A recent incident involving a state-bank cardholder who had VND500 million (US$22,300) in her ATM account withdrawn overnight has become a case study as to whether an OTP, or a one-time password, in Internet banking is really safe.
Hoang Thi Na Huong woke up on August 4 to find out someone had managed to transfer that huge amount of money from her account, while she did not receive any notification for the transactions either via SMS or the Vietcombank app on her smartphone.
The hackers had managed to withdraw VND200 million ($8,929) of the stolen money via ATMs in Malaysia, before the Hanoi-based lender took action and froze the remaining VND300 million.
Vietcombank, a major state-run lender, said on Friday last week that Huong had visited a bogus website and provided the card credentials of her ATM account to hackers, who later used them to conduct the ATM theft.
The statement has been perceived as a move by Vietcombank to duck responsibility, with many experts believing that the bank should be held responsible for its Internet banking service, whose OTP function appears to be flawed.
As Huong claimed that she did not receive any OTP, the question remains whether hackers also managed to obtain this one-time password.
While it is clear that hackers can easily log in to the Internet banking page on Vietcombank’s website using the username and password stolen from Huong, they still needed the OTP for each transaction to be completed.
Vietcombank allows users to choose to receive an OTP either via SMS or SmartOTP, a feature on its mobile app.
One of the most plausible hypotheses is that the hackers changed the victim's registered mobile phone number to their own, then installed the Vietcombank app on their device and activated it using that alternative phone number.
This means the OTPs for the transactions stealing money from Huong would be sent to hackers through the SmartOTP function on their smartphone, instead of Huong’s device.
If this is really the case, experts say Vietcombank is to blame as it allows people to change the phone number for Internet banking on its website, instead of physically coming to a branch office.
Bank cannot duck responsibility
Nguyen Ai Dan, an expert on banking technology, said Vietcombank should not put all the blame on its customer, as the lender already did in last week’s statement on the issue.
“If I were in Vietcombank’s shoes, I could not just say that the customer lost her money through phishing,” he told Tuoi Tre (Youth) newspaper on Sunday.
“That is not enough because the bank plays a part in this too.”
Even if Huong actually lost her account information to a bogus website, Vietcombank should still compensate the victim, Dan asserted.
The expert also suggested that customers avoid putting too much money in one ATM account; limit the number of devices used for online transactions; and not use convenient but high-risk banking services that allow transactions anytime, anywhere.
In the meantime, Vo Van Khang, another banking security expert, said Vietnamese banks should also tighten security on their OTP features.
“What most lenders in Vietnam have yet to do with their Internet banking services is to verify the in-use devices for every transaction,” Khang told Tuoi Tre.
This means banks should track the devices customers use to conduct transactions online, something “Facebook or Yahoo! have done for years,” he said.
For instance, the system should be able to recognize that a user is carrying out a transaction from a smartphone or computer differently from what they used to do, and ask them to confirm if they are really doing the transaction, not a hacker.
Google and Facebook always notify their users whenever there is a new sign-in from an unfamiliar device or an unusual location.
“If banks can do the same, while users are trained to get used to the security of Internet banking, I believe everyone can use the services with ease, as can hundreds of millions of people around the world,” he said.
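The per-transaction device check Khang describes, combined with the phone-number and SmartOTP rebinding vector from the hypothesis above, can be expressed as a simple risk rule. The following is an added illustration, not Vietcombank's or any bank's code; the data model, the 24-hour cooldown, the limits and the sample scenarios are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Window after any change to the OTP delivery channel (phone number or SmartOTP
# re-enrolment) during which transfers are high risk. Constructed threshold.
CHANGE_COOLDOWN = timedelta(hours=24)

@dataclass
class Account:
    known_devices: set                  # devices seen on confirmed transfers
    per_transfer_limit: int             # VND
    phone_changed_at: datetime = None   # last OTP phone-number change
    otp_reenrolled_at: datetime = None  # last SmartOTP activation

@dataclass
class Transfer:
    amount: int
    device_id: str
    at: datetime

def assess(account, tx):
    """Return (decision, reasons): allow | step_up (confirm on a previously used
    device) | hold (park the transfer and confirm through a channel registered
    BEFORE any recent change, since the newly bound phone/app may be the attacker's)."""
    reasons = []
    if tx.device_id not in account.known_devices:
        reasons.append("unrecognised device")
    for label, when in (("OTP phone number changed", account.phone_changed_at),
                        ("SmartOTP re-enrolled", account.otp_reenrolled_at)):
        if when is not None and timedelta(0) <= tx.at - when < CHANGE_COOLDOWN:
            reasons.append(label + " within cooldown")
    if tx.amount > account.per_transfer_limit:
        reasons.append("amount above per-transfer limit")
    if not reasons:
        return "allow", reasons
    if any(r.endswith("within cooldown") for r in reasons) or len(reasons) >= 2:
        return "hold", reasons
    return "step_up", reasons

def demo():
    """Constructed scenarios modelled on the case in the article (not real data)."""
    night = datetime(2016, 8, 4, 2, 0)
    acct = Account({"huong-phone"}, 100_000_000)
    normal = assess(acct, Transfer(5_000_000, "huong-phone", night))[0]
    new_dev = assess(acct, Transfer(5_000_000, "unknown-pc", night))[0]
    acct.phone_changed_at = night - timedelta(hours=3)   # number rebound online
    acct.otp_reenrolled_at = night - timedelta(hours=2)  # SmartOTP on new phone
    attack = assess(acct, Transfer(500_000_000, "unknown-pc", night))
    return {"normal": normal, "new_device": new_dev, "attack": attack}
```

The important design point is in the `hold` branch: once the OTP channel has just been rebound, confirmation must go to a device or number the customer held before the change, otherwise the check merely asks the attacker to approve their own transfer.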
Ngo Tuan Anh, deputy chairman of Internet security at Bkav, a Hanoi-based security firm, advised Vietnamese ATM cardholders not to boycott Internet banking services following Huong’s case.
“You cannot stop going to the street just because accidents happen every day,” he said. “Boycotting Internet banking services does no good to Vietnam’s development.”