in to your TNG eWallet from a new phone, users with facial recognition enabled are required to scan their face and blink to prove that they are not a bot. If the face matches, they are required to enter an OTP that’s sent via SMS but if the facial recognition fails or cancelled, the app requests for a 6-digit PIN which is less secure.

From our tests, users without facial recognition are only required to enter their 6-digit pin to access their account. In some instances, if you try to re-login on the same device, you can access your account with just facial recognition, and there’s no need for further verification with 6-digit or OTP.

At the time of writing, TNG eWallet has not yet enabled fingerprint verification for its app. A fingerprint sensor feature would be useful on older devices to minimise exposure of the 6-digit pin in public when making a transaction. TNG has repeatedly reminded users not to use their date of birth, phone number, general numbers (e.g. 123456), and repeated numbers (e.g. 111111) to secure their eWallets.

TNG eWallet has a Money Back Guarantee which promises to refund your money within 5 days if your eWallet is charged with an authorised transaction. However, you must report the transaction to TNG within 60 days from the unauthorised transaction date. The compensation will be given within 5 working days upon investigation and confirmation.

Malware apps may be a culprit

Besides securing your account with stronger passwords, the type of apps you install may put your online banking and eWallet’s security at risk. There has been a rise of scams that uses APK files infested with malware to steal 2FA SMS codes. These malware apps will be able to access your SMS including OTP sent from your bank or eWallet providers, which will then allow the culprits to access your account.

It is advisable to only download apps from the Apple App Store, Google Play Store, and Huawei App Gallery. You should avoid downloading and installing random APK files that are sent by strangers or from untrusted app stores. Maybank has also put up a PSA to warn its customers not to install apps from unknown sources.

[ SOURCE 2 ]