Last updated Feb 18, 2023
As the digital wallet market leader, GCash has put a number of security features into practice. Being the market leader also means it is assailed on all fronts daily as the volume of transactions steadily increases. I’ve listed these features here and will update this list as new features are released.
One-Time Password (OTP)
One-Time Passwords are usually sent via SMS and are used for registering, linking accounts, cashing out, paying online via webpay, and forgot-password functions. Some services use an OTP sent via email instead. Please do not share OTPs at any time. No one should ask you for your OTP.
As GCash has grown, the volume of SMS notifications has ballooned and has become a source of downtime, since GCash outsources SMS services to third parties. SMS has also been another source of fraud, as a lot of scammers try to phish users by spoofing the “GCash” label in SMS messages.
To counteract this, GCash has steadily migrated some of the notifications to the user’s Inbox and email, starting with Pay Bills. Now, a lot of notifications to the user have also been transferred to the Inbox, including Send Money and Bank Transfer.
Notifications to the recipient are currently still sent by SMS.
Masking of Recipient Names
This feature was a direct result of an increase in spammers and scammers using the name-lookup tools in GCash and in Viber in 2022. Both have implemented this to counteract these spammers. The increase in spammers has also resulted in the government pushing through with the SIM Registration Act in 2022.
Double Authentication (Double Safe)
This feature was rolled out in early 2023, and it lessens the chance of account takeover. Basically, when you link your account to a new phone signature, GCash asks not only for the normal OTP and MPIN but also for a selfie, to check whether the actual user is the one linking the account to the phone.
What is Double Authentication?
Double Authentication is a security feature in GCash that prevents account takeovers by getting your selfie and comparing it with the selfie you provided during verification.
This is a result of a glut of scams perpetrated on social media and over SMS. Alongside the masking feature for Send Money, this heightens account security for all users moving forward.
This facial recognition only triggers when you log in from a phone different from the one you used previously. If the recognition fails 5 times, you will not be able to access your account. You will need to file a ticket with Help Support to prove your identity.
This step takes place between entering the OTP and entering the MPIN during the changing-number step.
What is Face Verify?
This feature was also rolled out in conjunction with Double Safe. Basically, when you trigger an MPIN reset, it now asks for your selfie and an OTP instead of account recovery questions.
Your Account Recovery questions are still saved in your account, in case additional verification is needed.
GCash Card Lock/Deactivate
This feature allows a user to disable or unlink their GCash card from within the app. This gives the user control of the card and prevents transactions when a card is lost.
Another security feature is that the GCash Card PIN is different from the MPIN used in the app.
Biometrics Login lets the user log in to GCash by showing their face (through Face ID) or by scanning their fingerprint. This speeds up login and also keeps the MPIN hidden from onlookers, which is useful if you regularly use your GCash app in public.
Customer Protect is not really a security feature, but more of a guarantee. The user will not be liable for any unauthorized transactions using their account. It also ensures that all concerns regarding the dispute will be resolved within 5 days. An unauthorized transaction is one that the user did not consent to; this does not include cases where users deliberately shared their MPIN and OTP.
Transaction Security in QR Payments
A QR payment carries no Personally Identifiable Information (PII) in either the encoded QR data or the transaction footprint itself. Even the merchant processing the payment would not have any user data, even after settlement.
Another way to avoid giving out your number for Send Money is Personal QR, since sending through a QR code does not require knowing the recipient’s account number. This QR code is also compatible with QR PH, meaning any other financial app with QR PH support can send money to your account.