OCBC has left several of its customers frustrated after introducing a security feature that locks out access if mobile apps downloaded from unofficial app stores are detected on the user’s device.
The Singapore bank rolled out the security feature on its mobile app early this week, citing the need to protect its customers against malware.
The “enhancement” allows its app to identify apps that are not downloaded from official app stores, such as Google Play Store and Huawei AppGallery. The new security feature also checks the permission settings of apps against those the bank deems to present potential risks or that are commonly used in malware-laced apps.
When apps that do not meet both of the criteria are detected, customers will not be able to log into their account via OCBC’s mobile app or online banking site until they uninstall or remove the “rogue” apps.
Customers who want to continue using these apps are advised to download and reinstall them from official app stores, OCBC said on its Facebook page.
OCBC further noted that the new security feature does not monitor its customers’ phone activities or conduct surveillance on the mobile device, nor does it collect or retain customers’ personal data.
“This technology detects apps that are not downloaded from official app stores only when the OCBC Digital app is opened,” the bank added. “It does not identify the owner of the device. All it does is to alert customers to apps that could compromise the device to malware scams.”
“We apologize for any inconvenience caused. We seek your patience as this feature is aimed to safeguard customers from malware scams,” it said.
Its customers, though, were left frustrated after finding themselves unable to access their banking services, prompting several to air their grievances on the bank’s Facebook page. These included users who said apps they had downloaded from official app stores were identified as malware by OCBC’s security feature.
One such customer said Microsoft Authenticator was singled out, even though the two-factor authenticator app was published by Microsoft and downloaded from Play Store. The customer added that they still were unable to access OCBC’s app even after uninstalling and reinstalling Microsoft Authenticator from the Google app store, as recommended by an OCBC administrator.
Others said apps for their smart home devices, such as LG ThinQ, also were highlighted even though they were downloaded from official app stores. System optimizer apps such as CCleaner did not make the cut either.
Another reported that even their Trend Micro antivirus mobile app was flagged since it was not downloaded from an official app store.
Most said OCBC’s recommended solution of deleting and reinstalling the specific apps from official app stores did not work.
One customer also noted that apps developed out of China appeared to be blocked, even though the apps were not detected as security risks by their own antivirus tool.
One customer highlighted the oft-cited need to balance convenience and security, warning that businesses such as OCBC will otherwise risk losing their customers. Another put it more plainly: “What right does OCBC have to decide what we can install?”
Amid the complaints, industry regulator Monetary Authority of Singapore (MAS) released a statement voicing its support for the bank’s security feature, which it said aims to address risks associated with downloading applications from unauthorized sources, since these may contain malware.
“It is in the nature of new innovations that they may cause unintended inconveniences,” the regulator said, adding that it would work with banks in Singapore to learn from such experiences so security features can be continuously enhanced.
MAS said it had been working with these organizations on measures to combat risks related to malware scams, to which customers increasingly had fallen victim, and “strongly supports” banks’ initiatives to strengthen the security of digital banking activities.
The regulator noted that the Association of Banks in Singapore also will review the effectiveness of existing anti-scam measures as the threat landscape evolves.
“Security measures will come with some measure of added inconvenience for customers, but they are necessary to maintain security of and confidence in digital banking,” MAS said. “Coupled with a vigilant and discerning public, robust security measures will help us strengthen our defence against scams.”
OCBC was at the center of a spate of SMS phishing scams last year, which wiped out SG$13.7 million ($10.17 million) from the accounts of 790 customers. Scammers had manipulated SMS Sender ID details to push out messages that appeared to be from OCBC, urging the victims to resolve issues with their bank accounts. The victims then were redirected to phishing websites and instructed to key in their bank login details, including username, PIN, and One-Time Password (OTP).
This prompted the Singapore government to step up security measures to bolster local banking and communications infrastructures, which included the need for SMS service providers to check against a registry before sending messages through. Banks also are expected to develop “more versatile” artificial intelligence (AI) models to detect suspicious transactions.
In addition, Singapore banks were instructed to provide a “kill switch,” allowing customers to quickly suspend their accounts should they suspect a security breach.
Consumers also were urged to use mobile banking apps, instead of web browsers, to access their accounts in order to minimize the risks of navigating to fraudulent websites. The Singapore government had underscored the need for customers to assume responsibility for their own cyber hygiene by taking “necessary precautions.”