Commentary

Commentary: Right intention, wrong approach for OCBC and its new anti-scam measure

Users are a weak link when it comes to scams, but banks have to walk a tightrope between stringent security measures and customer experience, says fintech CEO Jonathan Chang.

OCBC introduced a new security feature targeted at the threat of malware from risky apps downloaded from unofficial platforms. (Photo: TODAY/Ili Nadhirah Mansor)

SINGAPORE: Given the rising tide of malware scams, would it make sense to protect people by preventing access to online banking services if there were other risky apps on their phones?

Some OCBC users got a rude shock in August when they were blocked from using the bank’s internet banking and mobile banking app, as part of a new security feature that detects potentially risky Android apps downloaded from unofficial platforms. Irked customers took to social media, taking issue with the bank telling them which apps are allowed on their own phones and seemingly monitoring their activities.

Highlighting users as a cybersecurity vulnerability is by no means unwarranted. People generally are unaware of the dangers lurking in the shadows of unauthorised app stores and the permissions they grant to these potentially rogue apps.

That said, it is by no means entirely the user’s fault. Scammers are often a few steps ahead of the general public, devising new ways to scam users out of their hard-earned savings.

Just this week, the Singapore Police Force (SPF) warned of three new scam variants luring victims into downloading malicious apps - from targeting dating platform users to ads for fake loans with attractive interest rates and even a bogus Goods and Services Tax (GST) Voucher mobile app. This follows earlier warnings against downloading a fake ScamShield app - the SPF’s own anti-scam effort.

OCBC might be feeling just a little bit vindicated in pushing out their contentious anti-scam measure. But should users see OCBC’s latest anti-scam measure as a necessary guardrail or an ambitious overreach?

TIGHTROPE OF SCAM PROTECTION AND USER FRICTION

Using technology to combat human error isn’t new. Just think of self-braking systems, lane departure warnings and parking assists that come built into our cars today to counteract human negligence and ensure safety.

Similarly, the banking sector has high stakes. Errors here can lead to users losing their life savings and potentially irrevocable damage to the institution's reputation.

Mobile phone app stores, with their rigorous approval processes, are fundamentally designed to protect users from apps that harbour malicious intents, such as stealing personal data or hijacking transactions.

However, stringent security measures come at a price - the erosion of user convenience.

Some OCBC users complained that common apps such as Chinese TikTok-equivalent Douyin, Microsoft Authenticator and LG’s smart appliance control app had also caused their banking access to be blocked, even though OCBC clarified that it would flag only apps downloaded from unofficial platforms which also have risky permission settings that could be exploited by scammers.

Furthermore, for a multitude of reasons, some users are compelled to download apps from unofficial platforms. This can range from geo-restrictions in official app stores to beta versions provided directly by developers on their official sites.

The tightrope walk between security and convenience in the expansive digital realm is fraught with challenges. While striving for a seamless user experience is commendable, it's imperative to recognise that each point of ease could potentially be exploited by cyber criminals.

HEAVY-HANDED APPROACH ISN’T OPTIMAL

Though the importance of OCBC’s attempt to curb malware attacks with its security update cannot be overstated, it may not have taken the optimal route. Interfering with the user’s freedom of choice when it comes to installing external apps can come across as heavy-handed.

Additionally, while malware remains a potent threat, it's only one of many. The omnipresence of phishing scams, identity theft and credit card fraud demands innovative and holistic security solutions.

On the flip side, there's also the risk of being too stringent. For instance, in their bid to counter fraudulent activities, some banks employ rigorous transaction verification processes that can sometimes decline legitimate transactions.

Rather than just imposing technological restrictions, perhaps a more holistic approach - combining technology with user education - would be more effective. By fostering a user base that is informed about the dangers of third-party downloads and equipped to discern app permissions, the bank can bolster its defences.

BANKS AND USERS MUST SHARE RESPONSIBILITY

OCBC’s move underscores a broader, industry-wide debate in which banks are walking the tightrope in an era of relentless digital transformation to maintain trust, especially as financial institutions will be expected to share liabilities in scam cases under an upcoming government framework.

The financial sector has thrived on customer trust. Security measures they implement, while ensuring safety, must not compromise this integral relationship.

It's a complex interplay of trust, security, and convenience. It's not just about stopping potential threats but also about ensuring that in doing so, the banks do not alienate their customers.

Banks need to understand that in the age of digitisation, customer expectations are evolving. They desire a mix of security, which protects them, and autonomy, which doesn't make them feel surveilled or restricted. The challenge here lies in combining the two.

OCBC’s decision, while well-intentioned, highlights the intrinsic challenge digital banks face in balancing a harmonious user experience with robust security. This measure might come off as overbearing to some, yet it underscores an immutable fact - in the realm of digital banking, both the institution and its users bear the responsibility of safeguarding against cyber threats.

The task of ensuring robust security isn't solely the bank's prerogative; users too need to be vigilant and well-informed.

Dr Jonathan Chang is CEO of Fintopia Indonesia - a digital lending fintech unicorn. He is also a lecturer, public policy advisor and an award-winning researcher.

Source: CNA/ch
