Steps to Reduce Data Leaks to Tackle Scams
Between January 2019 and July 2022, Malaysians lost over RM2 billion to digital scams. Meanwhile, ruling career politicians are trapped within the “SPM mentality”, launching multiple ‘awareness’ campaigns to tackle scams. For the record, the most popular tip for SPM exam essay writing is to include public campaigns as a solution for all social problems.
The government must implement concrete macro-policies to curb scams, such as improving digital privacy. Unknown to the masses, there is a strong correlation between the number of scams and digital data leaks.
The Covid-19 pandemic increased the amount of personal data available due to accelerated digitalisation. The weakness in digital privacy regulation has increased the quantity and quality of actionable data leaks.
The amount of data compromised per leak is higher in the public sector than in the private sector. However, data leaks are more common in the private sector than in the public sector. Cumulatively, more data is leaked from the private sector than from the public sector. Hackers monetise these data leaks by selling them on the dark web to potential scammers.
Data leaks from financial surveys and consumer loyalty programmes provide scammers with information on potential victims’ financial capacity. Data leaks from e-commerce websites, such as consumer activities and debit card details, allow scammers to impersonate bank staff, police officers and Bank Negara officers. Scammers use these data leaks to present certain accurate information to convince and terrorise victims.
Data leaks increase the success rate of scams. Thus, scammers continue to raise the price for data leaks on the dark web, which motivates hackers to steal more digital data. This self-reinforcing vicious cycle can only be broken by strengthening digital privacy.
Mandatory Account Delete Function
Firstly, make it mandatory for apps and websites to have an account delete function. The majority of consumer websites and smartphone apps do not have an account delete function. Users cannot delete their personal details after they decide to stop using those services permanently.
Certain website operators require users to e-mail for account deletion. This additional step was designed to discourage users from deleting their personal details. This is a deliberate business practice to retain the personal data. Dormant accounts with personal details increase the quantity of actionable data leaks.
In Malaysia, 99% of smartphone users download their apps from Apple App Store, Google Play, Huawei AppGallery, and Windows Phone Apps. Currently, only Apple has a mandatory delete function for apps published in the App Store. Apple covers only 27% of smartphone users, leaving the remaining 62% of smartphone users vulnerable.
Compulsory account delete functions allow users to remove their personal details from websites and apps. The reduction in dormant accounts with personal details reduces the probability of being scammed.
Mandatory Use of PassKeys
Secondly, make it mandatory for websites to offer PassKey as a login method. PassKey is the new global standard for login privacy developed by the FIDO Alliance with the World Wide Web Consortium (W3C). The government’s campaigns advising people not to share their login credentials are meaningless because login credentials are stolen from the website servers and not shared voluntarily by the people.
Password-based logins are made up of 2 components: username and password. Both login credentials are stored on the website server. Hackers attack these servers to steal the login credentials. The majority of server attacks are neither detected nor reported. Thus, leaked credentials are never changed by users, granting access to the scammers.
PassKey uses digital cryptography linked to personal devices to replace password-based login. PassKey stores one of the 2 credential components on the user’s personal device itself. PassKey is resistant to phishing and makes it nearly impossible for scammers to access users’ accounts.
Operating System (OS) developers such as Apple, Google, Huawei, and Microsoft have made PassKey available across their software. However, domestic websites are reluctant to adopt PassKey to avoid the integration cost. Thus, the government needs to make it compulsory for domestic websites to adopt PassKey.
Adopt Multi-Ledger Pseudonymisation for Government Data
Thirdly, adopt multi-ledger pseudonymisation as a data storage method for government data. Multi-ledger pseudonymisation is a data storage method whereby the personal data on the master ledger is masked with a pseudonym.
Multi-ledger pseudonymisation can be explained with a layman's analogy using Microsoft Excel and pendrives. Assume department XYZ keeps records of names with the respective MyKad numbers in a Microsoft Excel sheet on Pendrive A. In the multi-ledger pseudonymisation method, the name and MyKad number will be replaced with pseudonyms.
The correspondence between name and pseudonym is kept separately in an Excel sheet on Pendrive B. The correspondence between MyKad number and pseudonym is kept separately in an Excel sheet on Pendrive C. The government staff need to cross-reference the Excel sheets from 3 different pendrives simultaneously to link the name with the MyKad number. Stealing one pendrive will not grant any actionable information.
In reality, multi-ledger pseudonymisation operations are more sophisticated and faster. The data are stored on multiple different cloud servers, with cross-referencing conducted on the government staff’s computer upon request. Multi-ledger pseudonymisation reduces the quality of actionable data available to hackers.
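The three-pendrive analogy above, as an added Python example that is not part of the original article. It assumes a separate random pseudonym for the name and for the MyKad number, so the master ledger is needed to link them; the sample rows, field names and function names are constructed for illustration.

```python
import secrets

# Constructed sample rows: (name, MyKad number, detail). Not real people.
SAMPLE = [
    ("Aminah binti Example", "900101-14-0001", "Ipoh"),
    ("Tan Example Wei", "850505-08-0002", "Taiping"),
    ("Kumar a/l Example", "920909-10-0003", "Kampar"),
]

def split_records(records):
    """Split rows into a master ledger (A) and two lookup ledgers (B, C)."""
    master, names, mykads = [], {}, {}
    for name, mykad, detail in records:
        # Random tokens, not hashes: MyKad numbers are guessable, so a hash
        # of one could be reversed by trying every candidate number.
        name_ref, mykad_ref = secrets.token_hex(8), secrets.token_hex(8)
        names[name_ref] = name
        mykads[mykad_ref] = mykad
        master.append({"name_ref": name_ref, "mykad_ref": mykad_ref,
                       "detail": detail})
    # Store B and C sorted by pseudonym; insertion order would otherwise
    # let someone holding only B and C pair rows by position.
    return master, dict(sorted(names.items())), dict(sorted(mykads.items()))

def reidentify(master, names, mykads):
    """Join all three ledgers, as an authorised staff request would."""
    return [(names[r["name_ref"]], mykads[r["mykad_ref"]], r["detail"])
            for r in master]

def exposed(stolen, records):
    """Names and MyKad numbers readable from one stolen ledger."""
    dump = repr(stolen)
    return {v for name, mykad, _ in records for v in (name, mykad)
            if v in dump}

if __name__ == "__main__":
    a, b, c = split_records(SAMPLE)
    print("A alone exposes:", exposed(a, SAMPLE))
    print("B alone exposes:", exposed(b, SAMPLE))
    print("A+B+C rejoined:", reidentify(a, b, c) == SAMPLE)
```

A stolen master ledger exposes neither names nor MyKad numbers, and a stolen lookup ledger exposes one field with nothing to link it to the other.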
Get Telcos to Provide eSIM
Finally, instruct all domestic telcos to provide eSIM at no cost to new and existing customers. Embedded SIM (eSIM) is the global industry standard for activating cellular service without a physical SIM card. Most Malaysians do not terminate their physical SIM cards after losing their mobile phone, in the hope of retrieving the phone.
Scammers may not access the data from lost or stolen mobile phones because of screen lock. However, scammers can gain access to the physical SIM. This allows scammers to gain access to OTP, secondary authentication and password reset.
eSIM prevents scammers from accessing the SIM in a locked phone. This reduces the probability of hacking into users’ personal accounts. Currently only 3 out of 25 cellular providers in Malaysia provide eSIM. Not all mobile devices are compatible with eSIM, but it minimises accessibility of SIM cards by scammers.
Conclusion
Curtailing the quality and quantity of actionable data leaks will reduce the success rate of scams. The proposed steps are within the discretionary power of the communication minister, who regulates digital infrastructure. The primary question now is the political will to execute.
SHARAN RAJ is a human rights activist, environmentalist and infrastructure policy analyst. He is currently pursuing a postgraduate degree through research in economics, focusing on a regional currency union for ASEAN and Oceania.
HP Number : 019-4479734
E-mail : raj28sharan@icloud.com
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of Ipoh Echo