Combating Rising Cybersecurity Crimes in Singapore Financial Fraud

Amid the COVID-19 pandemic, cyber crimes have become an increasing cause of concern. It has not been a good start to 2022 for at least 469 people who have fallen prey to phishing scams involving Bank A*, with reported losses totalling at least $8.5 million [6].

While technology has eased fund transactions, it is also a double-edged sword, making it easier for cyber criminals to carry out fraudulent transactions. In the phishing scams involving Bank A*, the modus operandi was largely similar. Victims received unsolicited SMSs purporting to be from the bank, claiming that there were issues with their bank accounts and that they had to click on a link to resolve them. The link led the victims to a trap where they were asked to key in their Internet banking login credentials to resolve the issues. The victims only realised they had been scammed when they received notifications of unauthorised transactions in their bank accounts, by which time the monetary losses had already been incurred.

Figure 1: Scams SMS not originated from Bank A*

 

Readiness of Financial Institutions (FIs) Against Cyber Attacks?

The pandemic has accelerated the adoption of real-time payments due to restricted face-to-face time and greater demand for contactless payments. While the convenience of real-time payments has benefited many bank consumers, it has also opened a new window of opportunity for fraudsters. This is concerning, as 4 out of 5 banks (78%) in the Asia Pacific (APAC) region have faced increased fraud losses with the increased adoption of real-time payments [3]. One explanation would be that most banks do have the most advanced fraud analytics for fraud prevention.

Even with the advancement in technology, fraud and financial crime technology will still need to adjust quickly to combat cyber criminals. Fraud detection analytics based on pre-pandemic purchase behaviour might be insufficient for predicting consumer behaviour, given the rapidly shifting geo-environment and uncertainties. Apart from the financial cost of missing fraud, these systems could also produce many false positives that wrongly identify legitimate consumer behaviour as suspected fraud, frustrating consumers and creating friction in the use of payment cards.

The majority of APAC banks surveyed (84%) have a multifactor authentication strategy. The commonly used authentication methods include biometrics (64%), normal passwords (62%) and behavioural authentication (38%). Interestingly, nearly half of the respondents (46%) are currently using only one or two of these strategies, potentially leaving them more exposed to cyber attacks [3].

Figure 2: Strategies of FIs to prevent fraud loss

 

Combating Cyber Attacks - A Combination of Efforts

MAS Legislation

While digital transformation brings significant benefits to the financial sector, it also exposes FIs to a wider range of technology risks, including cyber risk. On 18 Jan 2021, the Monetary Authority of Singapore (MAS) revised the MAS Technology Risk Management (TRM) Guidelines to help FIs establish sound and robust technology risk governance and maintain cyber resilience. The Guidelines also provide additional guidance on the roles and responsibilities of the board of directors and senior management in managing technology and cyber risks, and on having the relevant knowledge to provide effective oversight of those risks. Clause 14.1.1 states that FIs should implement security and control measures that are commensurate with the risks involved to ensure the security of data and online services.

 

Technology

Clause 14.3.1 of the MAS TRM Guidelines highlights that FIs should implement real-time fraud monitoring systems to identify and block suspicious or fraudulent online transactions to bolster the security of digital banking. To combat cyber scams and fraud, FIs must keep up with technology and prepare for unprecedented events. A layered fraud defence framework with advanced behavioural analytics, for instance, can be deployed to detect out-of-pattern payments. Two-way consumer communication services can also help FIs intervene in scams before it is too late. By leveraging Artificial Intelligence (AI) and Machine Learning (ML) technologies such as Robotic Process Automation (RPA), FIs can identify scams through typically used keywords. RPA can also improve the productivity of employees working in FIs by automating routine processes and workflows.
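
A layered check for out-of-pattern payments, as an added example (not from the article or the MAS Guidelines): it combines a behavioural amount baseline with a new-payee rule, and shows how a baseline that still includes old spending habits produces the false positives discussed earlier. The field names, thresholds, window sizes and sample payments are assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample data: 20 older small card payments, then 10 recent
# larger online transfers by the same (hypothetical) customer.
OLD = [{"payee": "hawker-stall", "amount": 12 + (i % 5) * 2} for i in range(20)]
RECENT = [{"payee": "grocer-online", "amount": 180 + (i % 4) * 20} for i in range(10)]
HISTORY = OLD + RECENT


def robust_z(amount, amounts):
    """Distance from the median in scaled-MAD units (outlier-resistant z-score)."""
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts) or 1.0  # avoid divide-by-zero
    return abs(amount - med) / (1.4826 * mad)


def assess(payment, history, window, z_limit=3.5):
    """Layer 1: amount vs. behavioural baseline. Layer 2: payee never seen before."""
    baseline = [p["amount"] for p in history[-window:]]
    out_of_pattern = robust_z(payment["amount"], baseline) > z_limit
    new_payee = payment["payee"] not in {p["payee"] for p in history}
    if out_of_pattern and new_payee:
        return "hold"    # block until the customer confirms via two-way message
    if out_of_pattern or new_payee:
        return "notify"  # let it through but alert the customer
    return "allow"


if __name__ == "__main__":
    routine = {"payee": "grocer-online", "amount": 210}
    unusual = {"payee": "never-seen-account", "amount": 5000}
    print(assess(routine, HISTORY, window=10))  # baseline = recent behaviour
    print(assess(routine, HISTORY, window=30))  # baseline includes old habits
    print(assess(unusual, HISTORY, window=10))
```

With the 30-payment baseline the routine S$210 transfer is flagged only because the old low-value payments dominate the median; the 10-payment baseline lets it through while the large transfer to an unseen payee is still held.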

 

Collaboration of FIs and agencies

Besides having the necessary technology to combat cyber attacks, another approach is cross-industry collaboration and partnership between FIs and government agencies to protect consumers from financial losses. For instance, Project Frontier, which was launched in 2021, was a collaborative effort between the Singapore Police Force (SPF) and 20 FIs to combat fraudulent activities by reducing the time needed to freeze scammers’ bank accounts to under 24 hours from the previous timeline of 14 to 60 days [5].

 

Educating consumers

Consumers play an important role in preventing financial fraud. There is a need to educate consumers and communicate the dangers of cyber attacks to them, so that they do not fall victim to financial fraud. Clause 14.4 of the MAS TRM Guidelines highlights the importance of consumer education and communication by FIs for the prevention of cyber crimes. The Cyber Security Agency of Singapore (CSA) has also launched “Better Cyber Safe than Sorry”, a national cybersecurity awareness campaign which is currently still ongoing. CSA adopted a mix of out-of-home, digital and free-to-air media platforms to increase cybersecurity awareness and to improve the adoption of good cybersecurity practices in our daily lives [2].

 

Trade-off between convenience and security

The recent phishing scam that affected hundreds of Bank A* customers has also highlighted the trade-off between convenience and banking security. Cybersecurity experts are concerned about Singapore's reliance on passwords for online banking, including two-factor authentication methods such as one-time passwords (OTPs) sent via SMS, which are vulnerable to phishing attacks [7]. The cyber criminals succeeded in prying information out of unsuspecting consumers' hands by preying on human emotions. Clause 14.2.5 of the MAS TRM Guidelines mentions implementing time-based OTPs, and states that FIs should establish a validity period that is short and practicable to lower the risk of a stolen OTP being used for fraudulent transactions.

Experts view cryptographically secure, possession-based authentication as more secure than knowledge-based authentication. Though it is seen as a more secure form of authentication, it could inconvenience customers in their transactions if they misplace their authentication devices or are overly reliant on knowledge-based authentication. Convenience of transactions should not compromise security, and vice versa. In the MAS TRM Guidelines, Clause 14.2.3 mentions implementing transaction-signing (digital signature) for authorising high-risk activities such as high-value transactions. This would have greatly hindered the success of the scam.
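
The difference between the time-based OTP of Clause 14.2.5 and the transaction-signing of Clause 14.2.3, as an added example (not from the article or the MAS Guidelines): an OTP is valid for any request made within its time step, whereas a transaction-signing code only verifies for the payee and amount it was computed over. The example uses a shared-key HMAC code in place of a digital signature; the 30-second step, the key and the account names are assumptions.

```python
import hashlib
import hmac
import json
import struct

STEP = 30  # assumed validity period of a code, in seconds


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int) -> str:
    """Time-based OTP (RFC 6238, HMAC-SHA1): depends only on key and time."""
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(key, counter, hashlib.sha1).digest(), 6)


def verify_totp(key: bytes, code: str, now: int) -> bool:
    """Accept only the current time step, so a stolen code expires quickly.
    Note what is missing: nothing ties the code to a payee or an amount."""
    return hmac.compare_digest(totp(key, now), code)


def sign_transaction(key: bytes, payee: str, amount_cents: int, now: int) -> str:
    """Transaction-signing code: the MAC covers time step, payee and amount."""
    msg = json.dumps([now // STEP, payee, amount_cents]).encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), 8)


def verify_transaction(key: bytes, code: str, payee: str,
                       amount_cents: int, now: int) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    expected = sign_transaction(key, payee, amount_cents, now)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    code = sign_transaction(key, "ACC-1111", 5000, now=59)  # customer approves S$50
    print(verify_transaction(key, code, "ACC-1111", 5000, now=59))    # same payment
    print(verify_transaction(key, code, "ACC-9999", 500000, now=59))  # altered payment
```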

 

Moving Ahead - Enforcing Stricter Legislation to FIs?

In the latest regulatory update on 19th Jan 2022, MAS and the Association of Banks in Singapore (ABS) announced several changes to be implemented by banks to bolster security [4]. The most prominent changes are the removal of clickable links in emails or SMS messages sent by banks to retail customers, and setting the default threshold for funds transfer notifications to customers at S$100 or lower. MAS will also be working closely with SPF, the Infocomm Media Development Authority (IMDA) and other relevant parties to ensure a safe and secure environment for digital banking.

In addition, MAS and IMDA have collaborated to initiate the Singapore SMS Sender ID protection registry pilot. This registry enables organisations to register the SMS sender ID headers that they wish to protect. When a protected SMS sender ID is used without authorisation, the messages will be blocked. In light of the recent SMS phishing scams involving Bank A*, a petition was started for IMDA to enforce SMS sender ID pre-registration, as cyber criminals could easily abuse the lack of an SMS sender ID pre-registration requirement in Singapore [1]. It remains to be seen whether IMDA will enforce the Singapore SMS Sender ID protection registry pilot, and what the impact will then be on FIs as well as on consumers.

 

Conclusion

Financial crime syndicates are constantly devising new ways of infiltrating financial systems to profit illegally. There is simply no room for complacency, as anyone can be a target of cyber crime. FIs, regulators and consumers must remain vigilant and work collaboratively to adapt to ever-evolving fraud and financial crime threats. FIs should leverage digital technologies to make banking solutions more convenient and accessible for their consumers, without having to make security trade-offs. Concurrently, consumers are also responsible for practising good cyber hygiene, such as setting a strong password and keeping their security systems up to date.

 

*Name of Bank to be masked in accordance with anonymity under PDPA.

 

References:

[1] https://www.businesstimes.com.sg/banking-finance/petition-calls-for-imda-to-enforce-sms-sender-id-pre-registration-in-wake-of-ocbc

[2] https://www.csa.gov.sg/gosafeonline/Go-Safe-For-Me/HomeInternetUsers/Spot-Signs-Of-Phishing

[3] https://www.fico.com/en/newsroom/fico-survey-real-time-payments-platforms-have-increased-fraud-losses-4-out-5-apac-banks

[4] https://www.mas.gov.sg/news/media-releases/2022/mas-and-abs-announce-measures-to-bolster-the-security-of-digital-banking

[5] https://www.mha.gov.sg/mediaroom/parliamentary/committee-of-supply-debate-2021-on-securing-singapore-with-the-community-speech-by-mr-desmond-tan-minister-of-state-ministry-of-home-affairs-and-ministry-of-sustainability-and-the-environment/

[6] https://www.straitstimes.com/singapore/courts-crime/ocbc-bank-customer-lost-120k-in-fake-text-message-scam-another-had-250k-stolen

[7] https://www.todayonline.com/singapore/ocbc-phishing-scam-underscores-trade-between-convenience-and-security-bank-customers-risk-experts-1789236