Eight Toss accounts see fraudulent transactions

Toss [YONHAP]

Fraudulent transactions were made through Toss, Korea’s popular money transfer service, raising trust issues for a fintech company with more than 17 million subscribers in the country.

A total of 9.38 million won ($7,800) was wrongly moved from eight users' accounts on June 3 by three websites including a U.S.-based game giant, Blizzard.

Viva Republica, parent company of Toss, said identity theft was behind the unauthorized transactions, not hacking.

“Even if the Toss system is hacked, it is impossible for it to lead to transactions because the system’s database doesn’t save users’ passwords,” a Toss spokesman said Tuesday.

“It seems like users’ personal information was leaked elsewhere.”

The company said that it immediately suspended four of the eight victims' accounts when they filed complaints on June 3.

One customer saw four unauthorized transactions from a website she has never used, each for approximately 500,000 won.

In the process of investigating the issue, Toss found there were four similar cases, and it suspended those accounts and notified the users.

All fraudulent transactions were refunded a day later on June 4.

The fraudulent transactions were made on Toss's website, not through its mobile app. Webpage transactions account for merely 5 percent of the transactions by Toss customers, or 1 percent if measured in transaction value.

Website payments require input of a user’s personal data including name, phone number and birthday and a five-digit Toss password comprised of four numbers and one letter.

There is no additional authentication required, such as input of a verification code sent to a user’s mobile phone, which is why app-based transactions are considered more secure.

Toss said it stopped webpage transactions for the three websites involved.

The company said it will cooperate with police to track down the perpetrator and find out how users' personal information got leaked.

Toss was developed by unicorn start-up Viva Republica and has been a big success. It has more than 17 million users and has transferred a total of 90 trillion won since its launch in 2015 through last month. Toss was planning to expand its finance business by launching a brokerage service this year and an online bank next year.

Viva Republica CEO Lee Seung-gun recently revealed a plan to go for an initial public offering within the next two to three years.

“Although it happened because of misuse of users’ personal data, Toss will fortify its systems looking for abnormal transactions so that no fraud can take place on the platform,” the company said in a statement.

BY JIN EUN-SOO [jin.eunsoo@joongang.co.kr]