MAS tells financial institutions to tighten customer verification
ADDRESSING the potential risk that information stolen during the cyber attack on SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions, the Monetary Authority of Singapore (MAS) has ordered financial institutions to tighten their customer-verification processes.
With immediate effect, all financial institutions should not rely solely on the types of information stolen (name, NRIC number, address, gender, race and date of birth) for customer verification. Additional information must be used for verification before undertaking transactions for the customer. This may include One-Time Password, PIN, biometrics, last transaction date or amount.
The latest reminder comes in the wake of what is the most serious breach of personal data in Singapore to date. Hackers stole the personal particulars of 1.5 million patients of SingHealth, Singapore's largest group of healthcare institutions.
Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, had their outpatient prescriptions stolen as well. The data theft happened between June 27 and July 4.
The Business Times understands that most banks already have a stringent verification process in place.
For access to online financial services, banks are already required to put in place two-factor authentication, such as a PIN and One-Time Password at log-in, to identify their customers. They are also required to implement an additional layer of control to authorise high-risk transactions such as the opening of beneficial accounts, registration of third-party payee details and revision of funds-transfer limits.
Financial institutions also generally do not use personal information like name, NRIC number, address and date of birth as the sole means of verification. This is because these are often freely given out by members of the public for various purposes, such as when filling out lucky draw coupons or surveys.
On Tuesday, MAS also directed all financial institutions to conduct a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions.
Tan Yeow Seng, MAS' Chief Cyber Security Officer, said the central bank will work closely with the financial institutions to ensure that robust cyber defences are in place so that customers can carry out online financial transactions with confidence.
"But customers must also play their part. They must safeguard their passwords and practise good cyber hygiene. If they suspect any fraudulent transactions in their accounts, they should notify their banks immediately," he advised.
When contacted, DBS said the bank uses industry-leading security technology and protocols to ensure that customers' information and money are safe.
"We also constantly monitor credit/debit card transactions in real time for any suspicious activities.
"Following news of the SingHealth data breach, we immediately enhanced our customer verification measures used for customer phone queries. We have also been urging customers to be on the alert for scam calls or phishing emails," a DBS spokesman said.
Koh Ching Ching, who heads Group Corporate Communications at OCBC Bank, said the bank has in place a set of rigorous authentication measures to validate a customer's identity before proceeding with a request.
"However, to combat the risks arising from the SingHealth incident, we have further enhanced our customer-verification process to prevent any unauthorised financial transactions," she said.
Similarly at United Overseas Bank (UOB), robust policies, processes and practices are in place to safeguard customers against any unauthorised access to or instructions for their accounts. Customers are reminded that UOB does not send unsolicited SMS or emails asking them to provide their personal or account details.
Speaking to the British Chamber of Commerce's Orient magazine following the SingHealth hack, Jim Fitzsimmons, director of Cyber Security at Control Risks, a global risk consultancy, suggested that governments look closely at "the balance between guidance and penalties for cyber security, as getting the balance right is critical to ensuring accountability for securing citizens' data without overtaxing organisations". He also suggested that sharing of past breaches would raise awareness to prevent future ones.