14/04/2026
TUESDAY | APR 14, 2026
Back-end verification seen as safer than OTPs

Institutions and digital platforms moving away from texted codes, which could be intercepted, hijacked or abused

BY FAIZ RUZMAN newsdesk@thesundaily.com

PETALING JAYA: What if the six-digit code meant to protect your bank transfer or social media logins has quietly become the easiest part for a scammer to steal?

Cybersecurity practitioners said app programming interface (API)-led verification, also known as back-end verification, is increasingly being seen as a stronger alternative to the SMS one-time password (OTP).

This movement has surfaced as institutions and digital platforms move away from texted codes that could be intercepted, hijacked or abused.

Malaysia Cyber Consumer Association president Sirajuddin Jalil said the newer method is technically safer than SMS OTP, but added that it should not be mistaken for a risk-free fix.

Back-end verification refers to identity checks carried out quietly between a platform and a service provider’s system, instead of through a code sent to the user’s phone.

In simple terms, rather than waiting for a text message and manually entering a six-digit code, the system checks in the background whether the request is coming from the right device or app environment.

“In a nutshell, back-end verification is technically safer than SMS OTP. But it is not zero threat. It still carries risks, and in some cases the risks can be significant.

“It could become a single point of failure. If the system is compromised or goes down, the impact could be much greater because everything depends on that one verification mechanism,” he noted.

He said the same principle could also be seen in systems such as MyDigital ID, in which verification is tied more closely to the app and the user’s device instead of an open messaging channel.

Sirajuddin said MyDigital ID has to be installed on a user’s phone and linked to that device, meaning it would need to be set up again if the phone was lost or changed because the verification process was tied to the device itself.

“One example is banking apps in which, instead of receiving an OTP, a user gets a prompt in the app to approve or reject a transaction. That is a form of API-led verification,” he explained.

“The verification happens within the app environment, rather than through a message that could be intercepted.”

However, he said any model that centralises too much verification in one place could create wider consequences if it fails, especially when multiple services come to depend on a single identity layer.

Using MyDigital ID as an example, he said any system positioned as a central verifier would need fallback arrangements, strong maintenance and close cybersecurity oversight to ensure continuity in case disruptions occur.

“SMS OTP and API-led verification are different methods, but they serve the same use case. Both are cybersecurity functions utilised to verify users.

“The migration from SMS OTP to API-led verification is not new and has been discussed for years. Even Bank Negara Malaysia has encouraged banks to move away from SMS OTP towards stronger verification methods.”

He said among the ways in which disruptions could happen are malware hidden in Android app package files, which are app installation files that could infect a device and are often downloaded through suspicious links or malicious websites.

He said another risk involves fake mobile network signals, in which a phone may be tricked into connecting to an unauthorised signal such as WiFi hotspots instead of a legitimate one, creating an opening for messages to be intercepted.

“The exploitation of SMS OTP has been happening for a long time. Even five or six years ago, many tools were being sold on the dark web and used by hackers to exploit users.

“When SMS OTP is used as a verification method, the message itself becomes the key. Attackers only need that final code to complete a transaction.”

Sirajuddin said among the ways in which disruptions could happen are malware hidden in Android app package files, which are app installation files that could infect a device and are often downloaded through suspicious links or malicious websites. – ADIB RAWI YAHYA/THESUN

‘SMS never designed for security purposes’

PETALING JAYA: The SMS one-time password (OTP), long used as a quick security step for logins and transactions, is increasingly being seen by cybersecurity experts as too weak for high-risk digital use.

Universiti Malaysia Pahang Al-Sultan Abdullah Computer Networks and Cyber Security Department head Dr Syifak Izhar Hisham said SMS operates as an open communications protocol rather than a purpose-built security system.

“SMS was actually never designed for security purposes. It is an open communication protocol.

“Scammers are no longer just asking victims for the code. They are now using more sophisticated methods, including malware hidden in fake apps that can read the contents of SMS messages and send them directly to the scammer’s server without the victim realising it.”

She said another weakness lies in Signaling System No. 7 (SS7), the global telecom signalling protocol used to route calls and messages.

She explained that in layman’s terms, SS7 is an older network system created before modern encryption standards became the norm, making it vulnerable to abuse if an attacker gains the right access.

In such cases, incoming messages may be monitored or intercepted without the user realising it.

She also said this is why stronger alternatives are gaining attention, especially methods that do not send a visible code to the user.

Syifak added that in the case of background or back-end verification, no code is transmitted through the air for the user to read and type in. Instead, the platform and telco system quietly check whether the device and SIM details match what is expected.

She said such systems reduce the “human-in-the-loop” problem, in which users can be tricked into handing over a code that was meant to protect them.

Universiti Malaya Centre of Research for Cybersecurity and Network specialist Prof Dr Ainuddin Wahid Abdul Wahab said the continued move away from SMS OTP reflects a broader recognition that the method is no longer strong enough on its own.

He likened SMS OTP to sending a secret through a postcard rather than a sealed envelope.

“If the old system was still safe enough, major banks and financial institutions would not be spending large sums to replace it.

“SMS was originally created to send short messages, not to become the main shield for accounts holding thousands of ringgit or highly sensitive personal data.”

Ainuddin said safer options now being prioritised include passkeys using fingerprint or facial recognition, app-based authenticators, and silent or background verification tied more closely to the user’s own device.

He said the shift does not mean SMS OTP will disappear overnight, but for sensitive logins, password resets and high-value transactions, experts are treating it as an ageing security layer that should no longer carry the full burden. – By Faiz Ruzman

New fungus species discovered in Sabah

LAHAD DATU: A team of researchers from Universiti Malaysia Sabah created history in the world of science when they discovered a new horn-shaped fungus species in the Danum Valley Conservation Area here recently.

The new species, named Pleurocordyceps cornusynnemata, has been confirmed as the first of its kind globally after publication in international taxonomy journal Phytotaxa.

University Institute for Tropical Biology and Conservation Assoc Prof Dr Jaya Seelan Sathiya Seelan said the fungus is distinguished by its horn-like structure, setting it apart from 26 other Pleurocordyceps species previously recorded in China, Thailand and Japan.

“In the study, our team also recorded two other fungi, namely Pleurocordyceps aurantiaca and Pleurocordyceps nipponica, recorded in Malaysia for the first time.”

The research team was led by Jaya Seelan, in collaboration with PhD candidate Muhammad Shahbaz, Master’s student Firdza Zulkarnain Mohadden and citizen scientist Elyse Yang, in addition to Universiti Tun Hussein Onn Malaysia researcher Dr Yap Jing Wei and student Jeremiah Sia Yiao Rong.

The fungus specimens have been stored at the institute’s Borneensis Gallery storage centre as a scientific reference for the future.

University vice-chancellor Prof Datuk Dr Kasim Mansor said the discovery demonstrated the ability of local scientists in leading high-impact research at an international level.

He added that the success was also in line with the university’s aspirations under its “Brain of Borneo” vision in empowering the exploration and conservation of Sabah’s biodiversity treasures.

Institute director Assoc Prof Dr Fiffy Hanisdah Saikim described the achievement as the result of developing young researcher talent, as well as proof that Sabah’s tropical rainforest is still rich in species that have not been fully explored.

The study received support from the UMSGreat grant and cooperation from the Sabah Forestry Department and Yayasan Sabah under the 12th Malaysia Plan project. – Bernama

RM50 quit rent for non-Muslim property

GEORGE TOWN: Non-Muslim houses of worship, cemeteries, charitable bodies and non-profit organisations in Penang will be eligible for a nominal quit rent rate of RM50 per lot following the latest revision.

Chief Minister Chow Kon Yeow said the initiative is part of improvements made by the state government to the quit rent mechanism for landowners affected by the quit rent rate review this year.

“We have previously announced several measures, including rebates, a new calculation method and land reclassification, after taking into account nearly all scenarios.

“These announcements must continue to be communicated to ensure associations and landowners fully understand the initiatives introduced,” he said at a briefing and press conference on the adjustment of nominal quit rent rates for such entities here on Sunday.

Citing examples in the northeast and southwest districts, Chow said several houses of worship, cemeteries and association premises that were previously subjected to high quit rent of up to hundreds of thousands of ringgit will now only be required to pay the nominal RM50 rate following the revision.

“For instance, Lot 57 of the United Hokkien Cemetery in the northeast district was previously charged RM735,682, but following the adjustment, it is now subject to only RM50. Likewise, Lot 58, which was previously charged RM111,709, is now also eligible for the RM50 nominal rate.” – Bernama