BSP: Some victims of GCash phishing scheme shared OTP with scammers
MACTAN, Cebu — Some of the GCash users affected by the recent phishing incident fell victim due to sharing the one-time password (OTP) needed for transactions, the Bangko Sentral ng Pilipinas (BSP) said Monday.
According to BSP Governor Felipe Medalla, a number of the transactions were made as some of the users shared the OTPs to those involved in the phishing scheme which affected accounts on May 8.
“They’re not due to hacking, they’re due to phishing, and actually some people were turning over the OTP to the scammer,” he told reporters at the sidelines of the BSP-IMF International Conference on Financial Stability.
He was referring to the phishing incident last week, affecting over 1,000 accounts of GCash. Investigation of the firm showed that a phishing operation gathered information and used the OTPs generated simultaneously on May 8.
GMA News Online reached out to GCash for comment but has yet to receive a response as of posting time.
The central bank has been investigating the reports of unauthorized fund transfers from GCash accounts, with funds said to have been forwarded to accounts under Asia United Bank and East West Banking Corp.
“Luckily, they haven’t passed enough and recovered maybe 80% of what was stolen,” Medalla said.
“The people engaged here are more or less some of the smartest people in the world. As you make your system more difficult to penetrate, they’ll find new ways of getting at you, therefore this is a challenge that will be there forever,” he added.
GCash then reported a temporary downtime of its system on the evening of May 8, as it said it extended its scheduled maintenance to investigate the reported unauthorized fund transfers, reiterating that there was no hacking that happened. Its system was back on Wednesday morning.
It said adjustments to the account of all affected accounts were completed as of 3 p.m. on May 9, noting that their customers did not lose their funds on their respective accounts.
GCash — which currently has over 79 million users — is registered as a non-bank financial institution electronic money issuer (EMI-NBMF).
It is operated by GXchange Inc., a wholly-owned subsidiary of Mynt (Globe Fintech Innovations Inc.), which is in turn a partnership between Globe Telecom Inc., the Ayala Corp., and Ant Financial.—AOL, GMA Integrated News