In January 2021, the country’s premier investigation unit, the Federal Investigation Agency (FIA), released a public service announcement regarding an “Easypaisa Account Block Fraud.” According to this PSA, a stranger gets in touch with the victim, claims to be a representative of the company, and informs the customer that their Easypaisa account has been blocked and that they must share a certain code if they want to use it again. Once the victim communicates the code, the hacker is able to empty their digital wallet.
Over the years, several other digital wallets have begun operating in Pakistan; only recently, the State Bank of Pakistan (SBP) issued licenses for 12 new electronic money institutions (EMIs). However, the hackers have not evolved their strategy, perhaps because they did not need to. Despite the FIA’s explicit warnings and multiple banking institutions publicly issuing disclaimers against revealing any personal information, OTPs, pin codes or passwords to anyone on call, customers have constantly been facing these fraudulent calls and text messages.
On 17 June 2023, this correspondent received a call from someone claiming to be Kashif Rizwan, senior supervisor at the Islamabad Jazz Cash office. He said that the correspondent’s Jazz Cash account had been blocked and that she should tell him the OTP she would receive so he could unblock her account. However, since the call came from a typical Jazz mobile number and not a landline number or the official Jazz helpline number, which is 4444, the correspondent did not share any details and began searching to find out whether this had recently happened to other people.
On a Facebook group called Voice of Customer Pakistan, several social media users have warned other members of the group about their experiences of being defrauded by an alleged Jazz Cash representative who called them and asked for an OTP or pin code, after which money began to be transferred out of their Jazz Cash wallets. Some of them were contacted by a Facebook account with the title Jazz cash and were told to add a specific amount of money to their accounts, after which they received the calls. Many posts from 2021 in other Facebook groups also turned up.
Telecom companies such as Telenor and Jazz have consistently denied any strange activity on their networks or large-scale data breaches. However, Twitter users claimed in January 2022 and in May 2020 that the databases had been hacked and were being sold via Telegram. In 2020, the personally identifiable information (PII) of 115 million subscribers was leaked and put up for sale for 300 bitcoins; the majority of these subscribers had chosen Jazz as their mobile operator.
In January 2022, similar tweets and posts reappeared on social media platforms, claiming that leaked Jazz and Telenor databases were being sold for just $250. Jazz and Telenor tweeted out an official rejection of this claim, and the tweets sharing screenshots of leaked telecom databases were eventually removed from the platform.
To understand the other end of this hacker problem, Profit spoke to Murtaza Ali, Chief Financial Officer (CFO) of Jazz Cash, who continued to reject the idea that the scammer calls are a consequence of previous data leaks. He said, “Our customer data is secured in encrypted forms and is not accessible to just anyone. In fact, our mobile services management data is kept completely separate from the Jazz Cash digital wallets’ data, which is stored with the Mobilink Microfinance Bank.” Ali believed it is more likely that these scammers are getting various personal details from local vendors and then calling up registered Jazz numbers to try their luck at scamming them.
“We put special emphasis on the education of the customers through SMS marketing, advertisements and public service announcements. We have made it clear time and time again that customers should never share any type of pin code or passwords with anyone on call.” Defending the Jazz Cash financial fraud monitoring systems, he said, “We have also introduced new and more updated password controls which disallow customers from even having a moment’s vulnerability where their OTP is shared on text messages. In fact, our app is able to directly fetch OTPs, preventing yet another loophole through which someone’s JazzCash wallet can be hacked.”
Profit also spoke to Ali Irfan, Chief Customer Experience Officer at JazzCash, who told us that the official Jazz call centers follow a hybrid approach where the ones dealing with sensitive information are operated in-house and the rest are outsourced. “The scammer industry is a thoroughly organized crime industry and they have their methods of acquiring customers’ information. Following the gold standard for data compliance set out by the State Bank of Pakistan, we are confident in our data security mechanisms and are regularly subjected to audits and inspections by the SBP.”
Despite the company’s assurances, it seems clear that telecom companies are not ready to accept that massive consumer data leaks can severely impact the FinTech industry and, most importantly, customers’ ability to participate in this industry. Perhaps the loophole lies in the outsourced call centers, or in the lack of awareness among the larger body of customers, but similar scams keep appearing every few months, and the national FinTech industry must work on robust data protection mechanisms as it gears up to operate at a larger scale.