3 key questions in the wake of OCBC phishing scam
There has been much commentary in the wake of a series of sophisticated scams that tricked 790 OCBC customers out of more than S$13 million.
Some people blame the bank and are all too willing to call for full compensation to be made to the victims. Others blame the victims for being gullible and not taking proper care.
There have been calls for the Government to intervene in various forms. Last month, OCBC said it would voluntarily reimburse all the scam victims.
There are three separate questions we need to ask in order to move forward.
First, prevention: What can be done to prevent people from falling victim to such scams and who should be doing it?
Second, accountability: Who should be held accountable when a scam occurs and how can victims vindicate their rights?
Third, loss allocation: In situations where no one is at fault, besides the scammers, who should bear the loss?
There are two broad categories of measures that we can take to help people avoid falling prey to scams: Technological and behavioural.
First, we could start by getting rid of one-time passwords (OTPs) delivered by Short Message Service (SMS).
Use authenticator apps instead, as Microsoft and Google do. An app generates the code on the device itself from a secret shared at enrolment and the current time, so the telephone network is taken out of the loop: there is no SMS for scammers to intercept, and no genuine OTP thread for a message with a spoofed sender ID to slip into. The caveat is that a code read off the app and typed into a fake website is just as useful to the scammer as one read from an SMS; the gain is against interception and spoofing of the delivery channel, not against a victim being talked into handing the code over.
Secondly, more secure identity verification measures could be put in place. For example, biometric verification of the account holder’s identity when executing transactions, such as facial or fingerprint verification.
SingPass, the Government’s secure online identity system, allows users to log in using facial recognition.
OCBC has since July 2020 already had the option for users to log in to its digital banking services using SingPass.
In fact, it may make sense for all banks to integrate with SingPass, such that transactions can only be authorised using an official government-verified digital identity.
This would remove the two weakest links that the scam exploited: a password that can be phished, and an OTP the victim can be talked into handing over.
Utilising government digital infrastructure may also be more secure, because if each bank sets up its own repository of biometric data to facilitate biometric access, that opens the banks up to all sorts of data privacy complications and further possible cyber attacks.
Third, both banks and customers could make use of automated fraud detection tools.
For example, GovTech’s Open Government Products team has created an app called ScamShield for the public that is supposed to help block suspicious calls and messages.
Banks also usually have their own internal fraud detection tools — for example, automatic freezing of an account that has a certain number of suspicious transactions within a defined time period.
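The freeze rule described above is a velocity check: count transactions that trip some suspicion heuristic and act once the count inside a sliding window reaches a threshold. The following is an added example written for this article, not any bank's actual logic; the heuristic (a large transfer to a payee added within the last day), the threshold of three hits in thirty minutes, and the transfer records are all constructed for illustration.

```python
"""Sliding-window velocity rule, as an added illustration of an automatic freeze."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Transfer:
    when: datetime
    amount: int          # SGD, whole dollars, for simplicity
    payee: str
    new_payee: bool      # assumption: payee was added to the account within the last 24 hours


def is_suspicious(t: Transfer, large_amount: int = 5000) -> bool:
    """Illustrative heuristic: a large transfer to a freshly added payee."""
    return t.new_payee and t.amount >= large_amount


def first_freeze(transfers: Iterable[Transfer], max_hits: int = 3,
                 window: timedelta = timedelta(minutes=30)) -> Optional[Transfer]:
    """Return the transfer at which the account would be frozen, or None.

    Keeps the timestamps of suspicious transfers in a deque, evicts those
    older than `window` relative to the newest hit, and freezes when the
    deque still holds `max_hits` entries.
    """
    hits: deque = deque()
    for t in sorted(transfers, key=lambda x: x.when):
        if not is_suspicious(t):
            continue
        hits.append(t.when)
        while hits and t.when - hits[0] > window:
            hits.popleft()
        if len(hits) >= max_hits:
            return t
    return None


# Constructed sample: an ordinary day, then a burst of large transfers to new payees.
BURST_TRANSFERS = [
    Transfer(datetime(2022, 1, 10, 9, 15), 5, "Cafe", False),
    Transfer(datetime(2022, 1, 10, 13, 2), 8000, "Landlord", False),   # large but known payee
    Transfer(datetime(2022, 1, 11, 2, 30), 6000, "Payee-A", True),      # hit 1
    Transfer(datetime(2022, 1, 11, 2, 36), 7500, "Payee-B", True),      # hit 2
    Transfer(datetime(2022, 1, 11, 2, 41), 9000, "Payee-C", True),      # hit 3 -> freeze
    Transfer(datetime(2022, 1, 11, 2, 50), 9500, "Payee-D", True),
]

# Constructed sample: the same kind of transfers, but spaced more than a window apart.
SPREAD_TRANSFERS = [
    Transfer(datetime(2022, 1, 11, 2, 30), 6000, "Payee-A", True),
    Transfer(datetime(2022, 1, 11, 3, 10), 7500, "Payee-B", True),
    Transfer(datetime(2022, 1, 11, 3, 50), 9000, "Payee-C", True),
]


if __name__ == "__main__":
    for name, sample in (("burst", BURST_TRANSFERS), ("spread", SPREAD_TRANSFERS)):
        hit = first_freeze(sample)
        print(name, "->", "freeze at " + hit.when.isoformat() if hit else "no freeze")
```

The spread sample shows the trade-off the article raises next: widening the window or lowering the threshold catches that case too, but also freezes a customer who genuinely pays three new contractors in an afternoon, which is the friction cost of the rule.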
The downside is that automated bank protection measures may end up making things more frustrating for bank customers, who will be subject to more friction. This can sometimes be counterproductive.
For example, asking customers to create too many passwords or security codes often results in them being overwhelmed and choosing simple ones which are easy to hack — the most common passwords in the world are “password” and “1234” for a reason.
The problem with technology is that it is an arms race between the attackers and the defenders, and the race is asymmetric.
The defenders need to succeed 100 per cent of the time whereas the attacker only needs to get through once to cause catastrophic losses.
No defensive technology is foolproof. Facial recognition, for example, could be defeated by deepfake technology that lets an attacker simulate the victim's face, or more simply by the attacker tricking the victim into supplying an image of their own face.
Behavioural measures must therefore be implemented to address human weaknesses.
There are already a plethora of avenues for scam education: The police website, the National Crime Prevention Council website, ScamAlert.sg and more. The banks also regularly send scam updates via email or through their apps.
The problem is information overload. Many people may simply dismiss these messages without paying attention.
Perhaps the solution is to deploy designers together with behavioural experts to come up with some clever ways to get people to pay attention.
Better visual design, such that scam alerts are less wordy, more eye-catching and easier to absorb at a glance, is one possibility.
Another possibility is gamification, where the information is conveyed in the form of an interactive activity, which is more fun and engaging for the audience than reading static text.
Education should also go beyond merely telling people about scams and asking them not to share passwords. People will not respond when the content is too unrelatable — especially for elderly folks and those who are not tech savvy.
Simple, understandable tips could be used instead — for example, people could be encouraged to split their savings among multiple bank accounts, such that even if one account is compromised it does not result in the loss of their entire life savings.
We need to go upstream and begin inoculating our population against digital crime by increasing digital literacy from an early age.
Perhaps all schools should teach cybersecurity skills as part of their existing digital literacy curriculum.
A basic level can be taught starting primary school, since children now are exposed to the internet early, and progressively more sophisticated versions can be taught at secondary and tertiary levels.
These modules should be regularly updated with the latest scams and cyber threats.
WHO IS ACCOUNTABLE?
When scams succeed, it is important that victims have effective recourse.
The scammers are unlikely to be caught or even identified as they mostly operate from overseas.
The question is whether the victims will have recourse against the bank. There are two important dimensions to this.
First, how will the victims even know if the bank is at fault?
Government intervention might be appropriate here — for example, regulators could mandate that banks disclose the results of any investigation to the public so that the victims can assess whether they have a viable claim against the bank.
The reports may need to be appropriately redacted in order to comply with banking secrecy laws and also to prevent inadvertent disclosure of anti-fraud techniques, which might actually help scammers in future.
Knowing that they have an obligation to disclose such information may also act as an incentive for banks to keep their security systems and processes up to snuff.
Secondly, if a victim does have a viable legal claim against a bank, there should be a quick and affordable way for them to vindicate their rights.
This is all the more urgent in cases where the victims have lost their entire life savings — they cannot afford the time and money of the normal civil court process, which might take years and cost more in legal fees than what is recovered.
Currently, victims can seek mediation or adjudication of certain types of disputes through the Financial Industry Disputes Resolution Centre (Fidrec), an independent alternative dispute resolution body. However, Fidrec’s jurisdiction is limited to certain types of disputes and capped at S$100,000 per claim for adjudication, and it is not a court.
The Government will need to assess whether this is sufficient, or whether more robust measures, such as a dedicated tribunal for scam-related cases, might be necessary.
HOW TO ALLOCATE LOSSES?
In some instances, no one beyond the scammers will be at fault. The question then is which innocent party, the victims or the banks, will bear the loss.
It is not fair to call on the banks to make restitution to the victims every time a scam happens. It is easy to call for banks to bear the loss since they are large, rich and impersonal.
But we must remember that banks are businesses with employees and shareholders.
Consistently forcing banks to bear the loss indirectly punishes innocent employees and shareholders. It is also unjust, since the bank may have done all it could to stop the scams.
The Monetary Authority of Singapore has announced it will soon share details of a framework that will allocate losses between victims and banks.
It appears that this may be a hybrid answer to the issues of accountability and loss allocation: Each party will bear a portion of the loss proportional to its own level of fault.
However, in some cases neither party will be at fault at all. All reasonable security measures could have been taken and yet the scam might still succeed.
It is important to keep the concept of loss allocation distinct from the question of accountability. When we cannot use fault to allocate loss, there needs to be a policy decision where to place it instead.
There is likely to be even more commentary and further suggestions for improvement on this issue.
When evaluating these proposals, it is important that we begin with the end in mind: Keep sight of the three fundamental questions posed above and be clear about which question each solution is supposed to answer.
There may very well be trade-offs involved between the issues and conflation of objectives may lead to solutions that answer none of these questions adequately.
ABOUT THE AUTHOR:
Alexander Woon is a lecturer at Singapore University of Social Sciences’ School of Law and practises law as Of Counsel at RHTLaw Asia. He was formerly a Deputy Public Prosecutor at the Attorney-General's Chambers, where he was part of a team that conducted investigations and presented evidence to the Committee of Inquiry for the SingHealth cyber attack.