
How will Standard Chartered resolve its Apple payments hack?

Recently, a number of Standard Chartered Bank customers have been posting on Twitter and in the Facebook group VOC, complaining about unauthorized transactions that usually take place at Apple.com or Uber.


A Twitter user, @Huk06, wrote a thread about the alleged Apple payments hack affecting Standard Chartered Bank customers. In the thread, he says the withdrawals are made from users' debit cards, that the transactions usually take place at Apple.com and sometimes at Uber, and that they go through without the users receiving an OTP.

“For reasons of client confidentiality, we cannot share any details. Rest assured, we have robust processes and procedures in place and our systems have not been affected,” a representative of SCB said while speaking to Founder Pakistan.

Founder Pakistan also spoke to Rafay Baloch, a renowned cyber security expert, to ask how a hack of this magnitude is happening and how banks like SCB and their customers can protect themselves from such attacks in the future.

“The risk of debit/credit cards can be minimized by enabling multi-factor authentication along with heuristic-based detection for all transactions. Banks in Pakistan have now upgraded to EMVCo Standard 2.0, which may not require an OTP challenge for every e-commerce transaction. However, in parallel, AI-based systems will study behavioral patterns of fraudulent and legitimate transactions and form a heuristic-based model,” said Rafay Baloch.

Why aren’t the users receiving an OTP? 

“Furthermore, some companies have performed risk and reward assessments, e.g. Google, Facebook, Ali Express, etc., whereby companies do not want people to abandon their baskets at checkout because of an OTP challenge. In this case, they can opt out of any OTP challenge. In this case, however, Google, Facebook, and other such merchants assume the risk of fraud, and the money is returned to the defrauded customer in case of fraud,” said Rafay Baloch.
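The two quotes above describe risk-based authentication: a heuristic or behavioural model scores each card-not-present transaction, low-risk payments go through without an OTP, and anomalous ones are stepped up to an OTP challenge or declined. The following is an added illustration of that decision logic, not code from Founder Pakistan, Standard Chartered, or Rafay Baloch; the rules, weights, thresholds and sample transactions are all constructed for the example.

```python
"""Heuristic, risk-based step-up authentication for card payments.

Added illustration (not the bank's or any vendor's code). A card's
behavioural baseline is built from its own past legitimate transactions;
each new transaction is scored against that baseline and either approved
silently, challenged with an OTP, or declined. Every rule, weight,
threshold and sample record below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Set, Tuple


@dataclass
class Txn:
    card_id: str
    amount: float        # constructed, in PKR
    merchant: str
    country: str
    device_id: str
    ts: datetime


@dataclass
class CardProfile:
    """Per-card behavioural baseline learned from historical legitimate transactions."""
    home_country: str
    known_devices: Set[str]
    known_merchants: Set[str]
    history: List[Txn] = field(default_factory=list)

    def avg_amount(self) -> float:
        return mean(t.amount for t in self.history) if self.history else 0.0

    def recent_count(self, now: datetime, window: timedelta) -> int:
        # Number of prior transactions inside the window ending at `now`
        return sum(1 for t in self.history if timedelta(0) <= now - t.ts <= window)


CHALLENGE_AT = 40   # score >= this: require an OTP before approving
DECLINE_AT = 80     # score >= this: decline without challenging


def score(txn: Txn, profile: CardProfile) -> Tuple[int, List[str]]:
    """Additive heuristic risk score with the reasons that fired (constructed weights)."""
    s, reasons = 0, []
    base = profile.avg_amount()
    if base and txn.amount > 5 * base:          # spend far above the card's norm
        s += 30; reasons.append("amount>5x_avg")
    if txn.device_id not in profile.known_devices:   # device never seen on this card
        s += 25; reasons.append("new_device")
    if txn.merchant not in profile.known_merchants:  # merchant never used before
        s += 15; reasons.append("new_merchant")
    if txn.country != profile.home_country:          # cross-border purchase
        s += 20; reasons.append("foreign_country")
    if profile.recent_count(txn.ts, timedelta(minutes=10)) >= 3:  # burst of activity
        s += 30; reasons.append("high_velocity")
    return s, reasons


def decide(txn: Txn, profile: CardProfile) -> Tuple[str, int, List[str]]:
    """Map the score onto approve / challenge_otp / decline."""
    s, reasons = score(txn, profile)
    if s >= DECLINE_AT:
        return "decline", s, reasons
    if s >= CHALLENGE_AT:
        return "challenge_otp", s, reasons
    return "approve", s, reasons


def build_sample_profile(now: datetime) -> CardProfile:
    """Constructed baseline: five routine local purchases from one known device."""
    hist = [Txn("card-1", a, "daraz.pk", "PK", "dev-1", now - timedelta(days=i + 1))
            for i, a in enumerate([1400, 1600, 1500, 1500, 1500])]
    return CardProfile("PK", {"dev-1"}, {"daraz.pk", "careem"}, hist)


def demo() -> Dict[str, str]:
    """Run three constructed transactions through the scorer and return the decisions."""
    now = datetime(2022, 1, 1, 12, 0)
    profile = build_sample_profile(now)
    cases = {
        # Usual merchant, usual device, usual amount: no OTP needed
        "routine": Txn("card-1", 1200, "daraz.pk", "PK", "dev-1", now),
        # New device and a merchant the cardholder never used: step up to OTP
        "new_device_merchant": Txn("card-1", 2000, "uber", "PK", "dev-2", now),
        # Large foreign purchase from an unknown device at a new merchant: decline
        "drain": Txn("card-1", 9500, "apple.com", "US", "dev-9", now),
    }
    return {name: decide(t, profile)[0] for name, t in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the structure is that the OTP is spent only where the risk model cannot vouch for the transaction; a real deployment would replace the hand-tuned weights with a model trained on labelled fraud and legitimate traffic, as the quote describes, but the approve / challenge / decline split stays the same.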

How can banks minimize these types of attacks?

“Similarly, software-based two-factor authentication (MFA) mechanisms normally come in two forms, i.e., SMS or in-device-based authentication mechanisms. Several attacks have emerged against SMS-based MFA, such as SIM swapping, in which an attacker tricks mobile service providers into porting a phone number to a SIM card they own. SS7-based attacks redirect users’ SMS to the attackers’ phone numbers. Hence, device-based multi-factor authentication is much more secure than SMS,” said Rafay Baloch.

How can customers protect themselves against hacks like this?

“As a customer, you can also protect your card details: do not hand over your debit/credit card to any person for payment at merchant locations. Do not use your card on shady websites, do not store your card details on your computer/mobile devices, and only use tokenized services offered by payment gateways for storing your card credentials. In case of an established unauthorized transaction, banks are liable to refund the amount where an OTP was not used,” said Rafay Baloch.

Founder Pakistan also tried to reach out to representatives of the State Bank of Pakistan to find out what action can be taken against a bank in this scenario. Despite reaching out multiple times, there was no response on the matter.

Rauff Hanif

Rauff Hanif is a business reporter with Founder Pakistan and covers the intersection of advertising and technology, while also reporting on the venture capital-backed start-up space. He can be reached at [email protected]