Bolstering the Security of Digital Banking
Ministry of Finance
Speakers
Summary
This statement concerns the Government’s comprehensive ecosystem approach to bolster digital banking security following the $13.7 million lost by 790 customers in the recent OCBC phishing scams. Minister Lawrence Wong detailed immediate safeguards implemented by MAS and retail banks, including the removal of clickable links in communications and a 12-hour delay for new digital token activations. He noted that while OCBC systems were not breached, the bank is conducting an independent review of its response failures and has provided one-off reimbursements to all affected victims. Minister Lawrence Wong, Minister Josephine Teo, and Minister of State Desmond Tan are coordinating cross-agency efforts to enhance communication infrastructure and enforcement while stressing that no measure is foolproof without constant individual vigilance. To ensure future accountability, MAS plans to publish a framework for the equitable sharing of scam losses between financial institutions and consumers within the next three months.
Transcript
2.00 pm
The Minister for Finance (Mr Lawrence Wong): Mr Speaker, Sir, I am speaking in my capacity as Finance Minister and also as the Deputy Chairman of the Monetary Authority of Singapore (MAS). Today, Minister Josephine Teo, Minister of State Desmond Tan and I will address a total of 39 Parliamentary Questions (PQs) that have been posed to MAS, MCI and MHA arising from the recent OCBC phishing scams. They cover a wide range of issues – from whether the banks can do more to mitigate the risks of such scams, to how the telco infrastructure, enforcement actions and consumer education can be enhanced to deal with this growing problem. The breadth of the issues raised underscores that we need to take an ecosystem approach to strengthen our collective defence against phishing scams and scams in general. Everyone in this ecosystem must play their part.
The Ministerial Statements will explain the Government’s comprehensive approach, working with each party in the ecosystem, to counter the threat of phishing scams. I will provide more details on the OCBC phishing scam and on the steps that MAS and the banks are taking to strengthen safeguards against such scams. Minister Josephine Teo will then set out the measures being taken to enhance the broader communications infrastructure. And Minister of State Desmond Tan will elaborate on measures to strengthen enforcement and consumer education.
None of these measures can be foolproof in and of themselves, but, collectively, they should work to significantly reduce the scope for scams to succeed and their cost. With everyone on guard, including individuals, the industry and infrastructure providers, we hope not to see a recurrence of a large-scale scam as was seen in the OCBC case.
Taken together, Minister Josephine Teo, Minister of State Desmond Tan and I will address Oral Question Nos 7 to 32 and Written Question Nos 1, 2 and 8 on yesterday’s Order Paper, Oral Question Nos 1 to 5 and Written Question Nos 1, 2, 9 and 27 on today’s Order Paper. Mr Mohd Fahmi Bin Aliman has filed an Oral Question scheduled for a future Sitting on these issues. As today’s Ministerial Statements will address these questions, Mr Speaker, I would like to invite these Members to seek clarifications should they have any on these issues after the Statements.
Let me first round up the key facts regarding the recent OCBC SMS phishing scam. Seven hundred ninety OCBC customers lost a total of $13.7 million to the scammers, mostly over the year-end festive period from 23 December to 30 December. This is by far the most serious phishing scam we have seen involving spoofed SMSes impersonating banks.
Spoofed SMSes were sent with a fake sender ID, which, in many cases, made them appear in the same message thread as genuine SMSes. The victims, having received the spoofed SMSes in the same thread of messages from OCBC, were deceived into clicking the links in these SMSes that led them to scam websites. These scam websites were almost indistinguishable from the real OCBC website, such that people could not tell the difference unless they compared the URL of the scam website with that of the genuine one. Hence, many keyed their login credentials and one-time passwords (OTPs) into the scam websites. The scammers used these credentials and OTPs to take control of the victims’ bank accounts and made fraudulent transfers.
I should add that this was not a cyber attack on OCBC but a phishing scam on OCBC’s customers, who were deceived into providing their banking credentials and OTPs at scam websites set up by the scammers. At no time were the bank’s own systems breached.
In its efforts to stem the phishing scam, OCBC took various actions. It warned customers to be alert to spoofed SMSes, initially through general advisories on its website, and then, subsequently, through SMSes and emails to customers; it worked with the Singapore Police Force and the Cyber Security Agency to block and take down the scam websites; it ceased sending customers SMSes with clickable links; it enhanced its anti-scam controls; and it verified through a phone call every customer who submitted a request for digital token activation.
These actions were taken at various stages during the month as the phishing scams built up. OCBC should, however, have responded faster and more robustly at the first sign of the scams, which the bank had picked up in early December. OCBC informed MAS on 24 December that it had activated its incident response team. By then, the OCBC call centre was overwhelmed. It faced a surge in calls from affected customers as well as other worried customers who had not themselves received phishing messages. Despite the bank deploying additional resources, some affected customers experienced delays in reaching the bank to report the scams. To address Dr Tan Wu Meng’s query, prior to the OCBC incident, MAS had received only a few complaints concerning delays in customer service related to similar scams, in other words, the spoofed SMSes that impersonated banks.
OCBC has apologised for falling short of its own expectations in customer service and response. As a one-off goodwill gesture, the bank has undertaken to reimburse in full all customers affected by this phishing scam. It has made arrangements to do so with all the affected customers. To date, more than 90% of them have received reimbursements and the remaining reimbursements should be disbursed soon.
OCBC has also engaged an independent external party to conduct a thorough review of its anti-scam processes, including fraud surveillance, incident management and customer service, and to recommend necessary remedial actions, on top of what it has already done.
MAS will review these findings, take appropriate supervisory actions against the bank and closely monitor the bank’s implementation of remedial measures.
MAS has long had in place expectations for banks to have measures to secure the risk of digital banking. For example, banks have to implement multi-factor authentication, such as dynamic passwords or OTPs that can only be used once, to verify the customer’s identity and to authorise online transactions; they must maintain fraud monitoring systems to facilitate timely detection and blocking of suspicious transactions; and they must send notification alerts to customers for outgoing transactions, including credit card transactions, that exceed a threshold that customers can determine, so that they can report unauthorised transactions as soon as possible.
SPF, MAS and banks have also been issuing regular advisories to alert the public to online scams. Minister of State Desmond Tan will touch on that later.
In view of the increase in the number of scam cases, particularly in the last two years, MAS had, in the third quarter of last year, carried out a focused supervisory review of the adequacy of fraud controls in the digital banking channels of the three local banks.
The review surfaced a number of gaps. In October 2021, MAS conveyed to each of the banks its specific findings and recommendations for the remediation of the gaps observed.
The banks had committed to timelines to take these remedial actions, with most measures to be fully implemented by June 2022, while those requiring extensive changes in IT systems are to be completed by December 2022 at the latest. In agreeing to the timelines for implementation, MAS was mindful that the banks had multiple priorities, including mitigating the overarching cybersecurity threat that has been rising and ensuring business continuity and robust risk management amidst COVID-19.
When faced with the escalation in phishing scams in December 2021, OCBC fast-tracked the implementation of some of the measures identified in MAS’ supervisory review. For example, it extended the cooling period after a digital token is set up on a new mobile device, during which higher-risk transactions cannot be carried out.
The recent OCBC scam signifies a step-up in the persistence and deceptiveness of phishing scams involving banks. The scammers used a combination of well-orchestrated tactics to achieve a level of realism not seen in previous phishing scams. The Government is, therefore, further strengthening the safeguards in digital banking channels and the broader ecosystem to help thwart this enhanced threat.
MAS has accelerated the process of strengthening anti-scam control standards across all retail banks. As an urgent first step in this process, MAS and the Association of Banks in Singapore (ABS) announced a set of additional measures on 19 January 2022 for immediate implementation by retail banks in Singapore. These measures will substantially bolster the security of digital banking against scammers employing similar tactics as the OCBC scam cases. The measures include removing clickable links in all bank emails and SMSes sent to retail customers; delaying by at least 12 hours before a new soft token can be activated on a mobile device; lowering to $100 or below the default threshold for sending transaction notifications to customers; sending a notification alert to the customer’s existing mobile number or email registered with the bank whenever there is a request for change; sending scam alerts directly to customers through email or SMS; and setting up dedicated call centre teams on a 24/7 basis to assist customers facing a potential scam and to freeze compromised accounts immediately to prevent further illicit withdrawals.
These measures have reduced the risk of successful phishing scams. But they do not eliminate them altogether. Beyond these immediate measures, banks can and should do more to safeguard their customers.
MAS and ABS have stepped up work on further measures to comprehensively strengthen banks’ ability to deter, detect and combat phishing scams. Members have also raised some useful suggestions on additional measures that can be put in place. Let me outline the key measures that are being considered with regard to banks.
First, banks are working to further strengthen their fraud surveillance capabilities to identify suspicious and anomalous transactions. This includes credit card transactions. Most banks do have some rule-based parameters to trigger suspicion, for example, large transfers to a new recipient. But these parameters need to be expanded to take account of a broader range of scam scenarios. Beyond pre-defined parameters, MAS will expect banks to develop more versatile algorithms employing artificial intelligence and machine learning to detect suspicious transactions. Such algorithms should be based on multiple sources of information, including customer profile and vulnerabilities, past transaction patterns, account activity and mobile device identification. I must caveat that while these advances will help, fraud monitoring systems are not a silver bullet. It is not possible to detect every scam.
Second, banks should step up their ability to immediately block suspicious transactions and reach out to their customers to verify their authenticity. The transactions will be unblocked and processed only upon confirmation by the customer. Banks today do have some of these capabilities, but they are not consistent across various types of transactions. We are also looking into enabling customers to trigger a freeze on their own accounts without having to contact the banks if they suspect their accounts have been compromised.
Third, MAS and the banks are looking to introduce additional customer confirmations – not just notifications – for significant changes to their accounts or high-risk transactions, such as changes in account holder details, activating a token on another device, fund transfers that are large relative to their overall balances and overseas transfers. This will introduce some friction to customers carrying out genuine transactions. But we will all need to adapt and get used to these inconveniences, in order to strengthen the security of digital banking.
Fourth, banks are exploring expanding the use of biometric technology, in addition to passwords and OTPs, as a means of authentication. This will add one more layer of security that cannot be easily phished by scammers to access a customer’s account.
Fifth, banks will accelerate the shift towards the use of mobile banking apps for customer authentication, transaction authorisation and delivery of bank notifications. If implemented well, it will be harder for scammers to abuse mobile banking apps. At the same time, MAS and the banks are reviewing the use of SMS to deliver OTPs and the potential measures that should be taken to reduce risk if such a practice should continue.
Sir, there is no single measure that can guarantee the security of digital banking. The techniques employed by scammers are constantly evolving and gaining in sophistication. This is why in the fight against scams, banks need to employ a combination of measures in prevention, detection, response and recovery, and constantly review and recalibrate these measures.
Most of our banks already have many of these measures in place in one form or another. MAS will work with the banks to strengthen these measures and set minimum parameters. But it would be counter-productive to publish the specific calibration of these controls. This is no different from why the red flags that banks look out for to detect money laundering transactions are not published in full.
The enhanced measures that banks are taking will mitigate the risks posed by phishing scams. But realistically, it will not be possible to eliminate such scams completely.
MAS has set out expectations for banks to treat their customers fairly when looking into reports of fraudulent transactions. These include comprehensively investigating all cases and suspending late fees for disputed card transactions. Disputed transactions will not adversely affect consumers’ credit records with licensed credit bureaus during the investigation period.
Beyond this, it is important to establish a common and equitable framework for sharing the losses incurred by the customer. No matter which bank you go to, you should still receive the same fair treatment. OCBC’s recent goodwill payouts to fully cover customer losses were made as a one-off gesture and do not set a general precedent for future cases.
The Payments Council chaired by MAS has been working on a framework for equitable sharing of losses arising from scams. Under this framework, both banks and their customers have their respective responsibilities and the share of losses each party bears will depend on whether and how the party has fallen short of its responsibilities. Financial institutions should bear an appropriate share of losses arising from scams, but care must also be taken to ensure that any compensation paid to customers does not weaken their incentive to be vigilant.
MAS aims to publish the framework for public consultation within the next three months. Other than financial institutions, the players operating the communications infrastructure play a key role in digital security against scams. So, MCI and MAS will consider the shared responsibilities of all the key parties in the ecosystem to ensure that there is proper accountability.
To conclude, Sir, let me assure Members that digital banking itself is safe and secure. The threat we are facing is one of deception of customers, where scammers mimic bona fide communications and transactions to gain the trust of victims, induce in them a heightened state of anxiety or excitement, and exploit their lapse of attention to steal their credentials and passwords.
In the same way that we are all vulnerable to misinformation, we are also vulnerable to scams and must not be complacent. The digital world we live in today demands a posture of constant vigilance. The additional measures put in place by banks will mean more controls that a scammer will have to overcome, but they cannot guarantee that a customer will not be deceived.
SPF and MoneySense, the national financial education programme, will continue to step up their public education efforts to provide useful tools and tips that can help members of the public avoid falling prey to scams. There is no dominant customer profile of scam victims across different scam types, whether by education, wealth, age or gender. Everyone needs to be on their guard.
The problem of scams requires robust responses at the individual, industry and infrastructure levels – in short, an ecosystem approach where the various measures work in synergistic fashion. We are addressing the risks at every part of the digital ecosystem, so that, taken together, the measures will significantly mitigate risks for the entire system and enable us to operate safely in a digital world.
As I had explained earlier, this must involve the financial sector but it must go beyond it. MAS has been working in close coordination with MHA and MCI on a Government-wide approach towards scams. So, Minister Josephine Teo and Minister of State Desmond Tan will elaborate on this in their Statements.
Mr Speaker: The Minister for Communications and Information and the Minister of State for Home Affairs will be making related Ministerial Statements. I will allow Members to raise points of clarification on all three Statements after the third Statement. Minister Josephine Teo.