Singapore bank gives customers ‘kill switch’ to freeze accounts in case of fraud
Hit by a recent spat of SMS phishing scams, OCBC Bank has introduced a “kill switch” that it says will let its customers cut access to all their accounts if they suspect their personal data have been compromised. When activated, the kill switch will immediately freeze all accounts including digital banking, e-payment, ATM access, and credit cards.
Customers will need to call the Singapore bank’s hotline and use option “8” to trigger the kill switch, OCBC said in a statement Wednesday. They also will be able to do so via the bank’s network of 500 ATMs next month.
“Once the kill switch is activated, no transactions–whether done digitally, via an ATM or at branches–can be made. Even recurring or pre-arranged fund transfers will be disabled,” OCBC said.
A customer service representative then would contact the customer to remove compromised bank account access or replace compromised cards with new ones.
Only a bank branch employee or customer service executive would have the authority to deactivate the switch, according to OCBC. This also would be carried out only after the bank staff received verified instructions from the customer to do so.
Access to all accounts as well as settings, including GIRO arrangements and scheduled funds transfers, would be reinstated once the kill switch was deactivated.
OCBC added that the new feature would be offered alongside the bank’s fraud hotline, introduced last month, to guide customers who needed assistance in scam incidents, such as in making a police report.
The safeguards come in the heels of a recent spate of SMS phishing scams, which wiped out SG$13.7 million ($10.17 million) from the accounts of 790 OCBC Bank customers. Scammers had manipulated SMS Sender ID details to push out messages that appeared to be from OCBC, urging the victims to resolve issues with their bank accounts. They then were redirected to phishing websites and instructed to key in their bank login details, including username, PIN, and One-Time Password (OTP).
Describing the incident as the country’s most serious phishing scam involving spoofed SMSes impersonating banks, Singapore’s Minister for Finance Lawrence Wong said Tuesday that various steps would be taken to better mitigate the risks of such scams. These would span the entire ecosystem, including banks, telecommunications, law enforcement, and consumer education.
Banks, for example, would be working to further bolster their fraud monitoring capabilities to better identify suspicious and anomalous transactions, including credit card transactions. They would develop more versatile algorithms employing AI and machine learning to detect suspicious transactions. Wong said. “Such algorithms should be based on multiple sources of information, including customer profile and vulnerabilities, past transaction patterns, account activity, and mobile device identification.”
In addition, SMS service providers and telcos would be required to check against the national Sender ID registry and only send through messages when the sender details match the registry records. All organisations also must have a valid UEN (unique entity number) if they want to send SMS messages through registered IDs, to phone subscribers in Singapore.
All major retail banks in Singapore are required to register their Sender ID details with the registry, as are government agencies.
Wong on Tuesday had eluded to the possibility of a kill switch for customers to freeze their own accounts without needing to contact the banks.