With market figures indicating cybersecurity attacks are increasing in volume and sophistication, it’s not surprising that businesses will seek ways to better safeguard their assets. Banks, in particular, want bigger moats since they have more to lose.
However, fortified defenses inevitably mean legitimate users will have to burrow deeper to get access to services. The result is a perennial debate about finding the right balance between security and usability.
And it seems one bank in Singapore might need to address that balance after it introduced a security function that left several of its customers frustrated.
OCBC last week rolled out a feature that locks customers out of its digital banking services if it detects mobile apps on the user’s device that were not downloaded from official app stores, such as Google Play Store and Huawei AppGallery.
Citing the need to protect customers against malware, the bank said this “enhancement” enables its app to identify errant apps on the customer’s device. The security feature also checks the permission settings of installed apps against permissions that the bank deems risky or that are commonly requested by malware-laced apps.
When an app fails either check, customers will not be able to log in to their account via OCBC’s mobile app or online-banking site until they uninstall or remove the “rogue” app.
This high level of security sounded great — until complaints started popping up. Customers found themselves locked out, even though apps flagged by the bank’s new security feature had actually been downloaded from official app stores. These apps included Microsoft Authenticator, LG ThinQ, CCleaner, and Trend Micro. Even apps that were cleared by customers’ own antivirus mobile apps were tagged as risky by the OCBC security feature.
Affected customers said the bank’s recommended solution of deleting and reinstalling the specific apps from official app stores did not work.
In most cases, OCBC’s response was standard — the new security feature is part of efforts to combat fraud and “safeguard our customers” from suspected malicious apps. “We apologize for any inconvenience caused,” it said several times over to irate customers on its Facebook page. “We seek your patience as this feature is aimed to safeguard customers from malware scams.”
This situation seems like a case where security has trumped usability. I was relieved, having read the anecdotes of aggrieved OCBC customers, that I had chosen to bank with another firm. But then industry regulator Monetary Authority of Singapore (MAS) stepped up to voice its support for the bank’s security feature.
“Security measures will come with some measure of added inconvenience for customers, but they are necessary to maintain security of and confidence in digital banking,” MAS said. “Coupled with a vigilant and discerning public, robust security measures will help us strengthen our defense against scams.”
In view of the regulator’s cheerleading role, I’m now anticipating that the remaining two major local banks, including mine, will follow suit some time in the very near future and roll out a similar security “enhancement”.
Perhaps OCBC is serving penance for taking center stage in last year’s phishing scams, or maybe it lost a game of rock, paper, scissors and was picked to be the first bank to roll out the security feature — and, hence, had to bear the brunt of customer ire?
Whatever the case, OCBC’s muddled launch leaves much to be desired and throws up questions that the whole industry, including its regulator, will need to address collectively.
Consumer trust and shared responsibility
First, let’s get one thing straight. This isn’t simply a question of privacy, but of user trust. When things don’t work the way they’re supposed to work, trust will erode.
Use only apps from official app stores and you’re good, OCBC customers were assured. But that approach turned out to be problematic.
‘Oh, then your app’s permission settings are the issue,’ customers were told. However, the bank has remained coy about the details of what these permission settings are, presumably so the bad guys aren’t tipped off about how to circumvent these flags.
More generally, the lack of information, and transparency, means users are left wondering what exactly is so wrong with the apps — apps that they had downloaded from official stores and that were built by legitimate companies. Does that mean the likes of Microsoft, LG, and Trend Micro are releasing apps that contain security risks, as deemed by OCBC?
And if that isn’t the case, does that mean apps are being mistakenly identified by a major bank’s security ‘enhancement’? A security enhancement that should have been rigorously checked and tested and checked again before it’s released to the public?
How much trust, therefore, should consumers put in a security feature that is unable to properly distinguish between legitimate apps and those that carry actual risks?
To top it off, users are being told their decisions on how they want to operate their devices are invalid. In other words, this security enhancement is implying ‘remove your naughty apps or you can’t use ours’.
So, when businesses override a customer’s decision on how they want their devices to be secured, does it make them fully liable when a breach occurs? I believe it potentially should, since the customer has little say in the apps, including antivirus tools, that they can have on their phone if they wish to continue accessing their bank account.
I recently had a similar conversation with some industry folks, during which I mentioned a personal peeve with regards to app permissions and organizations’ inability, or unwillingness, to explain why they need access to features that are unnecessary to facilitate their services.
It was then suggested to me that the lack of transparency might be offset by the assurance that these businesses, in their own interests, would not want to develop an app that put their customers at risk and, hence, damaged their own brand reputation.
I would argue that this stance shouldn’t absolve customers from taking responsibility for their own security posture.
In fact, the Singapore government, perhaps to the delight of businesses, has repeatedly emphasized the need for consumers to assume shared responsibility in safeguarding their cyber hygiene.
“The ongoing fight against scams requires an ecosystem approach, with all stakeholders playing their part in staying vigilant and guarding against scams,” MAS had said. The regulator is working on a liability framework that it says will make clear the roles and responsibilities of financial institutions, telcos, and customers to be vigilant against online scams.
If consumers are made to assume responsibility, and liability, for their online hygiene, shouldn’t they then have the right to make their own decisions on how they can best protect themselves?
And shouldn’t there be more transparency and access to information on how the organizations consumers transact with are securing their services?
For the sake of their customers (and my sanity), I hope the other banks set to follow in OCBC’s footsteps have been taking notes and working to ensure they avoid a similarly messy rollout.
For instance, could OCBC have mitigated some of the issues by offering customers a personal ‘whitelist’ to which they can add apps initially flagged by the bank’s security feature? These apps could be checked and assessed against security policies, and added to the whitelist only after they’ve been ascertained to be safe.
Banks could put a cap of, say, three apps in the whitelist, so customers are motivated to prioritize apps that are absolutely necessary and banks can manage the resources needed to facilitate this approach. They can also use artificial intelligence tools to automate some processes and optimize the app assessment cycle, as well as maintain a repository of approved ones, further reducing the effort required to upkeep the whitelist.
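To make the two checks described earlier and the capped whitelist proposed here concrete, the following is an added example written for this page; it is not OCBC’s code and does not claim to reproduce the bank’s actual rules. It models a device’s app inventory as records of package name, installer package and requested permissions (on Android this is the kind of data an app can read through the package manager), flags an app if it fails either the install-source check or the permission check, exempts flagged apps that the customer has allowlisted (capped at three entries), and explains which apps caused a lockout. The package names, the installer for sideloaded apps and the list of “risky” permissions are assumptions for illustration; the inventory is constructed.

```python
"""Toy model of an app-hygiene login gate like the one the column describes.

Constructed example, not OCBC's code: it evaluates a device's app inventory
against two checks (install source and requested permissions), supports a
small customer allowlist capped at three entries, and reports why a login
was blocked.  Package names, the sideloaded installer and the
risky-permission list are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Installer package names for Google Play and Huawei AppGallery.
OFFICIAL_STORES = frozenset({"com.android.vending", "com.huawei.appmarket"})

# Permissions often requested by banking malware; an assumed, illustrative set.
RISKY_PERMISSIONS = frozenset({
    "android.permission.SYSTEM_ALERT_WINDOW",       # overlay phishing
    "android.permission.READ_SMS",                  # OTP interception
    "android.permission.RECEIVE_SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES",  # dropper behaviour
})

ALLOWLIST_CAP = 3  # the "say, three apps" cap suggested in the text


@dataclass(frozen=True)
class InstalledApp:
    package: str
    installer: Optional[str]          # None when sideloaded / unknown
    permissions: FrozenSet[str]


@dataclass
class Verdict:
    locked: bool
    flagged: Dict[str, List[str]]     # package -> reasons it was blocked
    exempted: List[str]               # flagged but on the customer's allowlist


def flag_app(app: InstalledApp) -> List[str]:
    """Return the reasons an app fails the gate; an empty list means clean."""
    reasons = []
    if app.installer not in OFFICIAL_STORES:
        reasons.append(f"installed from {app.installer or 'unknown source'}")
    risky = sorted(app.permissions & RISKY_PERMISSIONS)
    if risky:
        reasons.append("risky permissions: " + ", ".join(risky))
    return reasons


def evaluate(apps, allowlist=frozenset()) -> Verdict:
    """Block login if any non-allowlisted app fails either check."""
    if len(allowlist) > ALLOWLIST_CAP:
        raise ValueError(f"allowlist limited to {ALLOWLIST_CAP} entries")
    flagged, exempted = {}, []
    for app in apps:
        reasons = flag_app(app)
        if not reasons:
            continue
        if app.package in allowlist:
            exempted.append(app.package)
        else:
            flagged[app.package] = reasons
    return Verdict(locked=bool(flagged), flagged=flagged, exempted=exempted)


# Constructed inventory: a legitimate authenticator from Play that happens to
# request an overlay permission (the false-positive case), a clean weather
# app from AppGallery, and a sideloaded dropper with no installer recorded.
SAMPLE_DEVICE = [
    InstalledApp("com.example.authenticator", "com.android.vending",
                 frozenset({"android.permission.CAMERA",
                            "android.permission.SYSTEM_ALERT_WINDOW"})),
    InstalledApp("com.example.weather", "com.huawei.appmarket",
                 frozenset({"android.permission.ACCESS_COARSE_LOCATION"})),
    InstalledApp("com.example.dropper", None,
                 frozenset({"android.permission.READ_SMS",
                            "android.permission.REQUEST_INSTALL_PACKAGES"})),
]


if __name__ == "__main__":
    for allow in (frozenset(), frozenset({"com.example.authenticator"})):
        v = evaluate(SAMPLE_DEVICE, allow)
        print(f"allowlist={sorted(allow)} locked={v.locked}")
        for pkg, why in v.flagged.items():
            print(f"  blocked by {pkg}: {'; '.join(why)}")
        for pkg in v.exempted:
            print(f"  exempted {pkg}")
```

Run as a script, the first pass locks the device because of both the authenticator (permission check) and the dropper (both checks); allowlisting the authenticator leaves the device locked only by the dropper, and removing the dropper then unlocks it. The point of the `flagged` reasons is the transparency the column asks for: a customer told which app tripped which rule can act on it, whereas a bare “remove your rogue apps” cannot be acted on.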
And if they’re not already doing so, banks should be in touch with major app developers, including antivirus software vendors, on how their permission settings may or may not pass their security checklist. That’s assuming they, too, are choosing not to divulge specifics behind app permissions they consider to be risky.
Above all, the one key question all banks will want to ask themselves is whether they’re prepared to take full liability in the event of a security breach, should they choose to override their customers’ security choices.