OCBC phishing scam underscores trade-off between convenience and security, with bank customers at risk: Experts
As banks move towards digital banking, the recent phishing scam that affected hundreds of OCBC customers highlighted the trade-off between convenience and banking security, with bank customers at risk of bearing the entire financial cost of such modern-day bank robberies, experts said.
In a circular to financial institutions last August, the Monetary Authority of Singapore said that consumers should not have to bear full financial losses of any fraudulent transactions unless they had been "grossly negligent". Banks and financial institutions should also investigate the scam or fraud in a fair and reasonable manner.
A poll by the Government's Cyber Security Agency found in 2020 that only 4 per cent of Singaporeans are able to identify phishing attempts made through emails.
Ms Joanne Wong, vice-president of international markets for American security intelligence firm LogRhythm, said the state of cyber vigilance in Singapore is "astonishingly low for such a digitally savvy nation."
Cybersecurity experts said that banks may push responsibility for SMS phishing attempts onto customers whenever scammers succeed, but the reality is that banks play a far greater role in protecting their customers' funds.
Ms Wong said: "After all, phishing attacks and SMS spoofs are just individual parts of a much bigger threat-scape, with recent data breaches and the rise of ransomware pointing towards the need for organisations to mature their cybersecurity strategies as a whole."
Some cybersecurity experts were concerned about Singapore's reliance on passwords for online banking, including two-factor authentication methods such as one-time passwords (OTPs) sent via SMS, which are vulnerable to phishing attacks.
Mr Andrew Shikiar, executive director of Fido Alliance, a global industry association on open and free authentication standards, said: "Instead of knowledge-based authentication... cryptographically secure, possession-based authentication should be the preferred path forward."
Examples of this would be physical bank tokens or the bank's own mobile application paired to a physical device. As long as a user can prove that they possess the device, such as by unlocking it with a fingerprint, the transaction can proceed.
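The contrast between the two factors can be seen in a toy model, added here as an illustration and not code from OCBC, FIDO Alliance or any bank: an SMS OTP is valid wherever the victim types it, so a code entered on a look-alike page can be relayed to the real bank, whereas a possession-based assertion is signed together with the origin the browser saw, so one produced on a look-alike page fails verification. The origins, the per-device key and the use of HMAC in place of a public-key signature are constructed assumptions.

```python
import hmac, hashlib, secrets

BANK_ORIGIN = "https://bank.example"        # constructed relying-party origin
PHISH_ORIGIN = "https://bank-example.evil"  # constructed look-alike origin

# --- knowledge-based factor: SMS OTP ---
def bank_verify_otp(issued_otp: str, submitted_otp: str) -> bool:
    """An OTP carries no information about where it was typed, so the bank
    cannot tell a relayed code from one entered on its own site."""
    return hmac.compare_digest(issued_otp, submitted_otp)

def phished_otp_scenario() -> bool:
    otp = f"{secrets.randbelow(10**6):06d}"   # bank sends this by SMS
    relayed = otp                             # victim types it into the look-alike page
    return bank_verify_otp(otp, relayed)      # True: the relayed code is accepted

# --- possession-based factor: origin-bound challenge signature ---
# HMAC with a per-device secret stands in for the authenticator's private key;
# the bank's copy of that secret stands in for the public key registered at enrolment.
def authenticator_sign(device_key: bytes, origin: str, challenge: bytes) -> bytes:
    """The authenticator signs the challenge together with the origin of the page
    requesting it. The browser supplies the origin; the user never types it."""
    return hmac.new(device_key, origin.encode() + challenge, hashlib.sha256).digest()

def bank_verify_assertion(device_key: bytes, challenge: bytes, assertion: bytes) -> bool:
    """The bank accepts only assertions computed over its own origin."""
    expected = hmac.new(device_key, BANK_ORIGIN.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)

def phished_assertion_scenario() -> bool:
    device_key = secrets.token_bytes(32)      # shared with the bank at enrolment
    challenge = secrets.token_bytes(32)       # issued by the bank, relayed by the look-alike page
    # The user unlocks the device on the look-alike page; the browser binds PHISH_ORIGIN.
    assertion = authenticator_sign(device_key, PHISH_ORIGIN, challenge)
    return bank_verify_assertion(device_key, challenge, assertion)  # False: origin mismatch

def legitimate_assertion_scenario() -> bool:
    device_key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(device_key, BANK_ORIGIN, challenge)
    return bank_verify_assertion(device_key, challenge, assertion)  # True

if __name__ == "__main__":
    print("relayed OTP accepted:", phished_otp_scenario())
    print("relayed assertion accepted:", phished_assertion_scenario())
    print("genuine assertion accepted:", legitimate_assertion_scenario())
```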