ONGOING BIGPAY PHISHING ATTACK!

I just received a whatsapp call from fake bigpay.



Asking for SMS TAC.

However the SMS received looks different.

This is how legit one looks like:



And these are the ones that just came in:



After I froze the card in app, I gotten a fund request and the fella quickly cancelled it:



--

Edit: I think they don't know my PAN and full name. The app login is 1 factor authentication because no password required, to be frank, BigPay is sibjected to simjacking which is crazy widespread in US.

They can just poll random phone numbers in app, if there is a name returned, they phone them up.



This post has been edited by honsiong: Aug 5 2020, 08:37 PM

Before that, REPORT the number.

I wrote a blog post - Why BigPay is not that safe

Implement 2FA like all other banks. BigPay is the only one with only 1 factor of authentication out there.

Asking for password will seriously thwart scammers because it's more intuitive to most people so they don't give away their passwords easily.

I explained further in https://anonoz.github.io/security/2020/11/0...y-security.html

False.

- UOB Mighty app is 2FA everytime we login
- Maybank apps will do SMS TAC when we do outgoing transaction in app.
- GrabPay will do both SMS TAC + user's PIN before authorising transactions.

Only BigPay needs only 1FA to do outgoing transaction, I confirm this.

Both timed one time password and SMS one time password fall under "what you own" factor.

Read more: https://en.wikipedia.org/wiki/Multi-factor_authentication

No seriously, BigPay's 1FA is kinda silly. They trust telco too much.

Read my blog post, you can change the passcode by simply type in your NRIC.

NRIC and SMS TOTP both fall under "what you own", say if someone steals or snatches your purse, and your SMS can be read without unlocking the phone, your BigPay account is completely gone.

You can argue normal credit cards are less safe, but BigPay is positioning themselves as challenger bank and have applied for license with BNM iirc.

This post has been edited by honsiong: Nov 13 2020, 12:09 AM

It’s easy to say that to defend the designers in BigPay.

But if BigPay is targeted significantly more than other banks, maybe there is something to think about.

Saying their customer db has been compromised is a serious allegation. Thing is probably as simple as this guy below said.

Correct, it's pretty easy to tell if someone has a BigPay account. Or you can brute force import phone numbers onto a phone and see who show up as friends in the Payment tab.

BigPay is targeted hard specifically because of their 1FA design. And tech illiterate people are probably only think about safeguarding their passwords and not other personal identifiable information.

CAN. Use DuitNow reverse NRIC/phone number to name lookup, or whatsapp/telegram name.

They always call thru whatsapp anyway.

Ant has 50% stake in touchngo digital iirc.

I think AirAsia just wants to offer full stack services for migrant community here. They will use AirAsia to fly to and from their home country, use BigPay to remit their income home, use TuneTalk IDD to call home etc.

K bigpay is really becoming a normal bank app.

Eh they give us 0% foreign exchange rate very good already, I will take that over saving interest rate. Forex can save 3%+ vs other cards.

Bigpay charges 0.6% forex spread, same as Wise now.

Thats what I used to know, but now I read their website, they have changed their tone recently.

https://web.archive.org/web/20200511170548/...w.bigpayme.com/

May 2020:
- BEST CURRENCY EXCHANGE RATE
Banks charge you a mark-up fee on top of the currency
exchange rate. We don’t. That’s more money for you.

https://web.archive.org/web/20220223193835/...w.bigpayme.com/

2022:
- the BigPay card gives you real exchange rates, anywhere in the world.

It's a slight change in language lah, but bigpay is still much better than typical cards when paying non-MYR stuff

I sendiri compare against XE app. Again, it's possible BigPay isn't using XE rate, so I probably should have checked against Visa's rates.



Edit: OK so Visa has 0.33% markup over spot rate. I just checked XE and Visa website at the same time:

- XE.com spot rate 4.6509
- Visa exchange rate 4.6688

This is Bigpay's FAQ:



"Additional charges from these two networks" is the key -- they still give the best rates among Malaysian debit cards, but it's no longer using spot rates like before covid.

This post has been edited by honsiong: Apr 3 2022, 09:51 PM

Why not both? I think bigpay still has advantage in ATM withdrawals. But its safe to keep both at hand, just in case you lose one of them.

The virtual card is meant for card-not-present transactions, aka online purchases.

If you never use the card offline, freeze your physical card for max protection.

You can DuitNow $ from your saving account into BigPay to not pay the 1% charge. Maybank doesn't support it, get a UOB Malaysia account please.

I don't have Wise Malaysia card so I can't tell much, but Wise Singapore card limits usage to S$ 30000 per year (only ~ RM 8000/mo) which is insufficient for my spending as a digital nomad. So I have to use Bigpay which has no spending limit.

Yes, failed only in Netherlands. But for RFID txn I use Wise SG on Apple Pay mostly.

Currently in Mexico, half of the card readers here do not have RFID reader, Bigpay chip & sign works well here.

I have Wise SG card... no we cannot have 2nd account from another country.

Wise MY card is different from SG card, the SG card is issued from UK bank but MY card is from US bank iirc. You can check their first 6 digits BIN.

SG card has Apple Pay which is very safe way to pay, I always disable the physical card.

This post has been edited by honsiong: Aug 9 2022, 10:37 AM