EDITORIAL

Banks should devote more resources to thwart cyber theft, and take their fair share of responsibility

Published Wed, Jan 19, 2022 · 09:40 AM

DIGITAL banking is by now ubiquitous and that is a good thing. Until recently, most individuals would profess confidence in the security of online banking, where the most common precaution used by banks is 2-factor authentication. This means that after a client accesses his or her digital account via a user name and password, a second layer of verification kicks in, where a one-time password (OTP) is sent via SMS, or by a physical or digital token. The vulnerabilities of this framework were thrown into sharp relief in the recent phishing debacle that engulfed 470 clients of OCBC, where roughly S$8.5 million was siphoned from their accounts last December.

To be sure, phishing isn't a new phenomenon. This mode of cyberattack, involving fraudulent communication that looks like it is from a reputable source, is in fact among the most common today. The attack steals customer data such as credit cards and bank accounts, or instals malware into people's devices. Customers are often warned not to click on links sent by SMS from unknown parties, but the rub in this case is that the fraudulent messages came in the same thread as genuine OCBC messages.

The Monetary Authority of Singapore has stepped up to say it will consider supervisory action against OCBC. On its part, OCBC has promised the bank's phishing scam victims their money back. It called the scam "particularly aggressive and highly coordinated", and conceded that its customer service and response had fallen short. Some affected customers reported a long waiting time on OCBC's hotline, during which accounts were emptied within minutes.

In today's highly digital world, cybersecurity cannot be taken for granted, yet there are actually few mechanisms to protect individuals. Cyber cover for identity theft, for instance, includes phishing risk, but the protection benefit for a standard policy at around S$25,000 is very modest. At the same time, financial institutions' terms and conditions are weighted in their favour and feature exclusions to protect them from liability, even in the case of a slow response time.

Additional precautions should be considered. These include phasing out the use of SMS OTPs which are easily intercepted by scammers, the use of biometric solutions and the imposition of more verification steps for overseas fund transfers. Organisations may also protect their sender SMS IDs by signing onto a registry set up by the Infocomm Media Development Authority to prevent scams.

On their part, financial institutions should devote more resources, such as a dedicated 24-hour help line for fraud reporting, and step up their response time. Even the most robust internal system against cyberattacks goes to naught if the response is so slow as to effectively leave the gates open for cyber theft. Ultimately, it will be impossible to thwart all forms of cyber crime, which only grows in sophistication. While customers should take reasonable precautions, banks must also own up to their share of responsibility if they are to maintain customers' trust.

Copyright SPH Media. All rights reserved.