Where cybersecurity is concerned, governments and businesses often tout the importance of "shared responsibility", with consumers urged to also practise good cyber hygiene to help stave off attacks and protect their own assets. A recent spate of online scams in Singapore, however, reveals that blame will be placed on individuals when possible and demonstrates that regulations sometimes are the only way to shake organisations out of complacency.
People, process, and technology. How often has this trinity been preached as the three fundamentals of any successful digital adoption and the holistic approach to ensure good security posture? Which of the three, though, bears greater weight? Does technology play the biggest role in cybersecurity? Or are processes the most critical component of this equation?
When it comes to blame, it appears that significant onus is placed on consumers to safeguard their personal data and bear the consequences should they fall for online scams.
A recent series of online scams involving at least 469 customers of OCBC Bank resulted in losses of more than SG$8.5 million ($6.32 million), with S$2.7 million scammed over the recent three-day Christmas weekend alone. Several of the victims reportedly lost their life savings, including a 43-year-old man whose account was wiped of S$500,000, a 38-year-old software engineer who lost S$250,000, and 33-year-old finance executive who had her account emptied of S$68,000.
In these cases, which first surfaced December 1 last year, scammers manipulated SMS Sender ID details to push out messages that appeared to be from OCBC. These SMS messages prompted the victims to resolve issues with their accounts, redirecting them to phishing websites and instructing them to key in their bank login details, including username, PIN, and One-Time Password (OTP).
Because OCBC's legitimate Sender ID was successfully cloned, and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe they were legitimate.
In its statement released December 30, OCBC made clear that customers were "the first line of defence" against such scams and that once funds were moved from their account, the possibility of recovery was "very low". The bank said it had issued its first advisory on December 23, warning the public about the scams and cautioning customers against clicking on links embedded in the SMS messages.
Upset over how the breach was handled, affected OCBC customers expressed frustration over the lengthy time they were put on hold in their efforts to contact the bank's hotline and have their accounts locked to stem the leaks. Several noted a lack of urgency amongst OCBC's customer agents when told about the security breach.
In his interview with local media platform Mothership, the 43-year-old male victim added that the bank staff he corresponded with did not even appear to be aware of the ongoing scams. Noting that his account was breached on December 20, he questioned whether OCBC had done enough to alert its own staff and customers of the growing security risks when the attacks had been escalating since early-December.
Inundated with the bad press that followed, OCBC on Wednesday said all customers affected by the scams would receive "full goodwill payouts" comprising the amount they lost. This came after its previous statement on Monday that it had begun to make "goodwill payouts" since January 8, but did not specify if this applied to all customers or whether they would receive the entire amount they lost.
OCBC probably sees this $8.5 million writeoff as a necessary cost in crisis management, but it will likely take much more before the bank is able to regain the trust of its customers and brand reputation.
It also faces possible repercussions from industry regulator Monetary Authority of Singapore (MAS), which said it would "consider appropriate supervisory actions" after the bank conducted a "thorough" investigation to identify and plug deficiencies in its processes.
Meanwhile, MAS on Wednesday introduced several measures that banks would have to implement as a result of the phishing scams. These include the removal of hyperlinks from email or SMS messages sent to consumers, a 12-hour delay in activating mobile software tokens, and setting up a dedicated and "well-resourced" customer assistance team to deal with customer feedback on potential fraud cases.
Noting that these new measures aimed to strengthen the security of digital banking in Singapore, MAS added that financial institutions should implement further safeguards, such as enforcing a cooling-off period before requests for key account changes, including a customer's contact details.
More permanent solutions also are in the works to combat SMS spoofing, including the adoption of the SMS Sender ID registry by all relevant stakeholders, MAS said.
Stronger regulatory hand needed for businesses to take security seriously
These steps, in my view, are a long time coming.
Too many organisations, including banks, for far too long have adopted bad business practices that put customers at risk of security attacks. They also have been increasingly heavy-handed in the amount of personal data they demand from customers in return for access to services, including critical services.
More importantly, as the number of cyber attacks and breaches continues to grow, businesses still lack a proper plan to help them more quickly respond to security incidents and stem any potential data leak.
OCBC clearly did not have a cybersecurity incident framework in place. If it did, it would have been able to better handle calls from frantic customers alerting them of the scams and more swiftly block affected accounts to stop further fraudulent transactions from taking place.
There are further questions about why the bank's SMS header was so easily spoofed and whether it took any prior measures to prevent, or even to investigate, the phishing scams when these first surfaced.
Local law enforcement had published multiple advisory notes, including one as early as last April and another in November, about fake SMS messages with spoofed SMS headers of banks.
Did OCBC heed these alerts? Or did the bank deem it okay to ignore them since the advisory notes served as warning for consumers to take the necessary measures and be "the first line of defence"?
Shouldn't OCBC have been the very first line of defence instead in this case?
In a January 17 reply to reports on the SMS phishing scams, Infocomm Media Development Authority's (IMDA) director of communications and marketing Foo Wen Dee said a pilot was launched last August to enable organisations to register SMS Sender ID headers they wished to safeguard. Doing so with SMS Sender ID protection registry would help ensure messages sent via unauthorised use of the protected SMS Sender ID would be blocked.
Foo wrote: "The success of this measure, however, requires organisations such as banks to participate in the pilot, which would include registering the SMS Sender IDs they wish to protect and choosing the approved SMS aggregators that are allowed to send SMSes on the banks' behalf.
"When the registry was initiated, some banks signed up for the registry. Other organisations such as Lazada and SingPost also signed up. We urge more businesses that use SMS Sender IDs to do so," she said. She added that IMDA was working with telcos in Singapore to roll out other measures, including blocking commonly spoofed numbers.
It's interesting that Foo chose not to list examples of banks that participated in the pilot, when she did for organisations in other sectors.
So, did OCBC put its SMS Sender ID in the registry? And if it did, did it do so before or only after the phishing scams surfaced in December? And why was it the only bank hit, and hit so severely, by the onslaught of attacks?
These are questions that cannot afford to go unanswered, especially as Singapore is about to push its digital banking regime into full gear. The four successful bidders of the country's digital bank licences are expected to begin operations from early-2022.
Scarred by the numerous reports of life savings wiped clean from bank accounts, with blame put on the victims, how many will rush to sign up for services offered by digital banks? If scammers are able to find holes in the systems and processes of established traditional banks such as OCBC, what more can they do with banks that run entirely on online infrastructures?
Furthermore, several victims of the OCBC scams were not from vulnerable groups that were less tech-savvy and more susceptible to cyber scams. They were young, presumably already familiar with consuming online services, and professionals from both the financial and IT industries.
If even they were fooled by the cyber scammers, what hope is there for others less accustomed to digital banking services?
Consumer trust plays a key role in driving adoption and, if left unaddressed following the latest series of events, may put a spanner on Singapore's hopes of a thriving digital banking era. On a flip side, it could actually result in a new competitive advantage for new digital players, now that the trusted relationship between incumbent banks and customers may have somewhat eroded.
While it remains to be seen how the industry will recover from the OCBC saga, what has become clear is the need for stronger regulations to shake companies out of inertia.
For one, MAS' inclusion of incident response as some of the measures banks must adopt is a positive step forward.
A ZDNet report I published last week discussed the importance of cybersecurity incident response in bolstering cyber resilience and network availability. As mentioned previously, a robust incident response plan could have helped OCBC stem funds from leaking further and saved its customers, as well as the bank, from losing S$8.5 million.
There should be clear guidelines, and mandates if necessary, that ensure businesses and banks respond within a stipulated time when customers call their hotline about a potential security breach. Failure to meet this should result in financial penalties or the inability of breached organisations from renouncing liability.
Companies also should be required to release an incident report, following its investigation into the service breach, that highlights the cause of the breach and remediation steps taken to plug the security holes, if any. Where necessary, this report should include additional measures customers may need to take to better protect their personal data with the organisation.
For instance, it has been two months since DBS suffered its most serious service disruption last November, during which its customers could not log into or access the bank's online and mobile services for the bulk of two days. DBS later blamed the fault on its access control servers, but offered few details about what caused the issue with the systems.
Does it plan to release a report detailing its review of the incident soon? Has it at least submitted its findings to MAS? If not, how then will DBS customers be certain the bank's processes and systems did not trigger the service disruption, and that their data and accounts are adequately secured?
In addition, the implementation of security measures deemed critical to combat growing threats, such as registering and protecting SMS Sender IDs, should be mandated and enforced, rather than left as optional.
If MAS can release guidelines disallowing the marketing of crypto services to safeguard consumers against trading "on impulse", then surely it can do the same to mandate the adoption of steps critical to protect people's life savings?
While concerns that over-regulating can stifle innovation are valid, laws and rules are necessary when there is blatant failure, on the part of businesses, to do what is required in their customers' interest.
Yes, cybersecurity is a shared responsibility, but it doesn't mean companies get to throw their arms up at first chance and say, "we told you so", when customers make a mistake and fall for--to use a term breached organisations commonly point to--"increasingly sophisticated" online scams.
Equal efforts also should be made to immediately address and contain the impact of security incidents, regardless of how the breach happened. Assume breach position does not mean businesses get to skip due diligence.
And the next time someone mentions the tradeoff between convenience and security, remind them about the bank accounts that were drained of life savings over one link in an SMS message.