On the morning of May 9, GCash issued an advisory intended to assure its millions of users: “We’re back!” 

The advisory was posted after GCash extended a scheduled maintenance job “to investigate and determine that no hacking had occurred” the day before, when unauthorized deductions were made on certain accounts. The downtime that prevented users from accessing the app was prompted by the complaints of users of suddenly thinned e-wallets. 

The lack of access to the app unnerved GCash users, and understandably so.  In a post on Twitter, Renz Bangayan said: “I am upset and nervous, I work hard to get money and this happened? There’s no warning, no text, no info, just shutdown.”  He pleaded: “Please don’t take my money away.”

In its advisory, GCash promised that “any deduction from a GCash account will be adjusted before 3 p.m. today.” It apparently made good on its promise because in another advisory issued shortly before 5 p.m., it said: “We have already adjusted the e-wallets of the affected GCash users and the app is back up so you may now safely proceed with your regular transactions.”

Is it the end of an unfortunate incident? Not likely. 

Unhappy users

Most of the comments to the advisory posted on the GCash Facebook page were obviously from unhappy users. In fact, the Author of the post was apologizing again and again for the inconvenience that users experienced and advising them to get a ticket at the GCash Help Center so their concerns could be addressed. 

What it indicated was that the comments from users, which were no longer shown, were complaints and frustrations expressed over the downtime they seemed to continue to experience. 

Only a few comments indicated user relief. A certain Kai said she was afraid that part of her money had been taken, and was comforted that it did not happen: “Kinabahan ako baka nabawasan pera ko. Buti nalang kumpleto pa.” 

But another said she was relieved for another reason: She was able to transfer her money to a bank account. 

Others said they were considering shifting to another e-wallet app.

Continuing questions

On top of these were the questions raised by many users. They are continuing to ask questions because they are not getting the answers they need.

Commenting on the May 9 advisory, Gelo Asis said on FB: “No explanation as to what happened?”

Joseph Villadelgado said: “This is a brush-off statement. We require you to explain why this happened!”

Lea Tapican pointed out: “You still did not address the issue ‘why was there a bank transfer without an OTP.’” 

The one-time PIN (personal identification number), or OTP, is a unique number combination sent only to the user’s mobile number. In its latest advisory, GCash once again warned users to never share their OTP and MPIN (mobile PIN) with anyone.  

The MPIN, a four-digit passcode that only the customer or GCash account owner should know, is another level of authentication. Sharing the OTP and MPIN means that a user is authorizing a transaction.  

GCash has stressed that its representatives will never ask for this information. 

It contends that no hacking occurred on May 8 and that the unauthorized deductions and fund transfers were due to phishing.

Hacking happens when there is an unauthorized access to personal or organizational data. GCash denies that this happened, and says there are no glitches in its system.

Phishing, on the other hand, happens when a perpetrator poses as a legitimate institution such as a bank, an online payment site, a tour operator, or an online commerce site and devises messages that often contain links to websites that lure victims into revealing their personal information including banking and credit card details, usernames and passwords.

Was this how the perpetrator in the May 8 GCash incident acquired PMINs and OTPs?

‘Fraudster’ 

In a report on GMA News Online, GCash vice president for corporate affairs Gilda Maquilan said a “fraudster” had made the account takeover using “sophisticated phishing.”

Per GMA, GCash’s investigation showed that the phishing operation gathered information and used the one-time passwords generated simultaneously on May 8.

But what is “sophisticated phishing”? How can it be prevented?  Is it sufficient for users never to share their OTP and PMIN?

GCash has reportedly been ordered by the Bangko Sentral ng Pilipinas and the National Privacy Commission to explain the incident. There are proposals for an investigation in aid of legislation to be conducted in the House of Representatives.

GCash is also said to be coordinating with EastWest Bank and Asia United Bank, where the unauthorized deductions were transferred, and with the Philippine National Police and the National Bureau of Investigation for the pursuit of the perps. 

The incident has been described as “isolated” because only more than 1,000 GCash accounts out of 81 million were affected.

But not all users are taking that perspective.  

Mi Lo wrote on the GCash FB page: “Though I was not affected, I think you guys owe us an explanation as to why there were multiple unauthorized transactions to an EastWest Bank account ending in -5239. [Explain] why and who.”

The need to know, as stated by Darwin Alix, is prompted by the question:  “And how can you make sure that this won’t happen again?”

It was the worst experience for all those inconvenienced, according to Cyl Khí: “Sa lahat ng naperwisyo ito ang pinaka grabe sa lahat!”