E-payment security wish list
Two-thirds of Asean consumers want one-time passwords for every transaction, says Kaspersky study
Published: 15 Feb 2022 at 04:00
newspaper section: Business
As consumers in Southeast Asia become increasingly aware of the importance of safeguarding their financial data, they want to see additional security features offered by banks and mobile wallet providers, says a study by the online security firm Kaspersky.
The survey, conducted by YouGov in July 2021, found that 67% of users of digital banking and e-wallet apps in Southeast Asia prefer to receive a one-time password (OTP) by SMS for every transaction.
A majority of the respondents also want to see two-factor authentication (57%) as well as biometric security features like facial or fingerprint recognition (56%).
OTPs are the top priority for consumers in most Southeast Asia countries -- including Indonesia (67%), Malaysia (66%), the Philippines (75%), Thailand (63%) and Vietnam (74%) -- except Singapore where two-factor authentication had slightly more support (65%).
Digital payment customers also welcome the use of machine learning in combating social engineering attacks. Some 40% of respondents said companies should start preventing fraud and scams automatically, based on spending behaviour and/or transfer history.
Some 28% of respondents also said that tokenisation, the practice of protecting sensitive data such as a card number by replacing it with a generated substitute value called a token, can augment the security of mobile banking and e-payment applications.
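To make the tokenisation idea concrete, here is an added example in Python; it is not code from the article or from Kaspersky. It models a minimal token vault: the card number (PAN) is exchanged for a token whose body is random, so the token carries no information about the PAN and only the vault can map it back. The format choices are assumptions for this illustration: the token keeps the card's last four digits (the part merchants usually display), is the same length as the PAN, and is deliberately made to fail the Luhn check so it cannot be mistaken for a live card number. The in-memory dictionaries stand in for a real protected store, and 4111 1111 1111 1111 is a standard test card number, not a real account.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only copy of the PAN <-> token mapping.

    Everything outside the vault (merchant systems, logs, receipts) sees the
    token only. Because the token body is random rather than derived from the
    PAN, a leaked token cannot be reversed without access to the vault itself.
    In-memory dicts are an assumption standing in for a protected data store.
    """

    def __init__(self) -> None:
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a syntactically valid card number")
        if pan in self._pan_to_token:           # same card always yields the same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]             # keep last four digits for display
            # Reject a token that equals the PAN, collides with an existing
            # token, or happens to pass Luhn (so it can't look like a real card).
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (and whatever is authorised to call it) can recover the PAN."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"          # constructed: standard test card number
    tok = vault.tokenize(test_pan)
    print("token for merchant:", tok)
    print("recovered in vault:", vault.detokenize(tok))
```

The point of the example is the separation of trust: a merchant database full of tokens is worth far less to an attacker than one full of PANs, and the vault becomes the single component that has to be hardened and audited.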
"The sheer market size of Southeast Asia in terms of digital payment offers a lengthy runway for expansion," said Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky.
"In a competitive sector, payment companies should be assessed not just on their innovations, but also on their security posture. We can draw from our findings that customers are increasingly becoming aware of the value of technology to protect their finances online.
"In general, these security features are useful preventive measures that can potentially enhance the cybersecurity standards in the digital payments space. However, these options should not be viewed in an isolated manner, but considered as part of a holistic cybersecurity framework."
The usage of two-factor authentication, for example, has its limitations, particularly when it comes to SMS-based authentication.
SMS messages carrying a one-time password can be intercepted by a Trojan running on the smartphone, or through weaknesses in the SS7 signalling protocol that carries mobile messages, which makes SMS-based two-factor authentication unreliable at times.
In such cases, Kaspersky experts say, it is advisable to use self-contained authenticator apps, which generate the code on the device itself, and to fall back on SMS only as a last resort, limiting a company's exposure to data breaches.
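What "self-contained" means in practice is shown by the following added Python example, which is not code from the article or from Kaspersky. It implements the standard authenticator-app scheme (HOTP from RFC 4226 and its time-based variant TOTP from RFC 6238): the phone and the server share a secret once at enrolment, and every later code is computed locally from that secret and the current time, so nothing crosses the mobile network to be intercepted. The server side shows the three checks a practitioner would want: a drift window, a constant-time comparison, and a "last used counter" so a code observed by a Trojan cannot be replayed. The 20-byte secret `12345678901234567890` is the published RFC test key, the one-step window is a design choice for this example, and `last_counter` is assumed to be stored per user by the caller.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second slots since the epoch.
    This is what the authenticator app computes; no message is sent or received."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time // step), digits)


def verify_totp(key: bytes, submitted: str, last_counter: int = -1, at_time=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the matching counter on success, None otherwise.

    - accepts codes from `window` steps either side of now, tolerating clock drift;
    - refuses any counter <= last_counter, so a captured code cannot be replayed
      (the caller persists the returned counter as the user's new last_counter);
    - compares with hmac.compare_digest to avoid a timing side channel.
    """
    if at_time is None:
        at_time = time.time()
    now = int(at_time // step)
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


def enrol() -> tuple:
    """Generate a fresh shared secret; the base32 form is what goes into the QR code."""
    key = secrets.token_bytes(20)
    return key, base64.b32encode(key).decode()


if __name__ == "__main__":
    key, b32 = enrol()
    print("provision to the app (base32):", b32)
    code = totp(key)                      # what the phone would display right now
    print("code from device:", code)
    print("server accepts:", verify_totp(key, code) is not None)
```

Note what the replay check buys: even if malware on the handset reads the displayed code, it is only valid for one time slot and, once the server has consumed that counter, cannot be submitted a second time.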
Given the complicated nature of securing apps and finances online, it is not surprising that 65% of the respondents said that banks and mobile wallet companies should provide more incentives to maintain security integrity -- such as changing passwords regularly. Another 60% said providers should educate users more about the threats online.
When it comes to choosing a mobile e-wallet provider, security remains a priority for digital payment users in Southeast Asia.
More than half (58%) said they would use an e-wallet that includes extra security features such as fingerprint recognition and two-factor authentication, while more than a third (37%) said they would use banking apps or mobile wallets only from providers that have not been involved in any previous data breach or cyberattack.
Some 42% of respondents said they would favour an independent (open) mobile e-wallet, one that can be used directly with a bank or through a third party. Some 35% prefer a closed system, in which the funds in the wallet can only be spent on transactions with a specific merchant.
Other considerations in choosing a digital wallet company included: promotions, cash back and lower transfer fees (49%); anonymity -- users don't need to reveal credit card details to too many merchants (35%); bankless -- bank account details not needed (25%); and locally developed (16%).
"To develop a long-term and sustainable growth strategy, digital payment companies need to take into account some of the wants and needs of their users," said Mr Yeo.
"While some of the preventive measures are not entirely new and have been around for some time, it is crucial to consider how security features can be integrated in a manner without compromising the user experience.
"Our study showed how customers are increasingly holding digital payment providers accountable for the security of their finances online, so we suggest companies determine the cybersecurity gaps in each stage of their payment process, and fit in the right IT measures in a calibrated manner."
To stay protected from ever-changing fraud and cybercrime techniques, Kaspersky recommends digital payment providers adopt the following measures:
Ensure prompt patching and updating of software to prevent adversaries from penetrating the system.
Adopt high-grade encryption for sensitive data and enforce strong credentials and multi-factor authentication.
Use effective endpoint protection with threat detection and response capabilities to block access attempts, and managed protection services for efficient attack investigation and expert response.
Educate customers and employees on possible tricks malefactors may use. Companies should work with globally recognised security providers that can ensure an effective learning process.
Conduct annual security audits and penetration tests to find security issues in the network.
Install a fraud prevention solution that can be quickly adapted for identifying new attack schemes and methods.
For enterprises with mature IT infrastructure, install anti-APT (advanced persistent threat) and endpoint threat detection and response (EDR) solutions. Provide your security operations team with access to the latest threat intelligence and regularly upskill them with professional training.