Commentary: In an age of scams, why are banks still asking users for personal information over the phone?
It is convenient for banks to authenticate users over the phone, but users have limited means of verifying the legitimacy of who they are dealing with, says Steve Kerrison of James Cook University, Singapore.
SINGAPORE: Singapore has been gripped by an epidemic of scammers who will use every technological and psychological trick in the book to part innocent victims from their money.
To combat scams, local banks have introduced protections such as money-locking features and restricted user access if sideloaded apps are detected on customers’ devices.
The former allows customers to create designated accounts from which funds cannot be digitally transferred out without in-person verification. The latter, primarily targeted at weaknesses in the security of Android phones, prevents hackers from taking control of a user’s device and accessing their banking apps.
The prospect of additional regulation looms over banks, with a framework on how losses from scams will be shared between consumers and companies in the works. So with potentially increased liability, institutions will be looking to minimise risks to themselves and by extension their customers.
With a significantly digitalised economy and a reputation as a smart nation to maintain, Singapore must do everything it can to help consumers fight back against scammers. So what more can it do?
To answer that question, we have to consider the ways we commonly do business, and how they might still leave us vulnerable.
TOO MUCH TRUST IN ONE DEVICE
Part of the problem is that the smartphone has become the gateway to everything in a user’s life, including their bank accounts.
Banks have been leaning into phone-based authenticators, which prompt the user for authorisation through SMS or an app notification before proceeding with online transactions. This is convenient, but merges authentication and application into one device. It is a problem if that one device falls under the control of an attacker.
Netizens have suggested that banks could bring back physical security tokens to overcome this problem. However, security tokens are an additional device that you must carry with you if you want to be able to authorise activities. You may need a unique device for each bank or organisation, so they may stack up and become confusing to manage.
In an ideal secure smartphone, banking apps would be able to completely isolate themselves from anything else that may run on the phone, including malware. However, if any holes are discovered in the technologies that provide this isolation, this could still be a problem. So perhaps a re-think about authentication factors is in order.
MALICIOUS APPS AREN’T THE ONLY THREAT
Beyond the smartphone screen, there are other areas of concern. Some may find a phone call to be a more personal - and perhaps safer - method of doing business. That’s not always true, with phone scams being prevalent in recent years.
In fact, receiving a verification phone call from a banking office is jarring in an age of scams. Singapore customers have complained that while banks can authenticate users through one-time passwords or security questions, customers have no way of verifying the legitimacy of a banking officer when one contacts them.
Banks could lean upon their other communication methods, such as notifications within their own apps, to allow the customer to verify the authenticity of requests, and even authorise the sharing of data. At a minimum, a customer should always be able to call back using a publicly verifiable contact number, such as one listed on an official website, before continuing a conversation.
More limits could also be placed on the information businesses can ask from a user for verification purposes. If we look to the regulations in Singapore, the protections of the NRIC are a good example of safer sharing of sensitive data with businesses. The Personal Data Protection Act restricts its collection and storage to cases determined to be necessary under the law, such as seeking medical treatment or getting a new phone line.
Partial recording of the NRIC is allowed in some circumstances, although the guidance cautions that collecting more than the last three digits and the final character is too revealing. Given how much of Singaporean life hinges on the NRIC, it’s understandable that it should be strongly safeguarded.
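As an added illustration of the "last three digits and final character" rule above (this is example code written for this commentary, not anything from the author, a bank or a regulator), the script below reduces a full NRIC to its permitted partial form, produces a masked display form, and audits a set of stored records to flag ones that hold more of the identifier than the rule allows. The NRIC format check (one prefix letter, seven digits, one check letter) is a general assumption about the identifier's shape; the sample values are constructed and are not real identifiers.

```python
import re

# Shape of a full NRIC/FIN: prefix letter, seven digits, check letter (assumption about format).
FULL_RE = re.compile(r"^[STFGM]\d{7}[A-Z]$")
# Permitted partial form: last three digits plus final check letter.
PARTIAL_RE = re.compile(r"^\d{3}[A-Z]$")

# Constructed sample records for the audit below; none of these are real NRICs.
SAMPLE_RECORDS = [
    {"customer": "A", "nric": "S1234567D"},   # full identifier stored: over-collected
    {"customer": "B", "nric": "t0011223x"},   # full identifier, lower case: over-collected
    {"customer": "C", "nric": "567D"},        # already the permitted partial form
    {"customer": "D", "nric": "S12-34567D"},  # malformed: cannot be safely reduced
]


def classify(value: str) -> str:
    """Return 'full', 'partial' or 'malformed' for a stored NRIC value."""
    v = value.strip().upper()
    if PARTIAL_RE.match(v):
        return "partial"
    if FULL_RE.match(v):
        return "full"
    return "malformed"


def partial_nric(value: str) -> str:
    """Reduce a full NRIC to the permitted partial form (last 3 digits + check letter).

    A value that is already partial is returned unchanged; anything else raises.
    """
    v = value.strip().upper()
    kind = classify(v)
    if kind == "partial":
        return v
    if kind == "full":
        return v[-4:]
    raise ValueError("not a well-formed NRIC")


def mask_nric(value: str, fill: str = "*") -> str:
    """Display form of a full NRIC: same length, only the permitted part visible."""
    v = value.strip().upper()
    if classify(v) != "full":
        raise ValueError("mask_nric expects a full NRIC")
    return fill * (len(v) - 4) + v[-4:]


def audit_records(records):
    """Flag records that store more than the partial NRIC and return a cleaned copy.

    Returns (findings, cleaned) where findings lists customers by problem type and
    cleaned holds the same records with the NRIC reduced to the partial form, or
    None where the stored value was malformed and could not be reduced safely.
    """
    findings = {"over_collected": [], "malformed": []}
    cleaned = []
    for rec in records:
        kind = classify(rec["nric"])
        if kind == "full":
            findings["over_collected"].append(rec["customer"])
            cleaned.append({**rec, "nric": partial_nric(rec["nric"])})
        elif kind == "partial":
            cleaned.append({**rec, "nric": rec["nric"].strip().upper()})
        else:
            findings["malformed"].append(rec["customer"])
            cleaned.append({**rec, "nric": None})
    return findings, cleaned


if __name__ == "__main__":
    findings, cleaned = audit_records(SAMPLE_RECORDS)
    print("over-collected:", findings["over_collected"])
    print("malformed:", findings["malformed"])
    for rec in cleaned:
        print(rec["customer"], rec["nric"])
```

The audit separates two different problems a data-protection review would treat differently: a record holding the full identifier is a retention issue that can be fixed by reducing it in place, whereas a malformed value cannot be reduced without guessing and is left for manual follow-up rather than silently truncated.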
MORE TECHNOLOGY COULD BE A SOLUTION
Perhaps we can look back to technology to solve some of these problems. While we’re increasingly used to Singpass to log in to services and use Myinfo to approve the sharing of data with companies, these tend to happen only in an online setting.
It would be possible, though, to use these mechanisms in in-person and phone-based settings as well, to establish trust between a customer and an authorised company representative. This would help us be sure of who we’re interacting with, and that the information we’re handing over is going directly into a secure system.
Staying safe in the coming months and years requires everybody to adapt. Businesses need to embrace new security technologies and data collection methods regardless of communication mode. Smartphone manufacturers need to take a closer look at how scammers might turn people’s devices against them and provide mitigations rather than leaving it to individual apps to do the job.
The public needs to keep apprised of the latest scams and not be afraid to distrust by default, even when presented with a familiar voice or face, especially when there’s money involved.
And for the super paranoid, keep using that physical token, if you have one, or dedicate a second (perhaps cheaper) smartphone to having a very limited set of apps running on it, such as your banking apps. This would minimise the chance of encountering malware on the device, while having peace of mind that if one’s primary device is compromised, it is safely separated from your bank accounts.
Steve Kerrison is Senior Lecturer of Cybersecurity at James Cook University, Singapore.