The system glitch that recently hit GCash became a huge issue not only on social media but also in the finance community. On May 8, several GCash users complained that they had lost money from their GCash accounts. The funds were allegedly transferred to accounts in EastWest Bank and Asia United Bank (AUB).
The mobile wallet app, which has more than 81 million users, responded at once to the complaints via its Facebook and Twitter accounts, assuring customers that any funds deducted from their accounts would be adjusted before 3 PM the same day. Later, it posted an announcement saying the “e-wallets of affected GCash users have already been adjusted” and that “customers may safely proceed with their regular transactions.”
Both the Bangko Sentral ng Pilipinas (BSP) and the National Privacy Commission (NPC) said they are probing the alleged unauthorized fund transfers and possible breach of personal data. GCash insists the “glitch” was not a hacking incident and told media they are working with BSP and NPC, providing them with necessary information to deter “illegal phishing activities.”
The incident has raised questions that need immediate answers: Are digital wallets safe to use? How can we protect ourselves and our hard-earned money from fraudsters? These concerns, among others, were addressed in veteran business journalist Salve Duplito’s online talk show “Salve Says.”
Phishing vs hacking
Two terms that came up in the GCash discussion were phishing and hacking. According to this website, “phishing is a type of cybersecurity attack during which malicious actors send messages pretending to be a trusted person or entity.” Notice the tons of messages we get lately from unknown numbers via SMS, messaging apps, and social media? People offering jobs or telling us we won the jackpot in a contest we didn’t join? Those are among the tactics of threat actors, or people who intend to cause harm in the digital sphere. They manipulate users to “install a file, click a link, or divulge sensitive information such as access credentials.”
Lito Villanueva, the founding chairman of FinTech Alliance.Ph, says giving a stranger your secret financial information such as an OTP (one-time password) can be likened to handing out the key to your home. By sending your OTP, you are already giving that person access to your funds.
Hacking, on the other hand, “is the act of gaining unauthorized access to data in a system or computer.” Oliver “Olie” Liggayu, who does consultancy work for a Singapore-based cybersecurity company called Cyfirma, says if a system is hacked, what usually happens is that even the IT staff of a company cannot penetrate or access their own system.
Villanueva says a company usually has its own internal measures and risk-mitigating processes supposing its system is hacked. What cybersecurity companies do is prepare and alert them ahead of time of the possibilities that can happen in their industry and equip their system with tools to protect it from hackers. He says it is important for companies to always put their defenses up.
What’s good with GCash, noted Liggayu, is that it was alert, responsive, and proactive. “When they said the funds that were lost would be returned by 3 o’clock, they were returned ahead of time. So the commitment they gave, they really stood by it; they found a way and it was really fast. In cases like this, action really has to be fast,” he said.
Supposing a digital bank’s system is hacked, can a customer still recover his funds? It would ultimately depend on the result of the investigation, said Villanueva. “They will find out the root of it, what happened. And if it is proven that [the bank] fell short, the money really must be returned,” he said. However, there are also instances where the customer provided the threat actor his OTP—in other words, the customer authorized the transfer of his own funds. In this case, the bank cannot be obliged to return lost funds.
Are e-wallets safe?
“Yes,” said Liggayu. Before they became digital banks and had their licenses approved, these companies had to pass the BSP’s rigorous tests. The level of safety varies from bank to bank and website to website, however, added Liggayu. Companies should invest in cybersecurity measures because this equates to the value of their business. “Once trust is broken, you no longer have a business.”
Villanueva agreed. “Definitely [e-wallets] are safe,” said the digital finance advocate. “The industry, together with the BSP, is really upholding that.”
The BSP, he offered, has twin goals in the digital payment transformation roadmap: to convert at least 50% of retail financial transactions to digital, and to onboard at least 70% of adult Filipinos to the formal financial system by the end of this year. The good news, he said, is that we will be able to surpass those targets before 2023 ends. The ultimate goal, according to Villanueva, is to uplift the Philippine economy by including the unbanked or underserved Filipinos in the formal financial system.
The digital banking industry needs to keep in mind four important pillars, said Liggayu. First, train and educate its people on the possible things that fraudsters can do. Second, keep digital technology tools up to date. Third, make sure there are efficient processes in place to ensure fraudulent activities are monitored. Lastly, establish good governance and work with regulators in the industry. “If these four pillars are there—people, technology, process and governance—that finance app should be trustworthy enough,” he said.
For Liggayu, digital banking companies should continue to upgrade their systems as threat actors get more and more creative these days. “It shouldn’t just be reactive,” he stressed.
However, no matter how banks strive to protect all their customers, “There is always a weakness, which boils down to the person,” said Liggayu. “Because processes now, especially with tech, adapt quickly. The problem is that people are the ones left behind. So we have to continually educate ourselves. Let us have a security-conscious mindset. Trust but verify.”
[Veteran business journalist and financial literacy advocate Salve Duplito also hosts "Diskarte" on Teleradyo every Friday 4pm to 5pm.]