Safeguards to Prevent Loss of CPF Savings Through Malware-related Scams
Ministry of Manpower
Summary
This question concerns the protection of CPF savings from malware scams, with Mr Melvin Yong Yik Chye inquiring about recent losses and preventive safeguards. Minister Dr Tan See Leng reported nine cases totaling $124,000 in losses and highlighted the introduction of Singpass Face Verification for CPF e-services as a key security measure. The Minister explained how scammers use malicious Android applications to exploit device accessibility services and noted that a Shared Responsibility Framework is currently being developed. Minister Dr Tan See Leng emphasized public vigilance regarding unauthorized downloads, while Senior Minister of State Dr Janil Puthucheary clarified that credentials are stolen from devices after users enable specific permissions. These policy responses aim to balance member convenience with the critical necessity of securing retirement savings against evolving cyber threats.
Transcript
3 Mr Melvin Yong Yik Chye asked the Minister for Manpower with regard to the recent cases of Android users losing close to $100,000 of CPF savings through malware-related scams (a) how many similar malware-related scams has the Ministry detected in the past three years; (b) what are the safeguards that the Ministry intends to implement to prevent CPF savings being lost to scammers; and (c) what recourse will the victims have with regard to their lost CPF savings.
The Minister for Manpower (Dr Tan See Leng): Mdm Deputy Speaker, my response to this Parliamentary Question will also address the Parliamentary Question filed by Mr Zhulkarnain Abdul Rahim as a written Parliamentary Question for yesterday's Sitting.
Since January 2023, the Police received more than 700 reports of victims having downloaded malware onto their phones, with more than $8 million worth of savings lost through unauthorised withdrawals from the victims' bank accounts and so on. Based on the investigations thus far, nine of these cases involved unauthorised Central Provident Fund (CPF) withdrawals, amounting to a net loss of $124,000 in CPF savings. I would like to add that the ninth case did not result in loss of CPF savings. So, even though nine involved unauthorised CPF withdrawals, the ninth case itself did not result in the loss of CPF savings because the Singapore Police Force (SPF) managed to stop the transfer out from the bank account of the CPF member.
CPF monies were paid from members' CPF accounts to their own bank accounts and then they were subsequently withdrawn from these bank accounts by the scammers.
The modus operandi of these malware-related scams has been extensively covered in an earlier joint advisory from the Police, Government Technology Agency (GovTech) and CPF Board on 29 June 2023. In gist, the victims downloaded malware-infected Android Package Kits, or APK, from unauthorised sites and they subsequently turned on accessibility services when told by the scammer to purportedly facilitate the purchase of items at a steep discount. Doing so allowed the scammer to take full control of the phone, steal banking and Singpass credentials stored in the phone and perform unauthorised CPF log-ins and withdrawals.
I urge all Singaporeans to stay vigilant. We should update our phones regularly with the latest security patches and we should only download apps from official app stores and exercise the greatest of caution when we are prompted to turn on accessibility services. These accessibility services are mainly meant to assist users with disabilities to use their devices, such as by allowing apps to read and control your screen.
As a further precaution, CPF Board and GovTech have introduced additional authentication measures since 22 June 2023 to increase the protection for CPF members. Members may be asked to perform Singpass Face Verification (SFV) or other checks when accessing CPF e-services. This provides additional security in addition to the existing two-factor Singpass authentication required for accessing CPF e-services. Members who require assistance on CPF services and the SFV can visit the CPF service centres and Singpass counters respectively. They may also call the Singpass helpdesk.
These additional safeguards may make it slightly less convenient for members to perform certain CPF e-services but I think members would agree that it is better to be safe than sorry. This is especially so in light of new threats. The Government will continue to review and monitor these threats closely and work closely alongside the banks to introduce more precautionary measures where necessary.
The Police will spare no effort in tracking down those responsible for such malware incidents and will take tough action against them. I urge anyone with information on such crimes to contact the Police immediately.
Mdm Deputy Speaker: Mr Melvin Yong.
Mr Melvin Yong Yik Chye (Radin Mas): Madam, I thank the Minister for his reply. I am heartened that the Government has placed this additional precaution to require CPF members who log in to their accounts using their Singpass to go through face verification. I believe this will go some way in patching one of the vulnerabilities inherent in the Android platform that allows scammers to install malware on the users' phone.
I would like to ask what is the demographic profile of the victims who have suffered losses from these malware-related scams. My constituency, Radin Mas, has a large proportion of seniors aged 60 and above. So, while we actively encourage our seniors to embrace digitisation, I am also well aware that they will also become vulnerable to such scams. So, what is the Ministry's estimate or projection on the proportion of such malware scams that can be prevented or thwarted with the implementation of such face verification? I think the Minister earlier mentioned a ninth case was successfully prevented by the Police. So, how is the Ministry of Manpower (MOM) or CPF Board working with SPF to better detect and prevent unauthorised transfers of CPF monies?
Dr Tan See Leng: I thank the Member for his supplementary question. For the demographics of the victims – the victims are between the ages of 55 and 80. Based on investigations, the net loss of CPF savings amounts to $124,000.
From the CPF safeguards, there are the additional precautionary measures that we have now undertaken, even though we constantly monitor many of these scams because they get very creative. Thus far, we think that it is sufficient to effectively limit the convenience in terms of the withdrawal of monies from the CPF accounts to their own bank accounts.
I understand that the Monetary Authority of Singapore (MAS) – with GovTech, the banks and also SPF – are separately working on a parallel initiative to see how to protect banking customers from allowing unauthorised withdrawals from their bank accounts. So, there are two parallel tracks here. From the CPF Board's perspective, the additional steps that we have put in as a precautionary measure, allowing the member to separately require Singpass Face Verification, is an added step.
And some members would inevitably say that that has resulted in a lot more inconvenience for them to withdraw their amount. But we think that this is actually necessary to protect their hard-earned monies.
For the separate track, that would probably require a separate Parliamentary Question with regard to the banking relationships with the account holders; how the steps have been effective in limiting withdrawal or unauthorised withdrawal from these banking accounts.
Mdm Deputy Speaker: Assoc Prof Jamus Lim.
Assoc Prof Jamus Jerome Lim (Sengkang): I am wondering if the Minister can share a little bit about whether the Government has also considered initiatives along the lines of insurance. I mention this, in part, because as I am sure he is aware, in usual banking-related frauds, insurance plays a big part in helping to recover fraudulent monies and in this case, CPF is both a mandatory savings scheme but is also a very, very big supplier. So, it may be possible to secure a fairly competitive insurance rate for the purposes of doing this kind of additional protection.
Dr Tan See Leng: I thank Assoc Prof Lim for his question. Indeed, we are considering that part of it. This is under the Shared Responsibility Framework, which involves the financial institutions, the telcos and many other participating entities. Currently, the Government is engaging very closely with all the different industry stakeholders and we will continue to do so. There is a plan for a public consultation paper to come out in the third quarter of this year. So, I suggest that perhaps, at that particular point in time, we can delve deeper into the details. [Please refer to "Clarification by Minister for Manpower", Official Report, 4 July 2023, Vol 95, Issue 106, Correction By Written Statement section.]
Mdm Deputy Speaker: Mr Gerald Giam.
Mr Gerald Giam Yean Song (Aljunied): Madam, just now I heard the Minister say that the scammers were able to obtain the victims' Singpass credentials from their phones after they managed to install the app on their phone. Is MOM working with GovTech to patch this vulnerability if it, indeed, is about the vulnerability?
Dr Tan See Leng: I thank Mr Gerald Giam for his question. Perhaps, Mr Giam may not have an appreciation of the different steps that these scammers sort of would navigate to actually get the CPF members to download these apps. Today, the vulnerability appears to be in the Android phones and generally our members may have just gone online, whether it is on Facebook or some other form of social media, and come across some particular app which purportedly gives him a steep discount; a very, very good deal, in which they have to download that particular app. And once they download the app, they will, more often than not, get phone calls from someone helping them to navigate and to use the app.
And they then hand over some of the navigational options to this and turn on the accessibility services on their Android phone itself. That then exposes themselves to all these scammers to then undertake and take over their information.
So, the added precautionary measure that we have put up is that for vulnerable members, they would need an additional step of using the Singpass Face Verification. We have these identities stored, because the NRICs, the passports, we have that. Based on our records, we can then ensure that the person who is logging in and making these withdrawals actually corresponds to the actual member and not through some scam account.
So, we believe that, today, that added step, which to some members causes a lot of inconvenience, is sufficient as a precautionary measure. I hope that addresses your concern.
Mdm Deputy Speaker: Mr Gerald Giam.
Mr Gerald Giam Yean Song: To clarify, I understand the process which the scammers use to access the phone. But just now the Minister said that once the accessibility is enabled, the scammers are able to read the passwords that are stored in Singpass. Typically, these passwords should not be stored at all inside the phone. So, I just want to understand whether or not this is something that is being looked into, as to why is it that passwords are stored inside the phone for that reason?
Dr Tan See Leng: I think there are a myriad of reasons why people store their passwords on the phones, in their notepads and so on. There are also members who write it down somewhere in a booklet and they put it at home.
I cannot tell you how members will want to store their passwords to remind themselves. But I think the added measure today, first of constantly educating our public to not download any form of innocuous-looking apps from unauthorised stores, unauthorised sites and also to not just switch on the accessibility services; and at the same time, not release details to someone who is unknown over the phone and at the same time adding on the additional security verification through the Singpass Face Verification step, I think it is sufficient for us to prevent, today, unauthorised withdrawals from the CPF account. Of course, I said that there are also parallel initiatives to deal with what happens after the money goes into the banking account.
So, there are all these measures that we are doing.
I would not want to be in a position of hubris where we say that we have got it all figured out. Because today, cybersecurity constantly evolves – scammers and hackers are getting more and more creative. So, we have to constantly work at nudging our people, working with one another to keep reminding all of our members, all of our citizens to always be vigilant. At the same time, the Government will also constantly find new ways to step up our precaution to protect our members. I hope that gives you the reassurance.
Mdm Deputy Speaker: Senior Minister of State Janil.
The Senior Minister of State for Communications and Information and Health (Dr Janil Puthucheary): Thank you, Mdm Deputy Speaker. I raised my hand, but I think Minister Tan had already made the point. The information is being taken from other parts of the phone, not as Mr Giam had asked about. But the point has been made by Dr Tan already.