10 Starbucks Gift Cards Not Paid by Consumers Purchased and Sent via SSG Pay
SSG Pay Says "Not Hacking...Random Input Using Exposed Personal Information"
Financial Industry Calls It "Predictable Outcome...Authorities Neglect Fintech Security While Promoting New Industries"
[Asia Economy Reporter Wondara] There have been consecutive incidents of cash being stolen and paid without user approval on SSG Pay, the simple payment service of Shinsegae Group, prompting consumers to exercise caution.
According to SSG.com on the 8th, it has been confirmed that two cases of identity theft involving consumers using SSG Pay were recently reported to the SSG.com customer center. The cases involved more than 50 Starbucks coupons being sent to a specific number without the consumers making the payments.
Mr. A received a message on the 5th stating, "An SMS necessary for exchanging the ordered product was sent to 84** and 9 others." The total payment amount was 500,000 KRW. Initially suspecting voice phishing, Mr. A checked his SSG Pay usage history just in case and confirmed that the payment had indeed been made. However, the SSG Pay customer center only responded, "We can only accept the case after receiving a police investigation cooperation letter." The only answer he got from the payment agency’s customer center was that "there are 70 such cases, so it is difficult to track."
Earlier, on the 4th, Mr. B experienced the same issue. After receiving a message that 500,000 KRW had been charged to his SSG Pay, he inquired at the SSG customer center and tried to report it to the police. However, the police said evidence was needed and told him to "obtain the IP address used at the time of payment." The SSG customer center repeatedly said they could not provide it due to personal information protection. He also asked the card company, but they said it was under SSG Pay’s jurisdiction. Mr. A expressed frustration, saying, "The fact that such incidents occurred even the day after Mr. B reported this to the customer center means SSG Pay took no action."
This is not the first payment incident involving SSG Pay. In September last year, there were 1,000 cases where payments were made with cards different from those registered by users. At that time, SSG Pay explained, "It was only a data misconnection during the process of transmitting payment information from SSG.com to SSG Pay and unrelated to hacking or personal information leakage." Regarding the recent identity theft cases, SSG Pay stated, "It is not a systemic hacking but confirmed to be credential stuffing, where exposed personal information from other sites is randomly tried until one succeeds." They added, "We have reported to the Financial Supervisory Service. Discussions on compensation measures are underway, and we will establish enhanced security measures."
The financial industry views this as a predictable outcome. Although fintech companies like SSG Pay are entering the financial sector, security verification is relatively lax, overshadowed by the government’s new industry promotion policies. An industry insider said, "It is unreasonable to assume IT-based companies are always weak in security, but since these are new business types, most companies do not even have manuals when incidents occur." Currently, only Kakao Pay and Toss among domestic payment companies have pre-compensation systems in place for identity theft damages.
A Financial Supervisory Service official in charge of simple payment regulations said, "If we comment on this matter, it would mean acknowledging the incident, so we cannot say anything," but added, "Due to frequent accidents involving simple payment companies, we sent guidance letters last year to strengthen identity verification procedures."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
