Updated on March 23, 2018: The Lazada team have reached out to us with their response to the situation. We have updated the article to reflect that.
- A Facebook user by the name of Pin Pin uploaded a series of screenshots showing how a scammer, who had presumably phished or otherwise obtained her login details, used them to purchase goods on Lazada, even after she had lodged a complaint.
- Currently, Lazada's platform allows users to change the email address on an account without first confirming the change with the old address.
- If this happens to you, immediately call your bank to cancel or freeze the card so that no further transactions can go through.
- Lazada should also consider tightening security on its platform, and introduce procedures that stop a reported compromise faster.
Lazada is one of the biggest e-commerce sites in Malaysia today, and with that popularity comes scammers hoping to take advantage of it.
When the security of a service as popular as Lazada has a flaw or gap, it is no surprise to hear that people are already exploiting it.
On March 21, 2018, a Facebook user by the name of Pin Pin uploaded a series of screenshots detailing a major security flaw with Lazada that has been exploited.
Pin Pin discovered that someone had spent RM800 from her PayPal account on Lazada, and went investigating. When she logged into her Lazada account, she found that someone had changed the email associated with her Lazada account to theirs.
Lazada's system does not require the owner of the old email address to confirm the change, so anyone already logged into the account can swap the address, which also cuts the real owner off from order notifications and any password-reset emails.
The scammer continued to make purchases on her account, one of them worth RM3,513. Delivery addresses included Sandakan, Sabah and Kuala Besut, Terengganu.
Pin Pin eventually searched the shipping addresses online and found that one of them had appeared in other, similar cases.
Some netizens have criticised Pin Pin for not getting in touch with either PayPal or Maybank to stop more of these fraudulent charges, which would probably have saved her the RM3,513.
That said, Lazada's response, as described by Pin Pin, seemed inadequate. They processed her dispute and marked the case as closed, which meant the account could still be used to make purchases.
In retrospect, they could have flagged the account and stopped more transactions from taking place, rather than letting the situation go on for as long as it did.
Another complication: for PayPal payments, Lazada redirects the buyer to PayPal's login page before the payment can be made.
Since purchases kept going through, the victim's PayPal login was most likely compromised along with her Lazada credentials. (Lazada's later decision to de-link PayPal accounts, in the statement below, suggests that an already-linked PayPal account may not have prompted for a fresh login at all.)
According to Pin Pin, she had to escalate the case by going to Lazada's HQ in person on March 20. After that visit, Lazada emailed her an apology and an update on which of the orders made through her account had been cancelled, and which had already been delivered.
The victim has since lodged a police report about the incident.
Lazada have released their statement on what went on, which we have included below (emphasis ours).
“Lazada has investigated the matter and can confirm that the individual’s email and password were obtained from another website. The individual’s Lazada account was then accessed, and orders made. Once Lazada was informed, we took action to cancel the fraudulent orders. As of today [22/3/2018], 9pm, the customer has acknowledged that she has received her refund from Lazada.
Lazada takes security very seriously. We can confirm that our systems remain safe and uncompromised. We strongly encourage consumers to take necessary precautions to protect their login credentials and passwords, and to avoid using the same login ID and password on multiple sites to prevent such occurrences. In addition, bank transfers and credit card transactions on Lazada Malaysia do require an additional security measure such as the One-Time Pin (OTP) which is sent to the customer’s mobile phone for added verification. To ensure that this level of security is also applied to PayPal, Lazada Malaysia has taken the decision to de-link all PayPal accounts from customers’ Lazada accounts, requiring an additional layer of security, similar to our other payment methods.”
Netizens have been quick to comment on the situation, but here’s a quick guide if you ever find yourself in the same position.
What can you do if this happens to you?
Step 1: Immediately call your bank and cancel or freeze your compromised card, to prevent more purchases from being made. If it’s a debit purchase, your bank may be able to get the money back to you, though chances are slim and it may take some time for them to process the returns.
Step 2: If PayPal was involved, get in touch with both PayPal and Lazada about the compromise as soon as possible. You can also file a dispute with PayPal over each fraudulent purchase.
Step 3: You can also check on this website whether your email address has appeared in a known data breach, then change any passwords that were exposed and stop reusing them across sites.
Once you have done this, you have at least reduced the chance of your information being used further, although you may still have lost money on transactions made before you noticed.
Some netizens recommend removing any cards linked to your accounts to make similar cases harder. Be aware that this only stops someone who has your username and password from reaching your money through that account. Card or banking details that have already been stolen are not made safe by it.
Too many of us take it for granted in this age of data breaches and scams, but a weak password really does put your account at risk. A determined attacker can easily find your email address, and if the password behind it is weak, you are putting yourself at risk.
This is especially dangerous if you use the same password for all of your online accounts, as compromising one compromises them all. According to Lazada's statement, that is exactly what happened here: the email and password were taken from another website and then tried on Lazada.
Unfortunately, as the victim pointed out in her own post about the situation, Lazada too has some issues to look at.
Lazada should not allow users to change their email address without first confirming the change with the old address, though to be fair, they are not the only website to do this.
But as one of the biggest e-commerce sites in Malaysia—one that handles money daily—they could have gone against this trend.
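To make the gap concrete, here is an added example (not Lazada's code, and not from Pin Pin's post) of the weak email-change behaviour the article describes beside a hardened flow. The in-memory account store, the 15-minute token lifetime, the `outbox` list standing in for a mailer, and the session-revocation rule are all assumptions made for the demonstration.

```python
"""
Added example: the email-change flaw the article describes, beside a hardened
flow. Nothing here is Lazada's code; the account store, token lifetime and
mail "outbox" are assumptions made for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a confirmation link lives 15 minutes


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the demo self-contained; use argon2/bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token: str) -> str:
    # Only a digest of each emailed token is stored, so a leaked database row
    # does not hand an attacker a working confirmation link.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    sessions: set = field(default_factory=set)   # active session ids
    pending: Optional[dict] = None                # in-flight email change


def new_account(email: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, salt, _hash_password(password, salt))


# The weak form: anyone holding a logged-in session swaps the address at once,
# and the real owner stops receiving order mails and password resets.
def change_email_unverified(acct: Account, new_email: str) -> None:
    acct.email = new_email


# Hardened form, step 1: re-authenticate, then email one token to the OLD
# address (approve) and a different token to the NEW one (prove ownership).
# `outbox` stands in for the mailer; each entry is (recipient, purpose, token).
def request_email_change(acct: Account, new_email: str, current_password: str,
                         now: int, outbox: list) -> bool:
    given = _hash_password(current_password, acct.salt)
    if not hmac.compare_digest(given, acct.password_hash):
        return False                                  # wrong password: no change
    old_token = secrets.token_urlsafe(32)
    new_token = secrets.token_urlsafe(32)
    acct.pending = {
        "new_email": new_email,
        "old_token": _hash_token(old_token), "old_ok": False,
        "new_token": _hash_token(new_token), "new_ok": False,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    outbox.append((acct.email, "approve-change", old_token))
    outbox.append((new_email, "verify-new-address", new_token))
    return True


# Hardened form, step 2: either link lands here. The swap applies only once
# BOTH mailboxes have confirmed; every session except the confirming one is
# then revoked, so a stolen session cannot ride along into the new identity.
def confirm_email_change(acct: Account, token: str, now: int, session_id: str) -> bool:
    p = acct.pending
    if p is None or now > p["expires"]:
        acct.pending = None                           # expired: start over
        return False
    digest = _hash_token(token)
    if hmac.compare_digest(digest, p["old_token"]):
        p["old_ok"] = True
    elif hmac.compare_digest(digest, p["new_token"]):
        p["new_ok"] = True
    else:
        return False                                  # unknown token
    if p["old_ok"] and p["new_ok"]:
        acct.email = p["new_email"]
        acct.pending = None
        acct.sessions = {session_id}
        return True
    return False


# The old address also gets a way to say "this wasn't me": its token cancels.
def cancel_email_change(acct: Account, token: str) -> bool:
    p = acct.pending
    if p and hmac.compare_digest(_hash_token(token), p["old_token"]):
        acct.pending = None
        return True
    return False
```

The point of the two-token design is that a stolen password and session are not enough on their own: the attacker must also read the victim's existing mailbox, and the victim's mailbox receives a link that can cancel the change outright.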
There have also been suggestions for Lazada to adopt two-step authentication for any purchases on their platform, meaning that you have to verify a transaction on your phone first before the transaction can go through.
You probably know this as the TAC or OTP your bank sends you for debit and credit card payments. There are other ways to do it, such as an authenticator app like Google Authenticator.
Amazon and the big cryptocurrency exchanges already use some form of two-step authentication, though some Malaysians might not appreciate having to authenticate twice for the same purchase: once with Lazada and once with their card issuer.
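What an authenticator-app check at checkout actually looks like, as an added example that is not Lazada's code and not from the original post: the RFC 4226/6238 code generation that apps such as Google Authenticator use, wrapped in a purchase-authorisation check. The `PurchaseAuthenticator` wrapper, the one-step clock window and the replay rule are assumptions made for the demonstration.

```python
"""
Added example: an RFC 6238 TOTP check at checkout, the kind of code an
authenticator app produces. Not Lazada's code; the purchase-authorisation
wrapper, clock window and replay rule are assumptions for the demonstration.
"""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic
    truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (usually a QR code)."""
    return base64.b32decode(encoded.strip().replace(" ", "").upper())


@dataclass
class PurchaseAuthenticator:
    secret: bytes
    last_counter: int = -1   # highest time-step already spent on a purchase


def authorize_purchase(auth: PurchaseAuthenticator, code: str, unix_time: int,
                       step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side
    (clock drift), but never a step at or below the last accepted one: a code
    captured from one purchase cannot authorise a second."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= auth.last_counter:
            continue
        if hmac.compare_digest(hotp(auth.secret, counter), code):
            auth.last_counter = counter
            return True
    return False
```

One caveat a practitioner would add: a plain TOTP code proves the phone was present, but it is not tied to the amount or the delivery address. A bank TAC that quotes the amount and payee in the SMS is a step closer to transaction signing; with TOTP the server has to pair the check with its own fraud controls, such as refusing the code for a purchase the user did not see on screen.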
It’s a fine balance between security and customer convenience. At the end of the day, we’d think customers would complain less about having to go through more steps if it means their hard-earned money is safe.
But crucially, we feel that Lazada still had a responsibility to freeze or bar the victim's compromised account once she lodged a complaint with them. They did help her cancel some of the transactions that came up afterwards, but it is notable that the account was allowed to remain active.
With stories of so many breaches these days, not to mention the number of trojans and phishing sites, online shoppers should be particularly careful with their online activities.
Feature Image Credit: Lazada