Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Dangers Beyond SMS Web Links

OCBC, maybe through no direct fault of theirs, became the unfortunate bank that is being associated with scams and phishing. In the aftermath, every bank, and indeed numerous other organisations, are rushing to tell people that SMS web links are bad. Actually, they aren’t bad per se, but the problem is hard to explain.

To just summarily condemn SMS web links like what is happening now seems to be missing the forest for the trees. Web links in SMS could be legitimate. Just a few days back, I received an SMS from LTA about an e-letter I needed to read by clicking on the provided web link. The Monetary Authority of Singapore had instructed banks to stop sending web links in SMS, but other parts of the government still do it.

The recent publicity over the OCBC scam seems to leave the impression on everyone (or at least the less tech-savvy ones) that SMS web links are dangerous. That’s like saying the Internet is a highly dangerous place because of malware lurking around waiting to take over control of your computer, so we should stop using the Internet. Or, that roads are extremely dangerous because accidents can happen, and people die, so let’s all stop using roads.

I get it. It is hard to explain to less tech-savvy people what these online scams are, how to identify them, and how one can protect oneself from them. The easy way seems to be to make a sweeping statement, like “don’t click on web links”. “Don’t cross the road” is much easier to say than to explain all kinds of dangers one needs to look out for when crossing a road.

We must not forget that malicious web links are but just one kind of danger one could encounter in the online world. These SMS web links were the hot topic last month. But even before the month ended, we learnt of a new wave of SMS going around telling people to call a fake bank call-centre number. To summarily condemn all SMS text messages is, again, missing the point. The same scams can also play out over emails, and they have already happened in the past.

We have been dealing with these scams mostly in a reactive manner. Something bad has already happened, then we send warnings about how that thing is bad, so that others know how to avoid it when they see it. It’s simple for scammers to create variants of the same scam idea, be it using a different background story, using a different communication medium, or soliciting different kinds of information, responses, or actions from victims. The better solution is to help people understand the modus operandi of scams, so that they can identify suspicious activities, and know how to deal with them appropriately.

For the techies: This is like how anti-virus software worked decades ago. We call this a signature-based system. While we can generalise these signatures to a certain extent to catch simple variants of malware, the better solution would be a behavioural-based mechanism to catch malware.

I ranted on this last December, that banks are part of the problem by making it feel normal that a random caller should be able to ask to “verify your particulars”. This absolutely makes no sense, and while I understand why banks think they have a need to do it to properly verify their customer, my take on it is that they should find some other better solution to this need.

The current public messaging to equate SMS web links to scam is inherently wrong. Some people are taking that literally, unfortunately, and that also sadly includes people whom I’d not have considered to be tech-illiterate.

For example, I am in a WhatsApp group where some members condemned a legitimate DBS SMS about confirming a GIRO application as a scam. I tried to put in my two cents that, considering the circumstances (time, the purpose of the message, and assumed context given the members of the group), it may be legitimate, and surely they could call the bank to verify. One person did do that, and confirmed the message is legit. Unfortunately, the overwhelming majority of the group members had already decided it was a scam, and they were very proactively warning everyone about it. They even forwarded a news article of an emerging DBS warning at that time of an SMS scam of a totally different nature as confirmation that these legit messages were in fact scams.

Those were people who should have known better, but they did not. So I worry more about other people who are less savvy.

In fact, the current public messaging may result in some wrong interpretation. For example, that other kinds of fishy-looking communications are probably legit as long as they aren’t SMS web links.

Again, for techies: This is a common flaw in human logic. If A is bad, then anything other than A must be good. This follows because not-A must be not-bad, and not-bad is basically good. (Which is totally wrong.)

I also want to posit that in this increasingly treacherous online environment that is rife with malicious and hostile actors, our online systems need to be redesigned to be more robust and secure against well-planned attacks.

The proper education for less tech-savvy people on online security is one part of the problem. The other part, which I also mentioned in my last rant, has to be with organisations. I want to posit that in this increasingly treacherous online environment that is rife with malicious and hostile actors, organisations need to redesign their online systems to be far more robust and resilient.

Consider the use of OTPs. Has anyone wondered if the OTP we are sending across is indeed for verifying a transaction which we are actually making? Some banks do this better, but others are at best ambiguous about what the OTP is about.
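One way to make an OTP unambiguous is to derive it from the transaction it authorises and to state that transaction in the SMS. The sketch below is an example added here, not any bank's actual scheme; the field names, the SMS wording and the function names are all assumptions.

```python
import hashlib
import hmac
import json


def _canonical(txn: dict) -> bytes:
    # Sorted keys and fixed separators: both sides hash identical bytes.
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def issue_otp(key: bytes, txn: dict, nonce: bytes, digits: int = 6):
    """Return (otp, sms_text) for one pending transaction.

    nonce is a fresh random value stored server-side with the pending
    transaction; it should expire quickly and be accepted only once.
    """
    mac = hmac.new(key, nonce + _canonical(txn), hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226).
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    otp = str(code % 10 ** digits).zfill(digits)
    # The message says what the code is for, so a customer who is not
    # making this exact payment has a reason to stop.
    sms = (f"OTP {otp} authorises {txn['action']} of {txn['currency']} "
           f"{txn['amount']} to {txn['payee']}. Not you? Do not share it.")
    return otp, sms


def verify_otp(key: bytes, submitted_txn: dict, nonce: bytes, otp: str) -> bool:
    # Recompute from the transaction actually being submitted: a code
    # issued for one payment does not validate a different one.
    expected, _ = issue_otp(key, submitted_txn, nonce)
    return hmac.compare_digest(expected, otp)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    key, nonce = b"k" * 32, b"n" * 16
    txn = {"action": "transfer", "payee": "ACME PTE LTD",
           "amount": "1500.00", "currency": "SGD"}
    otp, sms = issue_otp(key, txn, nonce)
    print(sms)
    print(verify_otp(key, txn, nonce, otp))                       # same payment
    print(verify_otp(key, dict(txn, payee="OTHER"), nonce, otp))  # altered payee
```

With a six-digit code, a different transaction still has a one-in-a-million chance of matching, so attempt limits and short expiry remain necessary.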

Consider the mobile banking apps on our phones. Has anyone thought that the whole point of two-factor authentication (2FA) is moot when the same device is used to both transact and to verify the transaction? (I know the technical discussion behind this can get somewhat complicated, but I think we should be able to agree that such a design is centred on convenience rather than robust security.)

The processes we have had in the past mostly seem to work, because generally bad things aren’t that prevalent. But for many years now, online scams are getting quite ingenious. We know the Internet, for over the last decade, has become so different from its birth in the 1980s. Plaintext authentication was considered good enough security back then, but these days, you don’t just need to apply strong encryption algorithms, but also need to design robust security protocols and processes around them.

While our banks’ internal systems may be secure, and our devices may also be secure, the problem we need to address is the transaction processes that have to be strengthened to prevent exploits by malicious third parties.

I don’t doubt that banks have the technical expertise to get the security right. Unfortunately, they seem to think that their scope of responsibility is limited to their own internal systems, and maybe to some extent, their app that runs on customer devices. That’s why scams are considered to be the customer’s fault. I don’t disagree that customers should at least partly be faulted, but I also think that banks, for the most part, cannot be said to be blameless.

We probably need an appropriate government authority, like the Monetary Authority of Singapore, to prescribe mandatory standards that banks must meet. Again, just to be clear, I’m not just talking about internal bank systems that need to be secure, but that the entire customer-bank interaction needs to be more robustly protected. As online payments and banking are such a ubiquitous part of our lives, it is necessary to take steps to ensure that they remain secure, robust, and dependable.
