Last updated May 24, 2023
GCash, as the digital wallet market leader, has a number of security features in place. Being the market leader also means it is assailed on all fronts daily as transaction volume steadily increases. I’ve listed these features here and will update this list as new features are released.
One-Time Password (OTP)
One-Time Passwords are usually sent via SMS and are used for registering, linking accounts, cashing out, paying online via web pay, and forgot-password functions. Some services send the OTP via email instead. Never share an OTP at any time; no one should ever ask you for your OTP.
Some malicious apps can read your SMS inbox, take the OTP from there, and use it to hijack your GCash account.
Services that use OTP include switching GCash accounts, creating accounts (GSave, for example), withdrawing funds, sending money (large amounts), and linking accounts (such as GCash Cards and PayPal).
As GCash grows, the volume of SMS notifications has become bloated and has itself become a source of downtime, since GCash outsources SMS delivery to third parties. It has also become another source of fraud, as many scammers phish users by spoofing the “GCash” sender label in SMS messages.
To counteract this, GCash has steadily migrated some notifications to the in-app Inbox and email, starting with Pay Bills. Many notifications to the user have now been moved to the Inbox, including Send Money and Bank Transfer.
Notifications to the recipient of Send Money are still being sent by SMS.
Masking of Recipient Names
This feature was a direct response to the rise in spammers and scammers abusing the name-lookup tools in GCash and in Viber in 2022; both apps implemented masking to counteract them. The increase in spammers also led the government to push through the SIM Registration Act in 2022.
Double Authentication (Double Safe)
This feature was rolled out in early 2023 and reduces the chance of account takeover. When you link your account to a new phone signature, GCash asks not only for the usual OTP and MPIN but also for a selfie, to check that the actual account owner is the one linking the account to that phone.
What is Double Authentication?
Double Authentication is a security feature in GCash that prevents account takeovers by getting your selfie and comparing it with the selfie you provided during verification.
This is a result of a glut of scams perpetrated over social media and SMS. Alongside the masking feature for Send Money, this heightens account security for all users moving forward.
This facial recognition only triggers when you log in from a phone other than the one you have used previously. If recognition fails 5 times, you will be locked out of your account and will need to file a ticket with Help Support to prove your identity.
This step sits between the OTP input and the MPIN input during the change-number step.
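To make the ordering of the steps and the lockout rule concrete, here is a small Python model of the Double Safe step-up flow described above. It is an added illustration, not GCash code; the device signature, the selfie match and the OTP result are stand-in values I assume (the real system compares face templates, not strings).

```python
# Hypothetical model of the Double Safe step-up flow; added illustration, not GCash code.
from dataclasses import dataclass
from typing import Optional

MAX_FACE_FAILURES = 5  # page: after 5 failed recognitions, access is blocked


@dataclass
class Account:
    trusted_device: str      # signature of the phone the account is currently bound to
    mpin: str
    enrolled_selfie: str     # stand-in for the face template captured at verification
    face_failures: int = 0
    locked: bool = False     # locked accounts need a Help Support ticket to recover


@dataclass
class LoginAttempt:
    device: str
    otp_ok: bool             # whether the SMS OTP entered matched (assumed checked elsewhere)
    selfie: Optional[str]    # face captured on this login, None if not yet captured
    mpin: str


def authenticate(acct: Account, attempt: LoginAttempt) -> str:
    """Return 'ok', 'denied', 'locked', or 'selfie_required' for the next step."""
    if acct.locked:
        return "locked"
    if attempt.device == acct.trusted_device:
        # Known phone: the normal MPIN (or biometrics) login, no step-up.
        return "ok" if attempt.mpin == acct.mpin else "denied"
    # New phone: OTP first, then selfie (Double Safe), then MPIN.
    if not attempt.otp_ok:
        return "denied"
    if attempt.selfie is None:
        return "selfie_required"
    if attempt.selfie != acct.enrolled_selfie:
        acct.face_failures += 1
        if acct.face_failures >= MAX_FACE_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"
    if attempt.mpin != acct.mpin:
        return "denied"
    # All three factors passed: bind the new phone and reset the failure counter.
    acct.trusted_device = attempt.device
    acct.face_failures = 0
    return "ok"
```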
What is Face Verify?
This feature was rolled out together with Double Safe. When you trigger an MPIN reset, instead of asking your account recovery questions, it now asks for your selfie and an OTP.
Your account recovery questions are still saved in your account for cases where additional verification is needed.
GCash Card Lock/Deactivate
This feature allows users to disable or unlink their GCash Card from within the app, giving them control over the card and preventing transactions when it is lost.
Another security feature is that the GCash Card PIN is separate from the MPIN used in the app.
Biometrics Login
Biometrics Login lets the user log in to GCash by showing their face (through Face ID) or by scanning a fingerprint. This speeds up login and also avoids exposing the MPIN, which is useful if you use the GCash app regularly in public.
Customer Protect
Customer Protect is not really a security feature but more of a guarantee: the user will not be liable for any unauthorized transactions on their account, and all concerns regarding a dispute will be resolved within 5 days. Unauthorized transactions are those the user did not consent to; this does not include cases where users deliberately shared their MPIN and OTP.
Transaction Security in QR Payments
A QR payment carries no Personally Identifiable Information (PII), either in the encoded QR data or in the transaction footprint itself. Even the merchant processing the payment does not receive any user data, even after settlement.
Another way to avoid giving out your number for Send Money is your Personal QR, since sending through a QR code does not require the sender to know the recipient’s account number. This QR code is also compatible with QR PH, meaning any other financial app with QR PH support can send money to your account.