SINGAPORE: OCBC digital banking app customers in Singapore who are expressing strong dissatisfaction with the recent security update to the bank’s mobile app have probably never fallen prey to any form of scam, such as unauthorised transactions that drain the savings from their bank accounts.
A considerable number of OCBC mobile app users in Singapore have voiced their concerns in the comment section of the bank’s Facebook page, and have even left one-star reviews on the Google Play Store.
While the move is unfavourable to some Singaporeans, Malaysians welcome the move and hope Malaysian banks can enforce this security measure soon.
Calyn Beh Kim Lian, 35, an analyst, said OCBC’s move is commendable and hopes Malaysian banks can take a leaf out of its online banking security measures.
“I have a family member whose money was emptied from her e-wallet of a major bank in Malaysia. We still don’t know how it happened even though we are cautious of unknown callers, and the common precautions told by police,” she said.
Farahin Mh, 33, an entrepreneur, said OCBC’s new security feature on its mobile app is laudable and that Malaysian banks should emulate its security move as soon as possible.
“I don’t understand why the bank’s customers showed such strong disapproval of the new feature. Those who oppose most likely have not fallen prey to online scams.
“They could be OCBC bank’s competitors,” she said jokingly.
Celeste Loh, 38, a Klang-based marketing manager for an FMCG company, said she worries such a feature might be discriminatory to those who are technologically challenged.
“Such a move could deter users such as the elderly who are not well versed in technology. Generally, they would panic if their phone receives any such notifications,” said Loh, who suggests OCBC should explore other less invasive measures.
Loh suggested that OCBC or other banks engage their digitally challenged customers with targeted workshops or provide easy guidance at branches or via the phone on how to use the app.
Salim Hamidon, 41, an engineer from Cyberjaya, supports such a move and hopes other banks will follow suit.
“There are too many digital threats these days from scam calls, data leaks and identity theft. More banks need to take on such measures to protect the consumers as we may not have the right tools of knowledge to deal with scams and fraud cases,” he said.
On 5 August, OCBC launched its latest security update to the OCBC Digital app as part of its ongoing efforts against cybercrime and to protect customers’ online banking experience.
This “essential security enhancement” will only allow the OCBC Digital app to work on phones whose mobile apps are only downloaded from official app stores.
Apps that come from other sources, like Android Package Kit (APK) files, “tend to have more security vulnerabilities, including being more susceptible to malware infection”, said OCBC.
Screengrabs from OCBC’s Facebook and Google Play Store:
MAS and the Association of Banks in Singapore support OCBC’s move
In a press release on 8 August, the Monetary Authority of Singapore (MAS) said it “strongly supports banks’ initiatives to bolster the security of digital banking”.
MAS stated that it has been working closely with banks to introduce measures to address the risks associated with malware-related scams, which “an increasing number of customers have fallen prey to”.
“Security measures will come with some measure of added inconvenience for customers, but they are necessary to maintain security of and confidence in digital banking. Coupled with a vigilant and discerning public, robust security measures will help us strengthen our defence against scams,” it said in the statement.
The Association of Banks in Singapore (ABS) emphasised that banks do not monitor customers’ phone activity or conduct surveillance on mobile phones.
“We would like to assure all banking customers that this security feature does not collect nor store any personal data. The technology detects higher risk behaviours which are characteristic of known malware activities when the banking apps are opened. It does not identify the owner of the mobile phone,” said ABS director Ong Ai Boon.
OCBC emphasises it does not monitor phone activities
OCBC head of the anti-fraud division, Beaver Chua, reportedly said that, on the bank’s side, they do not know what apps are flagged on users’ phones.
All the checks for malware on the phone happen on the phone itself, said Chua.
“Whatever content you have [that] is on your phone… it doesn’t go to us. We are just asking before you enter into the app, the app is just checking the phone for any sort of dodgy apps around. If you have, we can’t let you log in,” he said.
Chua also assured that the information does not go back to the bank, and the banks do not know what apps are flagged.
The bank does not have access to users’ private data on their phones, like their photos or documents, there is no surveillance capability, and it is not checking users’ phones actively, he said.
“We want to stop any potential scammers from taking over the phone and trying to launch the online banking app and then utilise our app with the information [they] have gotten from the user and then emptying out the banking account,” he said.
Chua clarified that they are not stopping users who downloaded apps from outside official stores such as Google Play Store, App Store, Huawei App Gallery, and OPPO Store.
The OCBC Digital app will only stop users from logging in if they have an app on their mobile phone that is not from an official app store, and the app must have a risky setting known in the IT security space to cause a security problem.
Chua stressed that this security update is to protect the customers, especially the vulnerable customer who may fall victim to scams and install an app that is not from an official store.
Before OCBC rolled out the new security update, they would have at least one reported case of malware from third-party apps that led to users having their bank accounts drained. Chua stated that since the update, they have not seen any cases reported to them.
He also shared that these cases appear only among Android phone users.
Users can read up on the new security update on OCBC’s FAQ page for more information.
The risk of falling victim to scams is higher than ever, as scammers continue to adapt and develop newer and advanced schemes
Scam victims in Singapore lost a total of SG$660.7 million in 2022, up from SG$632 million in 2021.
The figures released by the police on Wednesday (8 Feb) mean that almost SG$1.3 billion was lost to scams in the past two years.
And contrary to popular belief, it was not mostly the elderly who fell prey to scams. More than 53% of scam victims were between 20 and 39 years old, according to The Straits Times.
Meanwhile, in Malaysia, police statistics revealed that there were 12,092 scam cases between January and July last year, with losses totalling RM414.8 million. In 2021, 20,701 cases were reported with losses amounting to RM511.2 million.
The scam cases, on an upward trend, included online trading scams, sale scams, business email scams and SMS scams.
According to the Singapore Police Force, since January 2023, the police have received an increasing number of reports that malware was used to compromise Android mobile devices, resulting in unauthorised transactions made from the victims’ bank accounts even though they did not divulge their Internet banking credentials, One-Time-Passwords (OTPs) or Singpass credentials to anyone.
“In these cases, the victims responded to advertisements (e.g., on cleaning services, pet grooming, food items such as seafood and groceries, etc.) on social media platforms like Facebook and were later instructed by the scammers to download Android Package Kit (or APK) from a non-official app store to facilitate the purchase, leading to malware being installed on the victims’ mobile devices.
“The scammers then convince the victims via phone calls or text messages to turn on accessibility services on their Android phones. Doing so weakens the phones’ security and allows the scammer to take full control of the phones.
“This means that the scammers can log every keystroke and steal banking credentials stored in the phones and allows the scammer to remotely log in to the victims’ banking apps, add money mules as payees, raise payment limits and transfer monies out to money mules. The scammers can further delete SMS and email notifications of that bank transfer to cover their tracks,” SPF said in a statement in July.
Malware has resulted in confidential and sensitive data, such as banking credentials, being stolen
The Police and the Cyber Security Agency of Singapore (CSA) released a statement to remind the public of the dangers of downloading applications from third party or dubious sites that can lead to malware installed into victims’ mobile phones, computers, and other Information Communications Technology (ICT) devices.
Such malware has resulted in confidential and sensitive data, such as banking credentials, being stolen.
Malware may infect ICT devices through various means, including through the downloading of software or applications from unknown sources, opening of attachments from unsolicited emails and accessing malicious websites.
Users should also be wary if they are asked to download suspicious Android/Chrome/Google-related updates or any dubious Android Package Kit (APK) files onto their mobile devices, even with seemingly genuine naming conventions, such as the following:
- Chrome-upd13111[.]apk; and
To find out more about malware and the preventive steps that users can take to protect their devices, please refer to CSA’s SingCERT advisory at https://www.csa.gov.sg/alerts-advisories/Advisories/2021/ad-2021-008.
Carefully assess any messages claiming to be your bank
According to McAfee, a computer security software company, the public can better recognise phishing emails once they understand how banks communicate with customers.
“There are certain things legitimate banks never do. If you get a message like that, assume it’s fraudulent,” it said on its website.
Some other tips include:
- Calling: Banks or other financial institutions don’t call for your PIN or checking account number. Never provide this over the phone. Call your bank directly using the phone number on your credit card or bank statement if you want to confirm.
- Email: Your bank has no reason to email you for account information it already has. If you receive an email asking you to click a link or provide account information, assume it’s fraudulent. Don’t click any links and mark the email as spam.
- Text messages: If a message appears to be from your bank asking you to sign in or enter your PIN, it’s a scam. Banks never ask customers for this information by text.
- Urgent action: A common theme in phishing emails is the urgent call to action. Cybercriminals want to scare you into acting immediately without thinking. The email says there was suspicious activity on your account, and you should log in immediately to avoid having it frozen or closed. No legitimate business would close a customer’s account without giving reasonable notice. Contact your bank through your normal channels to check your balance and account activity if you aren’t sure.
- Typos: Misspelled words and grammatical errors are another red flag. Major corporations have professional editors to make sure the content is correct.