A shared responsibility between institutions, consumers
Digital payments are becoming a part of people’s lifestyles in the new normal as consumers increasingly adopt electronic wallets, online banking, and e-commerce platforms, to name a few. A survey by Mastercard across 18 markets globally shows that 90% of consumers have tried at least one emerging payment type in the last year, while 60% would like to shy away from merchants who do not offer electronic payments of any kind.
Along with this increased adoption of digital payments, however, there is also a heightened concern over cybersecurity. Mastercard’s survey noted that one out of four consumers experienced online fraud last year as a result of lockdowns during the pandemic. In addition, the Philippines was found by cybersecurity firm Kaspersky to have the highest number of users attacked by banking malware, particularly Trojans, accounting for 22.26% of all banking Trojans discovered in the Asia-Pacific this year.
How have authorities ensured safety in digital payments so far? As law firm Disini & Disini explained on its Data Privacy Philippines website, the Bangko Sentral ng Pilipinas (BSP) has provided several ways to protect consumers and users.
First, the BSP requires electronic money issuers (EMIs) to maintain a record-keeping system for storing the e-money instruments issued, the identity of e-money holders, and individual and consolidated balances.
The BSP also requires EMIs to maintain a redress mechanism that would allow customers to file complaints. Moreover, before they operate, these issuers should have minimum risk management systems and controls such as internal controls, properly designed and tested computer systems, appropriate security policies and measures, business continuity and recovery plans, an audit function, and compliance with Anti-Money Laundering Act (AMLA) regulations.
“To bolster protection in cashless payments, [the] BSP has issued Circular No. 808 to tighten cybersecurity protocols. In order to manage IT risks and information security issues, [the] BSP requires EMIs to establish a robust IT Risk Management (ITRM) System that covers IT governance, risk identification and assessment, IT controls implementation, and risk measurement and monitoring,” the law firm added.
While these measures, along with others such as one-time passcodes or two-step verification, do help, consumers themselves still have a responsibility to be vigilant and mindful of their transactions. This involves protecting their passwords; not sharing sensitive information; and guarding against fraud, malware, and other cyberthreats.
As the Financial Consumer Protection Department of the BSP advises in a primer, users should create and use a password that is long; cannot be easily guessed by anyone else; contains a combination of characters; and does not contain personal information such as a birthday, the name of a partner or child, or a mobile number.
To create a password that is difficult to guess but still easy to remember, the BSP suggests thinking of a sentence or a phrase that can be easily recalled. Determine its acronym, then decide which characters can be changed to symbols or numbers. Then, determine which characters can be changed to uppercase, while still leaving some in lowercase.
In fact, the Federal Bureau of Investigation’s office in Portland, Oregon advises having “passphrases” instead of passwords. “Instead of using a short, complex password that is hard to remember, consider using a longer passphrase. This involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for you to remember,” FBI Oregon wrote in an online column.
The US-based Identity Theft Resource Center adds that consumers should enable all the security features on their devices (e.g., screen lock/biometric lock) to keep hackers from accessing their digital wallet or payment apps, or stealing log-in credentials or money. Consumers should also be on guard against unsolicited emails or text messages that ask the user to send money directly through a digital wallet or payment app, as well as “red flags” such as payments they did not make using their payment apps. — Adrian Paul B. Conoza