PETALING JAYA: Just like any online data, the account information of Employees Provident Fund (EPF) contributors is vulnerable to cyber attacks.
By extension, account holders who have applied to withdraw their money under the i-Sinar initiative could lose their savings.
This weakness was made evident in a recent fraudulent attempt to make a withdrawal from a woman’s EPF account under the i-Sinar programme.
While there are security measures in place for most sensitive data, they are not foolproof.
A cyber security expert said a one-time password (OTP) is only as secure as the certainty that the smartphone used to deliver it belongs to the rightful account holder.
Criminologist Shankar Durairaja said data only becomes a target of hackers when it is of value to a third party.
In the case of i-Sinar, it is the money that account holders are now allowed to withdraw to meet their immediate needs in the face of Covid-19 challenges.
Shankar was commenting on a claim posted on YouTube that such accounts can be easily breached, and all it takes is the account holder’s identification number and smartphone number.
According to the post, the hacker only needs personal details such as the home address, email and bank account number of the account holder.
“Various types of data represent different levels of risks to businesses or individuals. Such data, illegally obtained, can be sold and used for marketing purposes, fraud and identity theft,” Shankar told theSun.
“While providing our identification and mobile numbers may seem harmless, criminals need only low-sensitivity information and a bit of medium or high-sensitivity data to commit fraud and identity theft,” he added.
He said a person raises the risk of exposure by posting personal information on public forums such as social media.
In the case of i-Sinar, he said that although applicants have to answer security questions when logging in, it is not impossible for someone to gain access to another person’s account.
Shankar said EPF could beef up security by training network engineers and system administrators on security-related skills to enable them to manage and configure the system securely.
“They can also hire cyber-security experts to stress-test the system to identify its weaknesses and vulnerabilities and offer remedies. Employees should also be systematically educated to ensure that they do not become victims or conduits for security breaches,” he added.
Associate professor Dr Selvakumar Manickam of Universiti Sains Malaysia said that apart from the OTP, introducing a requirement to fill out a security questionnaire accurately can significantly reduce the chances of criminals gaining access to the applicant’s information.
However, he conceded that it is still possible to obtain the required information through social engineering.
“When there’s a will, there’s a way.”
Social engineering involves gaining access to systems or data using human psychology rather than technological hacking techniques.
“The high number of scams we have witnessed in recent times is proof that social engineering has been very successful.”
Selvakumar said criminals can also buy personal data on the darknet, obtain it by sending out phishing emails, or simply trick the user into divulging the needed information.
To register for an EPF i-Akaun, one has to be physically present at an EPF office to get a temporary user ID and password. Selvakumar said the same requirement could have been imposed for the i-Sinar programme.
“This can be a hassle, but it is better to be safe and secure than sorry,” he added.
On Sunday, a 28-year-old assistant nurse lodged a police report alleging that there was an unauthorised attempt to withdraw RM5,000 from her EPF account on Friday.
On checking, she found that an unknown bank account number had been registered under the i-Lestari programme.
She later managed to uncover the identity of the bank account holder, whom she did not know.
It is learnt that EPF rejected the withdrawal because the bank account number did not match the woman’s.
Efforts to get comments from EPF were unsuccessful at press time.