MAS orders banks to tighten customer verification processes following SingHealth cyberattack

SINGAPORE — The Monetary Authority of Singapore (MAS) has instructed all financial institutions here to tighten their customer verification processes following the recent cyberattack at SingHealth, where the personal information of 1.5 million individuals were exfiltrated.

In a press release on Tuesday (July 24), MAS said that it had directed financial institutions to tighten their customer verification processes “to address any risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions”.

Currently, for access to online financial services, banks here are already required to put in place two-factor authentication (e.g. PIN and One-Time-Password) at login to identify their customers.

However, the central bank said: “With immediate effect, all financial institutions should not rely solely on the types of information stolen (name, NRIC number, address, gender, race, and date of birth) for customer verification.”

It added that additional information must be used for verification before undertaking transactions for the customer, which may include “One-Time Password, PIN, biometrics (as well as) last transaction date or amount”.

For high-risk transactions such as registration of third party payee details, revision of funds transfer limits and opening of beneficial accounts, banks will also be required to implement an additional layer of control before these may be carried out.

In the biggest and most serious cyberattack yet on Singapore, hackers broke into SingHealth's IT systems over a week between June 27 and July 4 and stole the data of 1.5 million patients, including that of Prime Minister Lee Hsien Loong.

The hackers — whom the authorities did not name and whose intentions were not spelled out — took data such as the name, NRIC number, address, gender, race, and date of birth of 1.5 million patients who visited SingHealth's specialist outpatient clinics and polyclinics from May 1 2015 to July 4 this year.

MAS said that it has also directed all financial institutions to conduct a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers.

“Financial institutions are to take immediate steps to mitigate any risks that might arise from the misuse of the compromised information,” it added.

MAS will also engage the financial institutions on their risk assessments and mitigation steps.

“MAS will work closely with the financial institutions to ensure that robust cyber defences are in place so that customers can carry out online financial transactions with confidence,” said MAS’ chief cyber security officer Tan Yeow Seng.

He added: “But customers must also play their part. They must safeguard their passwords and practise good cyber hygiene. If they suspect any fraudulent transactions in their accounts, they should notify their banks immediately.”

Sign up for TODAY's WhatsApp service. Click here:
 

Sign Up