New banking app security feature sparks customer outcry; banks say it doesn't conduct surveillance on users' phones
SINGAPORE — To counter malware scams, banks here are rolling out a “stronger security feature” where phone users will not be able to use their mobile banking applications or log in to their internet banking accounts temporarily if their devices have other apps downloaded outside of official app stores.
- Banks in Singapore are rolling out a “stronger security feature” to detect higher-risk behaviours linked to malware activities when banking apps are opened
- The feature temporarily disallows customers from using digital banking services if it detects apps downloaded from unofficial app stores on phones
- This move has drawn negative responses from some bank customers
- The Association of Banks in Singapore responded by saying that in having this feature, they do not monitor customers’ phone activity or conduct surveillance on their mobile phones
SINGAPORE — Banks here will be rolling out a “stronger security feature” on their mobile banking applications to counter malware scams, the Association of Banks in Singapore (ABS) said on Tuesday (Aug 8) following an outcry by OCBC customers when the bank introduced the feature.
In doing so, the banks do not monitor customers’ phone activity or conduct surveillance on their mobile phones, said ABS director Ong Ai Boon in response to queries from TODAY.
The customers' complaints, which surfaced on OCBC's social media pages as well as on online forums after the bank introduced the feature last Saturday, centred upon the fact that the new feature prevents phone users from accessing their mobile banking applications or log in to their internet banking accounts temporarily if their devices have other apps downloaded outside of official app stores.
Netizens questioned if the bank is being “high-handed” or can monitor users' activities on their phones, noting that the bank app flagged "unauthorised" apps such as certain authenticator software as well as several China-based banking apps.
In response to the complaints, OCBC said in a Facebook post on Sunday that its customers will not be able to log in to its internet banking or mobile app if they do not uninstall apps downloaded outside of official app stores from their phones.
They will be required to download and reinstall the apps only from official app stores to continue using the bank's digital services.
TODAY understands that other Singapore banks, apart from OCBC, will be rolling out the security feature, and has reached out to DBS and United Overseas Bank for comment.
Reiterating an explanation by OCBC on Sunday, Mrs Ong said: “ABS would like to assure all banking customers that this security feature does not collect or store any personal data.
“The technology detects higher-risk behaviours that are characteristic of known malware activities when the banking apps are opened. It does not identify the owner of the mobile phone.”
She added that banks here have been working closely with government and law enforcement authorities to fight malware scams, which are deemed “particularly aggressive” and pose a serious threat to consumers.
“Together with the authorities, we have been reminding members of the public of the dangers of downloading apps from unauthorised sources that can lead to malware being installed on their mobile phones.
“In general, consumers who do not take the necessary precautions will be expected to bear the losses arising from malware scams,” Mrs Ong said.
The Monetary Authority of Singapore (MAS) said on Tuesday night that it strongly supports banks' moves to bolster the security of digital banking in the wake of malware-related scams, to which an increasing number of customers have fallen prey.
“OCBC’s latest security feature aims to address the dangers of downloading applications from unauthorised sources, as these may contain malware,” the central bank said.
“It is in the nature of new innovations that they may cause unintended inconveniences.
"MAS will work with the banks to learn from these experiences and continually enhance their security features.”
Mr Beaver Chua, head of anti-fraud at OCBC group financial crime compliance, told TODAY that the security feature was to help filter out “bad apps” that can make devices susceptible to security vulnerabilities.
He cited as examples recent cases of malware scams such as Central Provident Fund accounts being remotely accessed by scammers, resulting in money being withdrawn.
When asked about the conditions the feature takes into account when filtering the apps, he said that he cannot go into specifics.
In general, it looks at:
- whether the apps are downloaded from official app stores
- the risk settings of the apps, such as whether they carry certain risks or unwanted permissions
- whether the apps can be remotely accessed, giving scammers control
Addressing claims by online users that some legitimate apps such as Microsoft Authenticator are being identified as risky, Mr Chua said that these apps are usually downloaded directly from websites and not app stores.
“Since we rolled out the Android security feature on Aug 5, we have not received any malware scam reports from customers who have updated their app and therefore have this new feature.
“This is in contrast to before Aug 5, where we usually receive at least one malware scam report from our customers a day,” Mr Chua said, adding that the feature also recognises app stores from other mobile device brands such as Oppo and Huawei.
Customers who have problems with digital banking related to this may proceed to OCBC's bank branches for help or call the bank's customer service hotline at 1800-363-3333, Mr Chua advised.
Mrs Ong said that in putting up new security measures to protect customers, banks will strike a balance between security and convenience.
“We seek the understanding of consumers, as scammers are deploying increasingly sophisticated tactics,” she added.
MAS said that while security measures will come with “some measure of added inconvenience” for customers, they are necessary to maintain security of and confidence in digital banking.
“Coupled with a vigilant and discerning public, robust security measures will help us strengthen our defence against scams.”
In late 2021, OCBC was involved in a high-profile case where hundreds of phishing scams linked to its bank accounts caused victims to lose millions of dollars in total. Since then, the bank and the authorities have been bolstering security measures and improving communication to customers in order to counter scams and enhance digital banking services.