‘Viva Republica’ Sustained Hacking Incident on the ‘Toss’ Payment Platform

• A Korean electronic payments service has had an account takeover and fraudulent transaction event.
• Hackers carried out eight transactions on three online retailers, totaling $79,000.
• The actors had valid PII of actual ‘Toss’ users, which the firm claims were sourced from elsewhere.

‘Viva Republica,’ the owner and operator of the ‘Toss’ money transfer platform, has announced a security incident. More specifically, the company has detected a total of eight unauthorized purchases carried out by hackers who used the PII (personally identifiable information) of legitimate clients. The actors managed to make acquisitions worth approximately $79,000, charging the rightful owners with the amount on June 3, 2020. The platform has detected the fraudulent nature of the transactions and proceeded to refund its clients as there could be no reversion. Although noteworthy, the amount wasn’t anything catastrophically large, but the problem lies elsewhere anyway.

The hackers used the real names of legitimate ‘Toss’ users, and also their phone numbers, their birth dates, and they even knew their PINs. ‘Viva Republica’ stated that there’s no way that this information was leaked by the company, as there have been no security breaches on their systems. The ‘Toss’ platform does not store this type of data on its servers, so it claims that the actors sourced it from somewhere else. Already, they have informed the law enforcement authorities of all the technical details, and they are cooperating to get to the bottom of the matter.

In addition to the above, ‘Viva Republica’ stated that although they did nothing wrong, they are still planning to upgrade the security on the ‘Toss’ platform, essentially blocking any account compromise attacks launched by hackers who are using stolen personal data in the future. No matter whether the payments company is being entirely honest or not, the incident has caused a stir in South Korea, where people use it extensively. ‘Viva Republica’ was launched as a promising startup in 2011, after a record-breaking funding of $261 million, and an estimated valuation of over two billion USD that earned the firm the “unicorn” status.

Now, and with the COVID-19 situation pushing people towards electronic, contactless payments, the popularity of ‘Toss’ exploded. Until recently, Toss was serving 13 million users and had processed over $10 billion in P2P payments. The news of fraudulent transactions hitting the platform is certainly coming as a warning to its users that nothing is utterly safe. One breach or a single leak on an online platform may have grave consequences elsewhere, so you cannot afford to take the data’s security lightly, no matter how insignificant an online service may be.