Banks mulling more anti-scam moves including biometric tech, letting customers freeze accounts unilaterally

  • The authorities and banks here are mulling over new measures to further lower the risk of customers falling victim to phishing scams
  • These include allowing bank customers to freeze their accounts without having to contact the banks
  • Also being explored is an expansion of the use of biometric authentication to complement passwords and one-time passwords
  • Extra customer confirmations for significant changes to their accounts or high-risk transactions are also being explored 

SINGAPORE — The authorities and banks here are considering new measures, including allowing bank customers to freeze their accounts without having to contact the banks, as well as the use of biometric authentication, to further reduce the risks posed by phishing scams.

This is even though banks have already rolled out a slew of measures to bolster digital banking security.

Delivering a ministerial statement in Parliament on Tuesday (Feb 15) on strengthening the security of digital banking, Finance Minister Lawrence Wong said that tackling the problem would require “robust responses” at the individual, industry and infrastructural levels.

“We are addressing the risks at every part of the digital ecosystem, so that taken together, the measures will significantly mitigate risks for the entire system and enable us to operate safely in a digital world.”

His statement came in the aftermath of a recent phishing scam that hit 790 OCBC bank customers who lost a total of S$13.7 million to the scammers. The Singapore-based bank completed arrangements to reimburse all the victims with "goodwill payments" late last month. 

Mr Wong outlined five key measures that are being considered.

The first will see banks working to further strengthen their fraud-surveillance capabilities to identify suspicious and anomalous transactions.

At present, Mr Wong said that most banks have some rule-based parameters to trigger suspicion, such as large transfers to new recipients.

“But these parameters need to be expanded to take account of a broader range of scam scenarios.”

Beyond pre-defined parameters, Mr Wong said that Singapore's central bank, the Monetary Authority of Singapore (MAS), would expect banks to develop “more versatile algorithms” that employ artificial intelligence and machine learning to detect suspicious transactions.

Such algorithms should be based on many sources of information, including customer profiles and vulnerabilities, past transaction patterns, account activity and mobile device identification.

“I must caveat that while these advances will help, fraud-monitoring systems are not a silver bullet. It is not possible to detect every scam,” he said.

Second, Mr Wong said that banks should step up their ability to immediately block suspicious transactions and reach out to their customers to verify their authenticity.

He said that transactions would be unblocked and processed only upon confirmation by the customer. While he noted that banks today have some of these capabilities, they were “not consistent across various types of transactions”.

Furthermore, he said that the authorities were also looking into enabling customers to trigger a freeze on their accounts without having to contact the banks if they suspect their accounts have been compromised.

The third measure being looked at is the introduction of extra customer confirmations — beyond notifications — for significant changes to their accounts or high-risk transactions.

These could include changes to account-holder details, activating a token on another device, fund transfers that are large relative to overall balances, and overseas transfers.

“This will introduce some friction to customers carrying out genuine transactions. But we will all need to adapt and get used to these inconveniences, in order to strengthen the security of digital banking,” Mr Wong said.

The fourth measure will explore expanding the use of biometric technology to complement passwords and one-time passwords as a means of authentication.

“This will add one more layer of security that cannot be easily phished by scammers to access a customer’s account.” 

Fifth, Mr Wong said that banks would speed up the shift towards the use of mobile banking applications for customer authentication, transaction authorisation and delivery of bank notifications.

If rolled out well, he said that it would be harder for scammers to abuse mobile banking apps.

At the same time, Mr Wong added that MAS and the banks were reviewing the use of SMS (Short Message Service) text messages to deliver one-time passwords, and the potential measures that should be taken to reduce risks, should such a practice continue.

As it is, Mr Wong told Parliament that the Association of Banks in Singapore had announced a set of measures on Jan 19 for immediate roll-out by retail banks.

These include removing clickable links in all bank email and SMS messages sent to retail customers, imposing a delay of at least 12 hours before a new soft token can be activated on a mobile device, and lowering to S$100 or below the default threshold for sending transaction notifications to customers.

Other measures that were rolled out required notification alerts to be sent to a customer’s existing mobile number or email registered with the bank whenever there is a request for change.

FRAMEWORK FOR SHARING LOSSES

In his statement, Mr Wong also spoke about the importance of establishing a common and equitable framework for sharing the losses that customers incur from scams.

He said that under this framework, which is being worked on by the MAS-chaired Payments Council, banks and their customers have their respective responsibilities, and the share of losses each party bears would depend on whether and how that party has fallen short of the responsibilities.

Financial institutions, he said, should bear an appropriate share of losses arising from scams, but "care must be taken to ensure that any compensation paid to customers does not weaken their incentive to be vigilant".

Seeking more clarity, Dr Tan Wu Meng, Member of Parliament with the Jurong Group Representation Constituency, asked Mr Wong whether the proposed framework would consider the difference between an unforced error and a forced error — where a customer was led or pressured into making the error, as was the case with the OCBC scam. 

In response, Mr Wong said that it was a complex issue.

Even so, he said that the Payments Council was deliberating the matter and its aim was to "put out something" for public consultation within the next three months.

Mr Wong also sketched out some of the key principles that he said the council was using to guide its deliberations.

For one, he said that the framework for the sharing of losses should be consistent and common, so it "shouldn't matter which bank you go to" because it has to be applied consistently across the industry. 

Aside from that, the framework should be equitable in determining how losses are to be shared, because banks and customers have their respective responsibilities.

On Dr Tan's scenario about forced and unforced errors, Mr Wong said that the authorities would be "quite clear and specific" about the responsibilities of financial institutions and customers, and what each party is expected to do to prevent scams.

"Then the share of losses each party bears will depend on whether and how the party has fallen short of these very clearly stated responsibilities," Mr Wong said.

"I think that's a fair and equitable principle, but obviously there are many details to be worked out." 
