One of the most telling things about the OCBC phishing scam that has filled news headlines these past couple of weeks is the time it took the bank to finally face up to the issue.
After first having its security head state that its banking systems were secure and that its fraud management software had been running, the bank seemed to go quiet.
Was it thinking the incident would blow over? After all, this was yet another scam, right?
Well, now we know it’s not. After a couple of weeks of pressure from the public, angered at the apparent lack of protection from scams that could easily lure even savvy users, OCBC finally said it would fully reimburse the amounts lost by the victims.
This is good news for those who were scammed, though unsurprisingly, there are experts who now wonder if this has set a precedent that would make cyber criminals keener to target Singapore banks.
While that’s debatable, what’s clear is the urgent need to rethink how to manage the evolving risks that come with sophisticated scams like the OCBC one.
Not only has this episode shaken confidence in digital banking – I know people who had wanted to take money out of OCBC – it has also thrown a spanner in the works for Singapore’s smart nation ambitions.
How digital can you get when you can’t even safeguard your life’s savings?
Perhaps cognizant of this, the monetary authorities finally reacted this week, by calling for tighter controls for digital banking services. However, there needs to be a broad-based change to the way people use and share data in general as well.
Here are four suggestions:
1. Take private personal data seriously
Yes, users share a responsibility with their bank when it comes to keeping out scammers. Besides ignoring dubious links sent over SMS, they have to be more aware of the importance of personal data.
A coordinated attack like the OCBC one does not happen overnight. Before the scam, the attackers may have tried to get hold of the personal details of potential victims from lists sold on the Dark Web.
“It is possible for criminals to target customers of a specific bank more narrowly and precisely, perhaps if they acquire lists of customer contact information from a previous compromise,” said Paul Prudhomme, head of threat intelligence advisory at IntSights, a Rapid7 company, which tracks the Dark Web.
“Such lists can be purchased in underground criminal marketplaces,” he warned, adding that “e-mail addresses and phone numbers may be sufficient contact information for the targeting of such a campaign.”
So, consumers need to be aware of not sharing their personal data on, say, social media apps. Or just any online form that asks for it. Reducing one’s risks is key.
People have to be concerned if their data is stolen, say, during the huge SingHealth data breach back in 2018, because it may be used for future scams. Their data is not “worthless” even though they are not famous people.
2. Reduce some convenient features
In the digital world, convenience and security are often on opposite sides of a scale – you need to balance the two.
This is why the Monetary Authority of Singapore (MAS) has added new restrictions on, say, changes to the digital token, the app set up on a phone to authenticate many banking transactions.
It is possible that the hackers in the OCBC case tricked users into supplying an SMS one-time password to reset the digital token, then set a new one up on their own phones. Once that is done, they can carry out transactions much as if they owned the victim’s account.
So, it is a good thing that MAS is mandating that a change of these tokens should be delayed by at least 12 hours. This means you have more time to stop scam transactions if you spot them.
This has implications, of course. If you buy a new phone, you’d need to wait 12 hours before your new token can be set up to make payments or transfer money out.
Would this be a rule for other software tokens too? Yes, I’m thinking of Singpass, which also uses a software token to authenticate and approve many important transactions with the government and the private sector, including banks.
Banks have gone fully into digital onboarding these days, so it’s not surprising there’s no mandate to move this token onboarding process back over the counter. But that should be an option if further tightening is needed.
3. Phase out SMS one-time passwords
After years of pushing customers to stop using their physical tokens, banks here have paused phasing them out because of the OCBC phishing scam.
That is probably a stop-gap measure, because physical tokens are not only expensive to maintain in the long term, they are also less convenient to carry around than a phone.
What users should transition to are app-based tokens, now that these software tokens are protected by a 12-hour delay.
It’s also time to scrap the use of one-time passwords sent over SMS, which security experts have long said are insecure and prone to theft. Just a few months ago, SMS OTPs were diverted in a separate scam that affected credit card users here.
So, it’s time to at least stop using SMS OTPs for high-risk transactions, like the changing of transfer limits or adding of a new account for transferring money out.
4. Audit banks’ fraud management systems
This is the part that MAS has said it would scrutinise more intensely, but so far it has not set any standards for banks to follow – at least not publicly.
Sure, the threat is always evolving and what works one day may not work the next. That said, the banks cannot just put in “best effort” when it comes to fraud detection.
As the final layer of defence, fraud management is what keeps out the fraudsters who get through despite greater user awareness, the rooting out of fake SMSes, and the hardening of token and login security.
This is where banks have to do better. OCBC needs to explain, for example, how its fraud detection system failed to stop transfers that were both huge in amount and unusual when compared with the account’s historical records.
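As an added illustration of the two controls argued for above, the 12-hour cooling-off period on digital-token changes from suggestion 2 and the history-based check on unusual transfers from this section, here is a small rule set (example code, not OCBC’s or MAS’s actual logic; the thresholds, event names and sample accounts are assumptions):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed thresholds for this illustration; a real bank would tune these.
COOLING_OFF = timedelta(hours=12)          # delay after a digital-token change
HIGH_RISK = {"transfer", "raise_limit", "add_payee"}

@dataclass
class Customer:
    history: list                # past outbound transfer amounts in SGD
    token_enrolled_at: datetime  # when the current digital token was set up

@dataclass
class Decision:
    action: str                  # "allow" or "hold" (for out-of-band review)
    reasons: list = field(default_factory=list)

def assess(cust: Customer, kind: str, amount: float, now: datetime) -> Decision:
    """Evaluate one requested action against the cooling-off and history rules."""
    reasons = []
    # Rule 1: a token set up less than 12 hours ago cannot drive high-risk actions,
    # so a token re-enrolled on someone else's phone is useless until the delay passes.
    if kind in HIGH_RISK and now - cust.token_enrolled_at < COOLING_OFF:
        reasons.append("digital token enrolled less than 12h ago")
    # Rule 2: judge the amount against this customer's own records rather than a
    # flat bank-wide limit: far above the account's largest or typical transfer is unusual.
    if kind == "transfer" and cust.history:
        hi, mu, sd = max(cust.history), mean(cust.history), pstdev(cust.history)
        if amount > 3 * hi or amount > mu + 4 * sd:
            reasons.append(f"amount {amount} is far above history (max {hi})")
    return Decision("hold" if reasons else "allow", reasons)

NOW = datetime(2022, 1, 20, 9, 0)   # fixed clock so the scenario is reproducible

def run_scenario() -> dict:
    """Constructed sample accounts and requests; returns the decision per case."""
    hist = [120, 80, 300, 250, 95, 150]           # modest, regular past transfers
    long_standing = Customer(hist, NOW - timedelta(days=90))
    just_reset = Customer(hist, NOW - timedelta(hours=2))
    return {
        "routine": assess(long_standing, "transfer", 200, NOW),
        "unusual_amount": assess(long_standing, "transfer", 600, NOW),
        "fresh_token_payee": assess(just_reset, "add_payee", 0, NOW),
        "fresh_token_large": assess(just_reset, "transfer", 5000, NOW),
    }

if __name__ == "__main__":
    for name, d in run_scenario().items():
        print(f"{name:20s} {d.action:5s} {'; '.join(d.reasons)}")
```

A "hold" here means the transaction waits for confirmation through a channel other than the possibly compromised phone, which is the kind of guarantee customers can reasonably expect a fraud system to provide.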
Banks should no longer say that their cyber perimeters are not breached, thus all the liability is on a victim. This goes against what cybersecurity is about today – you defend not just the borders of your castle but also what gets inside.
MAS has to find a way to scrutinise banks’ fraud management systems with an independent, common industry standard that is robust yet fair. Ultimately, banks have to share the risk more evenly with customers.
MAS may not wish to publish everything it finds, because you don’t want to give hackers a head start on what defences or vulnerabilities you have.
However, there should be at least broad guarantees on what types of suspicious transactions customers can reasonably expect to be blocked. And when things don’t work as expected, customers should get an answer why.
Nothing is 100 per cent, to be sure. Even with security guards, banks do get robbed, though that’s a rarity in low-crime Singapore.
By the same analogy, banks need to extend their security and awareness beyond just gun-toting criminals.
Scammers coming in and drawing out large amounts of cash in a hurry should raise suspicions at a bank that promises to take care of the money entrusted to it. It’s reasonable to expect banks to stop these scams.