PETALING JAYA: While cybersecurity may not be a foolproof solution to online financial scams, experts say there are a few extra measures that can be taken by banks to beef up protection.

Cybersecurity expert and LE Global Services Bhd managing director Fong Choong-Fook said the most effective way to protect consumers is awareness, as at this juncture there is no effective way to fight online crime with technology.

However, he noted there are a few extra protection measures which could be adopted by banks, such as moving away from SMS one-time passwords (OTPs) for authentication of transactions.

This is one of the measures that Bank Negara is effecting in its stepped up efforts to fight online financial crime (see “Putting the brakes on cybercrime” on P5).

“Moving out of OTP is good because currently all the malware is trying to read SMS texts. As long as we move away from SMS, the risks will be less,” he said.

He said some banks have already adopted the more secure Soft Token application for authentication; this is a software-based security token that will generate a single-use login PIN (personal identification number) instead of an OTP for transactions.

“It is not easy for hackers to hijack the soft token application, he said, though he believes new forms of attacks by scammers will emerge when the OTP system is abolished.

He said banks could also do pattern analyses of user transactions, so unusual transactions differing from the usual pattern would trigger checks.

However, he conceded that this is easier said than done.

Although hotlines could be abused by imposters and disrupters, he said it is still important for financial institutions to have an effective hotline system through which consumers can reach out quickly.

“The other thing the bank needs to do is identify mule accounts because scammers transfer their stolen money out to mule accounts,” he said.

If banks could quickly identify mule accounts at a very early stage, they could at least freeze those accounts and attempt to recover the money, he added.

He said it is important for banks to collaborate closely and share intelligence because illegal funds are likely to be transferred from one institution to another.

Consumers must do their part too. It is essential to ensure devices are protected with anti-virus software to prevent malware getting through to phones and computers, he said.

Concurring with Fong, Universiti Sains Islam Malaysia’s Prof Datuk Dr Mohamed Ridza Wahiddin said, from a technological point of view, an SMS-based OTP system is the least secure of all authentication methods.

“It is susceptible to a ‘man-in-the-middle’ attack as well as social engineering. Advanced countries are now considering Fast Identity Online [Fido] to replace the former,” said the chairman of the Information Technology & Computer Science Discipline at Akademi Sains Malaysia.

(A “man-in-the-middle” attack is when a scammer positions himself in a conversation between a user and an application to impersonate one of the parties, making it appear as if a normal exchange of information is underway.)

He also agrees that it comes down to users themselves to keep safe: “End-users must increase their awareness of phishing and social engineering threats, and consequently take action on how to alleviate them,” he said.

Federation of Malaysian Consumer Associations (Fomca) chief executive officer T. Saravanan said banks should have beefed up security a long time ago.

“Bank Negara’s intervention shows that there are some weaknesses in the security, such as transaction authorisation codes or OTPs, blocking transactions and others,” he said.

Banks are generating income from people’s money, so their number one priority should be to protect their money.

“Banks need to invest more in security improvements,” he said, adding that Fomca agrees with and supports Bank Negara’s guidelines.

He said banks should also play an important role in educating their customers about banking security.

“Many elderly customers and rural consumers are overlooked as they are not digitally savvy and eventually fall into traps,” he said.

“We hope banks will improve their customer service hotline and (take) quick action to resolve these consumer issues.”

He added that banks should do away with unnecessary advertisements when customers call their service lines, as they waste a lot of time.

Meanwhile, to avoid falling victim to scams, the Consumers Association of Penang’s (CAP) senior education officer, NV Subbarow, said consumers need to be wary of online purchases.

“We would advise them to buy from legitimate online shopping platforms and avoid buying things from social media,” he said.

He pointed out that if anything goes wrong with a legitimate shopping platform transaction, it is possible for the consumer to take the case to the relevant authorities, such as the Domestic Trade and Consumer Affairs Ministry or the Tribunal for Consumer Claims.

“If a person is scammed through social media, the person has to lodge a police report for investigation first and, if it is really a scam, the shop or person might not have existed at all,” he said.

The Star’s front page story yesterday reported that the government is looking at a comprehensive law to bring online businesses under closer control.

A task force is conducting a review to pave the way for a new licensing mechanism, with existing regulations to be amended.

Deputy Domestic Trade and Consumer Affairs Minister, Datuk Rosol Wahid, said the ministry is mulling a special licence for online businesses to protect consumers from scams.