Recently, SG Budget Babe wrote a very interesting article on online frauds in Singapore and I thought it would be useful to share a quick post on the same topic.
But before that, it is important to note that, like many fraud victims, I would share the same perspective and argument if I were in their shoes. But for argument's sake, this article shall attempt to strike a balanced viewpoint from the perspectives of the service provider (the bank) and the consumer. Hopefully readers can benefit from this sharing and avoid the undesirable fate of being a fraud victim.
Understanding the law
In Singapore, the law that governs electronic transactions is the Electronic Transactions Act (ETA). This law covers two important components of online transactions – the electronic signature and the secured electronic signature. For an electronic signature to be legally recognized, it must be able to authenticate the person signing the document and ensure the integrity of the document signed. However, if the service provider has implemented a secured electronic signature, the law automatically presumes that these requirements are fulfilled.
The two-factor authentication (2FA) used by many local banks is deemed a form of secured electronic signature. The system works on the basis of “what you know (PIN or password)” and “what you have (the two-factor authentication token)”. There are two types of tokens – a key-chain-sized hardware token and SMS. The former generates One-Time Passwords (OTPs): each time you log in, you press the button on the hardware token to generate a One-Time Password, which is displayed on its screen. With SMS, an OTP is sent to the mobile phone number registered with your bank whenever you log in with your user ID and PIN.
A hardware token is considered more secure than SMS because, unless you lose the token, it is almost impossible for hackers to get hold of the OTP it generates. On the other hand, if a hacker manages to access your mobile phone through malware, they can obtain your credit card details and the SMS OTP to commit mobile online fraud.
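To make the hardware-token mechanism concrete, here is an added example (not code from this post or from any bank) of the event-based one-time password scheme (HOTP, RFC 4226) that key-chain tokens typically use. The seed value and the `HardwareToken`/`BankServer` classes are assumptions for illustration; the point is that the shared secret never leaves the token or the bank, only a short code does, and a code already used cannot be replayed.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value (RFC 4226) for a shared secret and an event counter."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """The 'what you have' factor: a button press shows the next code."""

    def __init__(self, secret: bytes):
        self._secret = secret    # provisioned once, never exported
        self._counter = 0

    def press_button(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class BankServer:
    """Verifies a submitted code, tolerating a few unused presses."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret
        self._counter = 0
        self._window = window

    def verify(self, submitted: str) -> bool:
        for c in range(self._counter, self._counter + self._window + 1):
            if hmac.compare_digest(hotp(self._secret, c), submitted):
                self._counter = c + 1    # used counters cannot be replayed
                return True
        return False


def demo() -> tuple:
    # Constructed setup: the RFC 4226 test-vector secret, not a real bank seed.
    seed = b"12345678901234567890"
    token, bank = HardwareToken(seed), BankServer(seed)
    first = token.press_button()
    accepted = bank.verify(first)          # fresh code is accepted
    replayed = bank.verify(first)          # same code again is rejected
    return first, accepted, replayed
```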
Who is liable?
Beyond feeling shell-shocked, I guess the first thing on an angry victim’s mind must be being held responsible for the fraud committed by the hackers. Many victims were told to pay for transactions that they did not make, or else face legal action from the banks. As a result, many experts blasted the banks for putting the liability on consumers when the system can be compromised by hackers.
On the surface, it might seem really ridiculous for banks to hold victims responsible for fraud committed by hackers. Depending on the circumstances, the bank may sometimes waive the loss out of goodwill. But in most cases, fraud victims are asked to pay for purchases made by hackers – which can range from thousands of dollars upwards. Otherwise, the banks take legal action against the fraud victims.
This approach doesn’t make sense to many people (including myself) and drives home the point about who is actually liable for paying up in fraud cases.
But what many people don’t realize is that it is not the 2FA process that was compromised, but rather the security of the mobile phones belonging to the victims. The 2FA, being considered a secured electronic signature by the law, is not considered to have been compromised, because it is presumed that the fraud victims authenticated the transactions, even though they were made by fraudsters. Effectively, the law places the liability on the consumer to ensure their actions do not result in security vulnerabilities.
This law actually makes sense, because how can you expect the banks to be liable for your actions if you downloaded malware onto your mobile phone and this resulted in mobile online fraud? Is it reasonable for the banks to be responsible for the security of your mobile phone? Fundamentally, this means that consumers also need to play a part in ensuring that they are not vulnerable to mobile online fraud through responsible online practices.
Mobile online fraud can happen to anyone, so we, as consumers, need to learn how to protect ourselves. According to the Association of Banks in Singapore (ABS), consumers should be careful not to let their smartphones be infected by malware. They should:
(1) install an anti-virus/anti-malware software on the smartphone.
(2) only install applications from trusted sources such as “Google Play”, or other reputable app stores, and avoid downloading pirated applications from unauthorized/illegitimate app stores, or random download locations on the internet as the latter could be laced with malware.
(3) only click on hyperlinks from messages and emails if they are from a trusted source.
(4) not “root” or “jailbreak” the smartphone, as this could compromise smartphone security.
Basically, always be vigilant and download applications only from trusted sources. If there is an update for your device, make sure you download and install it, because manufacturers, carriers, and Google constantly push out updates with bug fixes, enhancements, and new features that make your device more secure.
Also, make it a point to secure your smartphone with a password, PIN or a similar mechanism to prevent unauthorized use.
SG Wealth Builder