OCBC’s new anti-scam measure upsets some users; bank clarifies only apps with risky permission settings flagged
The bank's new security feature prevents users from logging onto their Internet banking and OCBC Digital app on their phone if it detects potentially risky apps downloaded from unofficial portals.
SINGAPORE: OCBC said that only Android apps with risky permission settings that could put a user’s mobile phone under the threat of malware will be flagged by the bank’s new security feature.
It said not all apps from unofficial platforms will be flagged by its latest security update.
Mr Beaver Chua, head of anti-fraud at OCBC group financial crime compliance, made the clarification on Tuesday (Aug 8), two days after the bank announced its new security feature that prevents users from logging onto their Internet banking and OCBC Digital app on their mobile phones if it detects apps downloaded from unofficial portals.
The security feature has resulted in negative feedback from some users.
“(The feature) will only block apps that are not downloaded from official app stores, and which also have risky permissions settings that could cause the phone and mobile banking apps to be compromised,” said Mr Chua.
He added that other sideloaded apps that do not have the risky permission settings will not be affected.
“This particular permission setting exposes the users to a security loophole that allows (scammers) to exploit, take over the phone remotely and jeopardise banking accounts,” he said, highlighting recent cases of malware scams targeting Central Provident Fund (CPF) savings.
The bank said the security measure was implemented to safeguard customers from malware and alert them to these apps that could expose their devices to scammers.
Some users took to the bank’s social media accounts after the security update kicked in on Saturday. Those with high-risk apps on their mobile phones were unable to access their OCBC online banking services.
Users shared screenshots on the bank’s Facebook with a prompt that read: “As the following apps are not from official app stores (eg. Google Play Store and Huawei AppGallery), they may be malicious or harmful”. The message then identified the apps and requested users uninstall them before proceeding with their online banking.
Users complained that apps such as popular Chinese video-sharing platform Douyin, online payment platform Alipay, and LG's smart appliance control app are among those flagged by OCBC’s security feature.
The bank has advised users to reinstall them from the official app stores to access their banking services.
Mr Chua explained that some apps are available on both official app stores and third-party websites, but users should only download these apps from official stores as they would have gone through more stringent checks.
In response to customers who were concerned about their privacy, Mr Chua stated: “There is a misunderstanding that users think we can scan their phones and see their content but that is an absolute no, the user’s information does not go to the bank. It is localised on your phone and only you can see it.”
The Association of Banks in Singapore (ABS) said malware-related scams are often carried out through apps downloaded from third-party or dubious sites, and reminded consumers that they will be expected to bear losses arising from such scams.
The organisation reiterated OCBC’s stance on privacy, saying the bank’s security features do not monitor customers’ phone activity, collect any personal data, or identify the owner of the mobile device.
DEFENDING AGAINST MALWARE
OCBC said that since it rolled out the security enhancement on Saturday, the bank has not received any malware scam reports from customers who have updated their app with the new feature. It added that this is in contrast to the period before Aug 5, when the bank received at least one malware scam report a day.
One elderly OCBC customer who supports the initiative said he likes the additional layer of protection.
“I have seen many people get scammed over the years, so I see this feature as a way to protect those of us who may not be so savvy or alert to spot non-legitimate and suspicious apps,” said Mr HY Leong, 71, the director of a travel company.
Mr Chua said the bank is still seeking customer feedback on the security feature and is looking at ways to make it more convenient for users.
He added that the security feature is an opportunity for users to take a closer look at the OCBC-flagged apps and make an informed decision on whether they should continue allowing those apps on their devices.
“At the same time, we want the customers to (think about) why OCBC has flagged these apps as high-risk. We (should) question why certain apps need permission and access to (certain functions on your phone). Malicious apps often pose as innocent services or e-commerce apps,” he said.
However, one cybersecurity firm said that this approach might not fully protect consumers.
“Malicious applications do find their ways into the official Google Play Store, which means that you can have a malicious app on your mobile phone that would be from official sources,” said Mr Kevin Reed, chief information security officer of software technology firm Acronis.
“At the same time, you can have a non-malicious, really useful application that would come from a third-party source.”
Mr Chua acknowledged that while apps on the official app stores are not completely risk-free, the “chances of malware are lower because there is a review process, in comparison to apps from websites or other unknown sources”.
OTHER BANKS EXPECTED TO FOLLOW SUIT
OCBC said that other banks are expected to introduce their own updated anti-scam security measures in time.
ABS said its members are rolling out a stronger security feature to protect their customers from malware and scams.
“Banks have been working closely with government and law enforcement authorities to fight malware scams … and pro-actively implementing new security measures to protect customers,” said Mrs Ong Ai Boon, the organisation’s director.
The Monetary Authority of Singapore (MAS) said it supports initiatives by local banks to strengthen the security of digital banking.
The central bank added that OCBC's latest security feature is a new innovation that may have caused unintended inconveniences.
“Security measures will come with some measure of added inconvenience for customers, but they are necessary to maintain security of and confidence in digital banking,” said an MAS spokesperson.
MAS said it will work with the banks to learn from these experiences and continue to enhance their security features.