OCBC phishing scam underscores trade-off between convenience and security, with bank customers at risk: Experts
SINGAPORE — As banks move towards digital banking, the recent phishing scam that affected hundreds of OCBC customers highlighted the trade-off between convenience and banking security, with bank customers at risk of bearing the entire financial cost of such modern day bank robberies, experts said.
- Experts said the convenience of online banking should not necessarily compromise security, and vice versa
- A circular to banks from the central bank said consumers should not have to bear full financial losses of any fraudulent transactions unless they had been grossly negligent
- The banks have a role to safeguard customers' funds by using the best cybersecurity strategy, but customers have to level up as well
- Only 4 per cent of Singaporeans are able to identify phishing attempts, a 2020 poll showed
- Some cybersecurity experts highlight a weakness in relying on SMS for two-factor authentication
After all, a scam in which the customer willingly, albeit unknowingly, gave up his bank account information to a cleverly disguised fake website is not technically a breach of the bank's cybersecurity infrastructure.
Mr Bryan Tan, a partner at law firm Pinsent Masons, told TODAY: "The current position is that the loss lies where it falls. If the money came out from your side, and you allowed (scammers) to authorise the transaction, the bank can defend themselves by saying they do not have a clue that the user isn't you."
However, an ongoing review by the authorities on the responsibilities and liabilities of consumers and financial institutions for fraudulent payment transactions, announced last year, may give hope to those who practise good digital health.
In a circular to financial institutions last August, the Monetary Authority of Singapore said that consumers should not have to bear full financial losses of any fraudulent transactions unless they had been "grossly negligent". Banks and financial institutions should also investigate the scam or fraud in a fair and reasonable manner.
In the circular seen by TODAY, the authority gave two examples of gross negligence: a consumer failing to report the fraudulent transaction in a timely manner, or disclosing his personal account details.
Such a review could lend greater clarity to a process in which both the bank customer and the bank itself are victims of the cybercrime, Mr Tan said.
So far, some bank-related scam cases have been resolved by the banks compensating their customers of their own volition, though no case has gone to court to determine whether there was indeed any breach of cybersecurity guidelines, he noted.
The recent spate of SMS phishing attempts on OCBC customers affected at least 469 customers, who lost around S$8.5 million in all.
Scammers were able to phish out account login information through phone text messages that spoofed the bank's official SMS thread, fooling people into keying their details on a fake website.
These scams have risen in numbers in recent years.
The Financial Industry Disputes Resolution Centre (Fidrec), an independent company that mediates disputes between consumers and financial institutions, said in response to queries that "unauthorised transactions, frauds and scams" was the most common category of claims made against banks and finance companies in the 2021 financial year, with 42 per cent of all complaints falling under this heading.
That is up from 29.4 per cent of all complaints Fidrec received in 2020.
The centre has also received enquiries from 11 victims of the OCBC phishing scam, though no complaints have been filed so far because Fidrec accepts complaints only four weeks after victims have contacted their bank for help.
Victims may also file a complaint if the bank responded but the resolution is unsatisfactory.
Ms Eunice Chua, Fidrec's chief executive officer, said that at present, it is the contractual terms between the customer and the bank, as well as the conduct of both, that determines whether the scam victims are awarded compensation for their financial loss.
"Generally, customers have a responsibility to monitor their notifications, protect access to their accounts, and report immediately when they notice something wrong."
Ms Joanne Wong, vice-president of international markets for American security intelligence firm LogRhythm, said that online banking solutions have made it more accessible and convenient for people to pay their bills, transfer money and check their transaction records, but it has also created new vulnerabilities, which sophisticated cybercriminals are quick to exploit.
The state of cyber vigilance in Singapore is "astonishingly low for such a digitally savvy nation", she observed.
She also said that a poll by the Government's Cyber Security Agency found in 2020 that only 4 per cent of Singaporeans are able to identify phishing attempts made through emails.
Cybersecurity experts said that banks may push responsibility for SMS phishing attempts onto customers whenever scammers succeed, but in reality banks play a far greater role in protecting their customers' funds.
Ms Wong said: "After all, phishing attacks and SMS spoofs are just individual parts of a much bigger threat-scape, with recent data breaches and the rise of ransomware pointing towards the need for organisations to mature their cybersecurity strategies as a whole."
Mr Mark Goudie, Asia-Pacific and Japan services director at cybersecurity firm Crowdstrike, agreed that the onus is on business leaders to ensure that their operational processes and security measures can prevent attacks such as an SMS phishing scam in the first place.
"At a basic level with encryption and two-factor authentication in place at the front end, banking should continue to be secure, though threat actors will continue to try to find and exploit any weaknesses," Mr Goudie said.
PROTECTING BANK CUSTOMERS BETTER
Some cybersecurity experts were concerned about Singapore's reliance on passwords for online banking, including two-factor authentication methods such as one-time passwords (OTPs) sent via SMS, which are vulnerable to phishing attacks.
Mr Andrew Shikiar, executive director of Fido Alliance, a global industry association on open and free authentication standards, told TODAY that OTPs share a common trait with account passwords and personal identification numbers (PINs) because they are "knowledge-based secrets which can and will be pried out of an unassuming consumer's hands by enterprising hackers".
"These attacks work precisely because they are carefully designed to manipulate emotions and take advantage of victims’ trust and human nature," Mr Shikiar said.
A number of victims in the OCBC phishing scam previously told TODAY that they had not given up any OTP or security token details to the scammers, but their online bank accounts were hijacked anyway.
Mr Shikiar added: "Instead of knowledge-based authentication... cryptographically secure, possession-based authentication should be the preferred path forward."
Examples include physical bank tokens or the bank's own mobile application paired to a physical device. As long as the user can prove possession of the device, for instance by unlocking it with a fingerprint, the transaction can proceed.
Ms Wong from LogRhythm said: "Authenticator apps are a much safer alternative to SMS OTPs, as these are time-based one-time passcodes generated on the device itself, barring interception by external parties."
At the same time, customers are also responsible for practising good cyber hygiene, such as by setting complex passwords for their online accounts and keeping apps, software and operating systems up to date.
Banks can help raise awareness among customers as well, by sending them frequent information about the latest phishing techniques that cyber criminals use, Ms Wong said.
"Convenience (of banking) should not necessarily compromise security, and vice versa. Banks and financial institutions can and should leverage digital technologies to make banking solutions more convenient and accessible for their customers, without always having to make the security trade-offs," she added.