How did the scammers get our names?


At the Senate hearing on the proliferation of spam and phishing text messages, Sen. Grace Poe, chairperson of the Committee on Public Information and Mass Media, asked, "How did the scammers get our numbers?" Guests from the government and private sectors often mentioned scraping, a method of collecting publicly available information from the web or from installed apps to which users upload personal information. MB Technews collaborated with Alvin Veroy, a highly respected cybersecurity professional, to check how scammers harvested our numbers.

Alvin Veroy, through MB Technews, presented to the Globe and GCash teams a proof of concept (POC) on how the scammers harvested the names of users from messaging apps. The same technique was used against GCash to abuse a legitimate feature where users could see the recipient's first name and initials, letting them know that they are sending money to the right person.

The POC, however, is now irrelevant as GCash, in less than 48 hours, updated the app and now shows masked or hidden information about the recipient. All names harvested before the update were already exposed. Masking the users' names is a temporary solution for GCash users who are concerned that scammers know their names. It is a work in progress and will be improved in the coming days.

Mark Frogoso, Chief Information Security Officer of GCash, informed MB Technews that they have been working closely with the National Privacy Commission on the issue of text scams with names and that their system and infrastructure remain secure from data leaks and breaches.

While we look at it as a non-problem, GCash immediately fixed the issue that alarmed Pinoy social media users when they saw their names on scam and spam messages sent via SMS. (Art Samaniego)

-o0o-

Many people have been receiving spam messages offering job opportunities, special promos, or whatever may sound appealing enough for the recipients to engage. The message always contains a link that leads to malicious sites and aims to trick the recipient into sending personal information. Engaging with these messages is equivalent to handing the keys to your home to someone who intends to harm you.

Fintech and communication apps are currently being blamed. Many users reported that it looks like messaging apps could be the source of the personalized scam and spam messages. Users of Telegram and WhatsApp also noted that these apps could be the source of the scammers. MB Technews identified the format of the names on spam text messages as likely coming from Viber and GCash.

At the meeting with Globe and GCash, the MB Technews team got an assurance that the users' data were safe and that GCash data had not been leaked or sold. Nonetheless, they took swift action by masking usernames and mobile numbers. This extends to GCash's API, meaning even on their servers, the names and numbers have been hidden, and scammers won't be able to read the names of account holders even if they use sophisticated scraping methods.

Zoom meeting with the Globe, GCash, and Manila Bulletin Technews teams, where we talked about the possible sources of the names on scam text messages.

Masking, however, is a band-aid solution. GCash has now hidden a helpful feature that would allow users to ensure they are sending money to the right person. On top of that, knowing the name of the person you send the money to is a deterrent to fraud.

GCash is not alone in this. Viber was also called out for privacy issues. Other cybersecurity reports from last year even mentioned that WhatsApp and Telegram are susceptible to hackers sending malicious code into your devices.

While we should enjoy these legitimate features and services, there will always be individuals who will exploit every opportunity they see to benefit themselves at the cost of others. This is why we should limit what we share on various social media platforms. Any information we post and share online, be it on Facebook, Twitter, Instagram, Telegram, Viber, or even LinkedIn, as long as it is online, can be used by scammers against us.

It's also crucial to always remember not to click on any link you receive, especially from someone you do not know. This applies not only to SMS but also to messaging platforms.

Even if someone you know has sent you a link, it won't hurt to confirm that the person did indeed send you that message. It's better to be paranoid than to have your privacy compromised. (Jonathan Castillo)