Zit Seng's Blog

A Singaporean's technology and lifestyle blog

The Case Of Stolen Credit Card OTP

I’ve been silent on the case of the man who was held partially liable for about $12K of fraudulent credit card charges over his hacked phone, even though I had quite a few cents to say. You see, I’m an IT security person myself, and as much as I don’t like defending the bank, the man is far from blame-free.

Credit Cards

This unfortunate situation could possibly happen to many people. In fact, it can possibly happen to anyone, even myself. That was one reason I didn’t want to say too much, particularly when it might appear that I’m defending the bank. There are, unfortunately, an abundance of views that the man was completely a victim, and the bank the villain. From an IT security point of view, that’s not quite accurate at all.

You can read about the background story in the Straits Times first, in case you’re not familiar with the case. In a nutshell, a Mr Philip Loh’s smartphone was hacked, and he subsequently found about $12K of fraudulent charges on his credit card. Hackers were able to gain access to the OTP received on his smartphone to effect transactions under the 3D secure payment system. His bank, UOB, offered to waive some of the charges, reducing his liability to $5K, but he insists it was not fair for him to be liable at all.

We don’t have all the gory details. But I think it is reasonable to assume that Mr Loh had been conned into downloading and installing a malware. He was aware that his phone was stuck in an update, but thought nothing of it. He rebooted the phone, but went to bed without checking on it. He did not check if the phone actually rebooted. Indeed, the phone was still rebooting the next morning. It was finally upon a hard reset that he realised he missed a bunch of SMS alerts from UOB.

Mr Loh, presumably, initiated a conscious action to download and install a rogue software. Of course, if the official software update of his phone, a Samsung Galaxy Note 4, had been itself hacked, that would be a completely different matter altogether. I don’t think this is the case. It was likely a malware like this one described by the Association of Banks in Singapore.

So let’s just get this clear. The bank’s computers were not hacked. Their payment system was not compromised. The system of sending OTP is sound. The bank was presented with a credit card charge, and it was properly verified through an OTP. As far as the bank is concerned, this is a legitimate verified credit card charge. Is it the bank’s fault that the credit card customer had allowed hackers to mess around with their phone?

Let me try to draw up an analogy here. You go to a gym, which provides lockers for its members to use. They give you a key to the locker so that you can keep your stuff in there while you workout. You lose the key, and later find the contents of your locker have been cleared out. Is it the gyms’ fault? Alright, maybe you didn’t lose the key, but you carelessly left it around, so that someone could borrow the key to empty the locker before returning the key to where you left it. Is it the gym’s fault?

Here’s another. You’re having some trouble with your computer. You go to some shady shop to get it fixed. They install a keystroke logger, or some other sort of malware, into your computer before handing it back to you. Hackers now have unfettered access to your online activities. Do you blame those online services for lousy security and deny any liability?

Now, before you try to poke holes in these analogies, let me just say they are meant to point out that you have certain responsibilities yourself. You are supposed to look after the keys. You are supposed to look after your computer. I think these points are easy to understand. Why wouldn’t it be your fault if you couldn’t look after your phone properly?

There’s a huge difference between a phone that has been truly hacked, as opposed to you having introduced malware into it through your own carelessness, cluelessness, or negligence.

The question, really, is what can be considered your own carelessness, cluelessness, or negligence. We all make certain assumptions, reasonable assumptions, otherwise life would be miserable. For example, I assume that the phone’s official software is secure. We assume that Samsung did not embed spyware to surreptitiously transmit private information from your phone to a secret server elsewhere. That’s a fair assumption, in my opinion, unless it’s been quite established that Samsung is careless, clueless, negligent, irresponsible, or otherwise malicious with their software. That’s not impossible, incidentally, because we now know how certain brands of computers had shipped with malware preinstalled.

It’s not just the phone. The telco can intercept and misuse OTPs as they are transmitted to you. We assume they don’t. It seems reasonable to assume that. The telco likely has many subcontractors, who could have access to those messages. The manufacturer of the equipment that the telco use might also have a backdoor. We assume none of that is happening.

Perhaps, you think to be safe, you’d just use hardware OTP tokens. On a side note, I have my personal reservations against these tokens, notably because I’m less likely to notice it stolen. Most of us will realise your phones are missing quite quickly. Now, you might say that the likelihood of the hardware OTP token getting stolen is lower, because you just leave it at home and not take it around. That’s also true. But if it does go missing, you probably won’t know it for some time.

Now, why do you trust that the hardware OTP tokens are secure? The hardware manufacturer could also embed some questionable features into it. The trustworthiness of computer processor chips have even been called into question in some circles.

There’s no end to it. So we make some reasonable assumptions, and impose some reasonable expectations. I’d like to assume that UOB carefully considered that situation, and determined that they don’t want to hold Mr Loh completely accountable for his mis-actions. However, he cannot say he is completely blameless either.

The phone, with OTPs sent to it, is a second factor for authenticating credit card charges. It is like a key, one that unlocks spending on your account. Should you not be very careful with this key?

There is no perfect security. In IT security, we are often making compromises to strike a fine balance between security and usability. We don’t need a system to be perfectly unbreakable, we just need it to be good enough so that it’s not worthwhile to break it. We do it all the time with everyday things in our lives, like how valuables at home should be locked out-of-sight while loose change might be left on the table.

UOB could certainly have done more, like determining automatically if those said transactions were fraudulent and hence be blocked. I wondered had OTPs not been used in those transactions, would UOB have blocked or allowed those transactions under the given circumstances (i.e. airline tickets booked from an unlikely country)? Just because OTPs were involved doesn’t mean that no fraud could have taken place.

I digress. This case involves a malware that was, I assume, consciously put into the phone. Should the bank be responsible for it, or should the consumer be liable?

At the start, I said I was myself an IT security person. A common challenge we face is that users often think IT security is someone else’s problem. In a business organisation, if you ask an employee who they think was responsible for IT security, they are likely to point to the IT security department of their organisation.

That is the wrong answer. IT security is everyone’s responsibility. It is not different from how you see at construction sites banners reminding their workers that safety is everyone’s responsibility. You can’t just point to the safety supervisor and say it’s his job. It is quite the same with IT security. Everyone has a part to play.

So while some people may say that the bank should recognise the risks of their use of transmitting OTPs via SMS, it is wrong to say the consumer is blameless. By giving excuses that the consumer was conned, or that they could not be expected to know better, is basically saying security is the bank’s problem, not the consumer’s.

Should Mr Loh have known better? That’s a good question. It helps to know the exact circumstances under which the malware came to get into his phone. We don’t have all the details.

But I hope this can be a lesson for everyone. Your smartphone isn’t just for calls and text messages anymore. It’s a whole lot more than that, and it’s time you learn how to look after it and use it with responsibility. If you’ve been thinking that security is someone else’s responsibility, it’s high time you make it your personal responsibility now.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.