PETALING JAYA: Transactions involving cashless payment cards should be verified in real time to prevent fraud, as criminals are exploiting weaknesses in older systems that store balances directly on the card, experts say.
Cybersecurity specialist Chuah Kee Man explained that many contactless cards function like a wallet rather than a bank account.
“It’s like keeping cash in your wallet versus having money in a bank account. If someone can tamper with your wallet, they can change how much ‘money’ is in it.
“Plus, older encryption on these cards isn’t that strong by today’s standards,” he said when contacted yesterday.
Chuah added that a more secure approach would be to store the balance on a computer server rather than the card’s chip.
“Instead of storing your RM50 balance on the card, the card should just be an ID that says ‘this is John’s card’ and the actual RM50 is stored safely on a server.
“Like how debit and credit cards work, the amount is not stored in the card itself.”
According to him, fraudsters are likely using radio frequency identification (RFID) readers and writers to manipulate balances.
“They read the card’s data, figure out where the balance is stored, then write a higher amount back onto it. It’s like editing a text file but on a chip,” he said, adding that such tools are readily available.
“Pretty easy to find, unfortunately. You can buy RFID tools legitimately for ‘security research’ or ‘educational purposes’ from many online stores.
“There are also dodgy versions with pre-made software for card fraud circulating on online forums or chat groups.”
He advised consumers to stay vigilant, check their balance regularly through the official app and only top up at legitimate places.
“If something looks off with the balance, report it straight away. Honestly, this is more of a system-level problem that users can’t fully protect against, but staying alert helps,” he said.
Technology lawyer Izwan Zakaria, founder and managing partner of Izwan & Partners, said Malaysia already has strong laws for operators to comply with industry standards.
However, he said enforcement still requires vigilance, adding that regulatory oversight and consumer awareness must go hand in hand to protect the integrity of Malaysia’s cashless ecosystem.
“It’s about how the users use it. That’s a bit challenging because anyone can go buy such a card,” he said, warning that operators may face additional risks beyond fraud.
“The challenge is on the operators’ side because we don’t know where the money is coming from - it could be laundered money being moved around,” he said.
Izwan suggested setting limits on how many cards a single person can buy, as well as imposing thresholds on balances.
“There should be a limit on how many cards one person can purchase.
“Maybe operators would also want to enhance controls for certain threshold amounts, like the card itself should probably have a limit, say a maximum of RM1,500.”
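The server-side design Chuah describes (the card is only an identifier, the balance lives on the server), the real-time verification called for at the top of the article and the RM1,500 balance cap Izwan mentions, brought together as an added Python sketch. This is illustrative code written for this page, not any operator's system or code from the people quoted: the card IDs, owner IDs, the `Ledger` API and the per-person limit of three cards are constructed for the example; only the RM1,500 figure comes from the article.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional

# Constructed policy values for this example. RM1,500 is the ceiling
# suggested in the article; the per-person card limit is an assumed figure.
CARD_BALANCE_CAP = Decimal("1500.00")
MAX_CARDS_PER_PERSON = 3


@dataclass
class Decision:
    approved: bool
    reason: str
    server_balance: Optional[Decimal] = None


@dataclass
class Ledger:
    """Server-side ledger: the card carries only an ID, the balance is kept here."""
    balances: Dict[str, Decimal] = field(default_factory=dict)
    owners: Dict[str, str] = field(default_factory=dict)   # card_id -> owner_id
    alerts: List[str] = field(default_factory=list)

    def issue(self, card_id: str, owner_id: str) -> bool:
        """Issue a zero-balance card, refusing once the owner holds the maximum."""
        if card_id in self.balances:
            return False
        held = sum(1 for owner in self.owners.values() if owner == owner_id)
        if held >= MAX_CARDS_PER_PERSON:
            self.alerts.append(f"{owner_id}: card limit reached, {card_id} not issued")
            return False
        self.balances[card_id] = Decimal("0.00")
        self.owners[card_id] = owner_id
        return True

    def top_up(self, card_id: str, amount: Decimal) -> Decision:
        """Top-ups change the server balance only; nothing is written to the chip."""
        current = self.balances.get(card_id)
        if current is None:
            return Decision(False, "unknown card")
        if amount <= 0:
            return Decision(False, "invalid amount", current)
        if current + amount > CARD_BALANCE_CAP:
            return Decision(False, "balance cap exceeded", current)
        self.balances[card_id] = current + amount
        return Decision(True, "topped up", self.balances[card_id])

    def authorize(self, card_id: str, amount: Decimal,
                  reported_balance: Optional[Decimal]) -> Decision:
        """Real-time authorization at the terminal.

        The terminal forwards the card ID, the purchase amount and, for legacy
        cards that still hold a balance on the chip, the value the chip reports.
        The decision is always taken from the server's ledger; the chip's figure
        is only compared against it so that an altered card is caught and logged.
        """
        current = self.balances.get(card_id)
        if current is None:
            return Decision(False, "unknown card")
        if reported_balance is not None and reported_balance != current:
            # Chip disagrees with the ledger: decline, record for investigation,
            # leave the server balance untouched.
            self.alerts.append(
                f"{card_id}: chip reports {reported_balance}, ledger has {current}")
            return Decision(False, "balance mismatch", current)
        if amount <= 0:
            return Decision(False, "invalid amount", current)
        if amount > current:
            return Decision(False, "insufficient funds", current)
        self.balances[card_id] = current - amount
        return Decision(True, "approved", self.balances[card_id])


def demo() -> Ledger:
    """Normal purchase, a chip whose balance disagrees with the ledger, an over-cap top-up."""
    ledger = Ledger()
    ledger.issue("CARD-0001", "person-A")                              # constructed IDs
    ledger.top_up("CARD-0001", Decimal("50.00"))
    ledger.authorize("CARD-0001", Decimal("20.00"), Decimal("50.00"))   # approved, RM30 left
    ledger.authorize("CARD-0001", Decimal("20.00"), Decimal("500.00"))  # chip claims RM500: declined
    ledger.top_up("CARD-0001", Decimal("2000.00"))                      # over the RM1,500 cap
    return ledger


if __name__ == "__main__":
    result = demo()
    for card, balance in result.balances.items():
        print(card, balance)
    for alert in result.alerts:
        print("ALERT", alert)
```

The point of the design is that a terminal never trusts the chip for the amount: the server's record decides, and any disagreement between the chip and the ledger becomes an alert for the operator rather than a successful purchase. The per-person card count and the RM1,500 cap are enforced at the same server, where they can actually be seen across all cards a person holds.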
