LETTER | Steps to reduce data leaks and tackle scams

LETTER | Between January 2019 and July 2022, Malaysians lost over RM2 billion to digital scams.

Meanwhile, ruling career politicians are trapped within the “SPM mentality” by launching multiple “awareness” campaigns to tackle scams. For the record, the most popular tip for essay writing during SPM exams is to include public campaigns as a solution for all social problems.

The government must implement concrete macro-policies to curb scams such as improving digital privacy. Unknown to the masses, there is a strong correlation between the number of scams and digital data leaks.

The Covid-19 pandemic had increased the amount of personal data available due accelerated digitalisation. The weaknesses in digital privacy regulation had increased the quantity and quality of actionable data leaks.

The amount of data compromised per leak is higher in the public sector compared to the private sector. However, data leaks are more common in private sectors compared to the public sector. Cumulatively, more data is leaked from the private sector than the public sector. Hackers monetise these data leaks by selling it on the dark web to potential scammers.

Data leak from financial surveys and consumer loyalty programmes provide scammers with the information of the potential victims’ financial capacity. Additionally, leaks from e-commerce websites such as consumer activities and debit card details allow scammers to impersonate as bank staff, police officers, and Bank Negara officers. In turn, scammers utilise these data leaks to provide certain accurate information to convince and terrorise victims.

These leaks increase the success rate of scams. Thus, scammers continue to raise the price for leaked data on the dark web, which motivates hackers to steal more digital data. This self-reinforcing vicious cycle can only be broken by strengthening digital privacy.

Mandatory account delete function

Firstly, an account delete function should be made mandatory for apps and websites. The majority of consumer websites and smartphone apps do not have such a function. Users cannot delete their personal details after they decide to stop using those services permanently.

Certain website operators require users to send an email for account deletion. This additional step was designed to discourage users from deleting their personal details. It is a deliberate business practice to retain personal data. Such dormant accounts with personal details increase the quantity of actionable data leaks.

In Malaysia, 99 percent smartphones users download their apps from the Apple AppStore, Google Play, Huawei AppGallery, and Windows Phone Apps. Currently, only Apple has made the delete function for mandatory apps published on its App Store. Apple only covers only 27 percent smartphones users leaving the remaining 62 percent of smartphone users vulnerable.

A compulsory account delete function allows users to remove their personal details from websites and apps. The reduction in dormant accounts with personal details reduces the probability of being scammed.

Mandatory use of PassKey

Secondly, authorities should make it mandatory for websites and apps to offer PassKey as a login method. PassKey is the new global standard for login privacy developed by Fido alliances with the World Wide Web Consortium (W3C).

The government’s campaigns advising people to not share their login credentials are meaningless because such information is stolen from website servers and are not shared voluntarily by users.

Password-based login is made up of two components - username and password. Both of these are stored in the website’s server. Hackers attack these servers to steal the login credentials. Most server attacks are neither detected nor reported. Thus, the leaked credentials were never changed by users, granting access to scammers.

PassKey uses digital cryptography linked to personal devices to replace password-based login. PassKey stores one of two credential components in the users’ personal device itself. The system is resistant to phishing and it is near impossible for scammers to access users’ accounts.

Operating system (OS) developers such as Apple, Google, Huawei, and Microsoft have made PassKey available across their software. However, domestic websites are reluctant to adopt PassKey to avoid the integration cost. Thus, the government needs to make it compulsory for domestic websites to adopt PassKey.

Multi-ledger pseudonymisation for govt data

Thirdly, adopt multi-ledger pseudonymisation as a data storage method for government data. Multi-ledger pseudonymisation is a data storage method where personal data on the master ledger is masked with a pseudonym.

The system could be explained in layman terms by using Microsoft Excel and pendrives as an analogy.

Assume that department XYZ keeps its records of names with their respective MyKad information in a Microsoft Excel sheet in Pendrive A. The multi-ledger pseudonymisation method, replaces the name and the MyKad number with a pseudonym.

The names that correspond with the pseudonyms are kept separately in an Excel sheet in Pendrive B. The MyKad information that corresponds with the pseudonym is kept separately in an Excel sheet in Pendrive C.

In this way, government staff needs to cross-reference the information from all three pendrives simultaneously to link the name with the MyKad information. Stealing one pendrive will not grant any actionable information.

This may sound tedious, but the method is more sophisticated and faster in reality. The data is stored in multiple different cloud servers with cross-referencing conducted in the government staff’s computer upon request. Multi-ledger pseudonymisation reduces the quality of actionable data for hackers.

Get telcos to provide eSIM

Finally, instruct all domestic telcos to provide eSIM at no cost to new and existing customers. Embedded SIM (eSIM) is the global industry standard to activate cellular service without the physical SIM card. Most Malaysians will not terminate their physical SIM cards after losing a mobile phone with the hope of retrieving back their mobile phone.

Scammers may not be able to access the data from lost or stolen mobile phones because of screen lock. However, scammers can gain access to the physical SIM itself. This allows scammers access to one-time passwords, secondary authentication, and password reset.

ESIM prevents scammers from accessing the SIM in a locked phone. This reduces the probability of hacking into users’ personal accounts. Currently, only eight out of 25 cellular providers in Malaysia provide eSIM. Not all mobile devices are compatible with it, but it minimises accessibility by scammers.

Conclusion

Curtailing the quality and quantity of actionable data leaks will reduce the success rate of scams. The proposed steps are within the discretionary power of the communications and multimedia minister, who regulates digital infrastructure. The primary question now is the political will to execute.

The views expressed here are those of the author/contributor and do not necessarily represent the views of Malaysiakini.