In banking, security and convenience don’t mix

A couple of years ago, a family member discovered that her credit card was used to buy cryptocurrencies from a remote tax haven without her authorisation.

She immediately informed the bank, but was told a two-factor authentication SMS had been sent and acknowledged.

We later learnt, based on online forum discussions among people who faced a similar situation, that it was likely a case of the bank's online system getting compromised.

Since there was no way to prove otherwise then, we dealt with the ordeal for months until the bank fortunately reimbursed the lost savings in a gesture of goodwill.

 Recent news of major banks rolling out enhanced digital lock features, against a spate of scams, has triggered memories of this inconvenient episode.

The big three - DBS Bank, OCBC Bank and UOB - have committed to rolling out a new security feature that allows people to lock up accounts that can continue to remain open to incoming digital payments, but from which withdrawals can be made only physically from an ATM or a bank branch.

 The new digital lock initiative is meant to work as a shield to further protect customers' savings from scammers, malware, as well as a whole range of security loopholes and strategies hackers might employ against digital banking.

 This novel "digital in, physical out" approach is promising as it limits the exposure of customers and banks, while putting up more barriers against scammers intending to employ fraudulent transactions to gain access to bank accounts.

 This "phygital" approach to ringfence savings may be the first of its kind globally.

Banks have already shored up security enhancements in recent days. Banking apps have been re-engineered to deny customers access if malicious software is found on their phones. Scale of online scams

Such moves are necessary, given the growing trend of cybercrime in Singapore and internationally.

US-based cyber-security data platform Cybersecurity Ventures estimates cybercrime to cost the world about US$8 trillion (S$11 trillion) each year, or about US$253,000 every second.

If cybercrime syndicates were a nation, its "output" would amount to that of the third-largest economy in the world, after the United States and China, according to a Forbes India report.

In Singapore, the tide of cybercrime is growing. In the first half of 2023 alone, $334.5 million worth of savings have been lost to scams. Scam cases have spiked 64.5 per cent compared with the same period in 2022.

And despite countermeasures to shore up security, the tide is not turning. Victims of malware scams lost about $10.6 million in July and August alone, matching the amount they lost in the previous six months.

Even more worrying is the demographics of scam victims. More than half of scam victims are young adults aged 20 to 39. More On This Topic 'I carried around my piggy bank': Amid DBS, Citibank service outage, cash is king Gone in 15 minutes: Woman loses $72.5k after downloading third-party app to sell used kitchen items Need for physical verification

Full details of the new digital lock initiative are pending.

News reports suggest some type of cross-channel authorisation or multi-factor authentication would be involved.

In other words, to access these savings, customers must either combine something they know, like a password, with something they have, such as a smartphone, or something inherent to them, like their face, voice or fingerprint.

This is probably why customers may be required to visit their banks for an in-person verification to withdraw ringfenced savings.

Only one bank has mentioned the requirement for physical verification so far, but others may follow.

While such an initiative benefits customers, the implementation of such a system comes with drawbacks and confusion, at a time when banks are championing seamless customer experience and fully digital transactions.

Seniors may be able to spare time to queue at the bank for an in-person verification.

But for working adults, aligning work schedules with banking hours can be a significant hurdle. Already, some bank branches have lengthy queues, especially during the lunch peak.

This logistical complexity and added inconvenience are compounded for customers, especially those who choose to ringfence their savings across different banks.

This group will need to travel to multiple branches to access their locked funds. The big three - DBS Bank, OCBC Bank and UOB - have committed to rolling out a new security feature.

An in-person verification requirement may also mean that banks need additional personnel to manage the process - meaning higher operational costs, either through new hires or by stretching the capacity of existing staff.

Either way, banks may pass on a portion of the costs to customers, taking the form of fees, or a reduction in or the complete absence of interest rates on the locked-up savings, like a fixed deposit account without interest.

This will unfortunately deter customers from adopting the digital lock service, defeating its purpose altogether.

Furthermore, there is the issue of varying technological readiness. Younger, tech-savvy customers can easily navigate the new digital lock features, but the same may not be true for others.

Older folk and other slower adopters of technology may find the new features challenging to navigate and shun them.

While young adults form the majority of scam victims in Singapore, anecdotal instances suggest that the monetary loss incurred by older adults can be significant. Hard-earned retirement savings lost to online frauds, like the $1 million scam suffered by a retiree reported last week, are common.

Eliminating methods of identity theft through in-person verification is crucial.

Assuming, however, that banks do not require in-person verification and decide, for convenience, to do the necessary checks digitally, how then can they ensure the authenticity of off-site verification?

Deepfake technology, powered by artificial intelligence (AI), can fool security features in video calls.

AI programs such as Microsoft's VALL-E and Meta's Voicebox are capable of cloning voices after hearing just seconds of a voice clip, and impersonating someone based on their social media profiles. More On This Topic Want to fight scams? We may have to ditch some practices that make transactions easy Over $1m lost in 15 days: S'porean retiree loses life savings in scam by fake Facebook friend Interoperability versus vulnerability

A second conundrum revolves around interoperability versus vulnerability.

On the one hand, there may be a desire to unify all decentralised digital lock protocols and verifications rolled out by individual banks for consumer convenience and ease of use.

A standardised digital lock protocol, much like the 5G standard for telecommunications, might be on the cards.

This will require some work and much persuasion.

Banks traditionally maintain their own set of verification protocols, which are deeply rooted in the banks' histories, risk appetite and institutional practices, reflecting their unique identities.

For instance, some banks enforce stringent know-your-customer and anti-money laundering procedures, while others may have a more relaxed approach to these protocols.

Harmonising them into a standardised process has obvious benefits.

But achieving this ironically has larger drawbacks: A universal standard, once compromised, would expose the entire banking system to a catastrophic security breach. When bank officers are tested by Singlish-savvy AI 'assistants' Fintech without friction can be a very slippery slope Don't rely only on digital locks

Perhaps the best way forward is to bolster banking security systems by looking beyond digital locks. They could focus on pre-empting and identifying scams early.

Banks should consider establishing emergency response teams to provide immediate aid to scam victims. Operating round the clock, teams should have the authority to monitor and intervene in the event of any suspected fraudulent or unauthorised transactions.

An anonymous hotline or online reporting portal can provide a direct and immediate channel for customers to report suspicious activities to banks, even without lost funds.

Information collected can be a valuable resource for AI to identify fraud trends, patterns and techniques. No foolproof system in cyber security

All things considered, it is ultimately crucial for people to be aware of the growing sophistication of scams.

There is no foolproof online banking system, as criminal methods would evolve with technological advancement.

Banks cannot possibly ban customers from downloading malware-laden apps, just as they cannot stop customers from falling prey to scammers, who may devise new schemes to persuade customers to visit the banks in person to withdraw their savings or transfer them into fraudulent accounts.

We should also expect a new wave of scam victims, as a rush of customers seeking to ringfence their savings could paradoxically trigger a fresh slew of fraudulent activities.

Banks ought to proactively warn customers about the potential new scams, provide clear instructions on how to use the new features safely and ramp up scam awareness campaigns in tandem with the roll-out.

Scammers will likely exploit the opportunity to send phishing messages and make scam calls to offer new digital lock services. Customers could be misguided to visit fake bank websites to sign up for the digital lock features.

As we bid farewell to the days of hiding money under our pillows, we must recognise that a zero-risk online banking environment is non-existent.

Digital lock features are promising initiatives to slow down scammers, but the onus is still on us to stay ahead of the game, learn about cyber security, stay updated on scam tactics and always maintain a healthy dose of scepticism. Kelvin Law is associate professor of accounting at Nanyang Technological University's Nanyang Business School, and his research examines corporate sustainability and financial fraud. 

Source: The Straits Times