Recent unauthorized payments on money transfer platform Toss are stoking concerns about the safety of payment solutions in general and online financial services available in South Korea.

Online purchases worth 9.38 million ($7,770) were made on websites without permission of Toss account holders earlier this month using their personal data. Although initial inspections by the financial authority showed that users’ personal data were not compromised via the fintech platform itself, the incident shed light on the security of similar services, including those run by online platform operators Naver, Kakao, and NHN.

“After the incident, I realized that any smartphone user can fall victim to such unauthorized transactions without knowing it,” said a 30-year-old fintech service user, adding “I may have to be more cautious when using mobile financial services for a while.”

Although the personal data used was not stolen through Toss, Viva Republica has taken significant flak due to the unauthorized transactions. The Toss platform, which focuses on convenience, only requires a user’s personal identification number when verifying the account owner before processing online payments.

Users of some other payment services, on the other hand, have to go through one or more additional steps for authentication. Viva Republica said that it has added additional security measures for verifying account holders since the online theft case, and that is fully cooperating with the police and financial authorities to find who illegally gained the personal data.

"The problematic payments were an unusual case that took place at just a few websites, and it has already beefed up all of its systems with more layers of user verification" an official from the fintech startup said.

Personal data can be leaked through different ways, including via access to compromised Wi-Fi networks and downloads of programs that contain malicious code, according to experts.

“The thing is, it is hard to track down who illegally gained access to the personal data,” an official from the data security sector said.

Unauthorized transactions are also a headache for many global payment services such as PayPal. Although the exact statistics are not available, hackers who have illegally obtained user data make payments via such payment services.

Local fintech services providers have been paying keen attention to the latest case of unauthorized payments on Toss.

Naver and NHN, respectively, run mobile payment services N Pay and Payco while Kakao owns its own fintech solution Kakao Pay. E-commerce giants Shinsegae and Lotte operate payment services of their own.

“Kakao Pay has long maintained data protection policies, such as tokenization of personal data and strict limits on access to personal information,” said an official from the subsidiary of mobile messenger firm Kakao.

NHN also said that it was taking extra precautions in the entire payment process and monitoring and analyzing the latest hacking attempts.

The Financial Supervisory Service has hinted that it would review the security systems of some 40 payment services in the nation, if necessary.

By Kim Young-won (wone0102@heraldcorp.com)