Human coding error identified as cause of digital bank service outage
Human error has been identified as the cause of DBS Bank's hours-long service outage in May this year but unrelated to a previous disruption in March.
In the May 5 incident, the Singapore bank's customers were unable to access their online and mobile banking services, including DBS' mobile wallet PayLah. ATM (automated teller machines) services also were impacted.
Also: The best identity theft protection and credit monitoring services
Affected services were restored after 6.5 hours, with DBS then attributing the disruption to a "systems issue." The service outage was the bank's second in two months and third in just over a year.
In its rebuke of the bank, the Monetary Authority of Singapore (MAS) described the multiple disruptions as "unacceptable" and short of the regulator's expectation for banks to deliver reliable customer services.
Human error now has been identified as the cause of the May 5 outage, according to a written parliamentary reply by Tharman Shanmugaratnam, Senior Minister and Minister in charge of MAS.
Citing the bank's preliminary investigation into the incident, Tharman said the error was found in software used for system maintenance and had resulted in a "significant reduction" in system capacity. This affected its ability to process online and mobile banking, electronic payment, and ATM transactions.
Also: The best apps for planning your budget
The error was unrelated to the earlier service outage in March 2023, which DBS said was due to inherent software bugs, Tharman revealed.
The bank had set up a special board committee following the March incident to lead the investigations into the cause and a review of DBS's IT resilience.
When the May disruption occurred, MAS instructed the committee to extend its review to include the latest incident and to engage qualified independent third parties for the review.
DBS would provide further details on the disruptions following the completion of the review, Tharman said.
"MAS requires all retail banks in Singapore to ensure their mission-critical systems supporting digital banking are resilient. This includes having the ability to recover quickly from any system disruptions," the minister said. He noted that banks were subject to regular inspections and off-site reviews by MAS to ensure their "adherence to regulatory requirements and expectations."
Also: The single best way to protect yourself against credit card fraud
In a separate parliamentary reply on the use of OTP (One-Time Password) for online transactions, Tharman said Singapore banks were directed to phase out the use of SMS OTP as the only factor for authenticating high-risk transactions. These included online banking activities such as changing of fund transfer limits and adding payees, as well as online card payments.
The move is part of the country's efforts to adopt a "multi-layered" strategy to combat scams.
MAS, though, currently sees no need to mandate that banks provide customers a way to opt out of SMS OTPs, since this will limit the banks' authentication toolkit, according to Tharman. Doing so also will dilute the effectiveness of a multi-layered security approach to safeguard customers, he said.
"When used in combination with other authentication factors such as biometrics or digital tokens, SMS OTP provides an additional layer of security that fraudsters have to overcome," he noted. "SMS OTP is an authentication method that is accessible by all customers, as it can be received on any type of mobile device. It allows all customers to perform low-risk activities, such as viewing of account balance and paying bills, conveniently without the need for an additional device."
Also: How to add a credit card as a Bitwarden vault item and why you should
Removing this form of authentication completely would exclude a significant number of online banking customers who might not own mobile devices capable of installing digital tokens, he added.
Singapore earlier this year began tagging SMS messages sent from businesses not on the Singapore SMS Sender ID Registry (SSIR) as "Likely-SCAM." Registering with the SSIR allows organizations to use alphanumeric Sender IDs when they push out SMS messages to customers.
The move better safeguards consumers against potential scams as well as facilitates tracking when scam messages are sent to local mobile users, said industry regulator Infocomm Media Development Authority (IMDA). Scam cases initiated via SMS accounted for some 8% of scam reports in the second quarter of last year, compared to 10% in 2021. Since the registry was set up last March, the number of SMS scams had dipped by 64% between fourth quarter 2021 and second quarter 2022, IMDA said.