This bank’s new app security feature irks customers

OCBC has left several of its customers frustrated after introducing a security feature that locks out access if mobile apps downloaded from unofficial app stores are detected on the user’s device. 

The Singapore bank rolled out the security feature on its mobile app early this week, citing the need to protect its customers against malware. 

Also: 4 ways to avoid clicking malicious links that everyone online should know

The “enhancement” allows its app to identify apps that are not downloaded from official app stores, such as Google Play Store and Huawei AppGallery. Once detected, customers will not be able to log into their account via OCBC’s mobile app or online banking site until they uninstall or remove the “rogue” apps. 

Customers who want to continue using these apps are advised to download and reinstall them from official app stores, OCBC said on its Facebook page. 

OCBC further noted that the new security feature does not monitor its customers’ phone activities or conduct surveillance on the mobile device — neither does it collect nor retain customers’ personal data. 

“This technology detects apps that are not downloaded from official app stores only when the OCBC Digital app is opened,” the bank added. “It does not identify the owner of the device. All it does is to alert customers to apps that could compromise the device to malware scams.”

Also: The best VPN services (and tips to choose the right one for you)

“We apologize for any inconvenience caused. We seek your patience as this feature is aimed to safeguard customers from malware scams,” it said. 

Its customers, though, were left frustrated after finding themselves unable to access their banking services, prompting several to air their grievances on the bank’s Facebook page. These included users who said apps they had downloaded from official app stores were identified as malware by OCBC’s security feature. 

One such customer said Microsoft Authenticator was singled out, even though the two-factor authenticator app was published by Microsoft and downloaded from Play Store. The customer added that they still were unable to access OCBC’s app even after uninstalling and reinstalling Microsoft Authenticator from the Google app store, as recommended by an OCBC administrator. 

Others said apps for their smart home devices, such as LG ThinQ, also were highlighted even though they were downloaded from official app stores. System optimizer apps such as CCLeaner did not make the cut either. 

Also: How to use ChatGPT to create an app

Another reported that even their Trend Micro antivirus mobile app was flagged since it was not downloaded from an official app store. 

Most said OCBC’s recommended solution of deleting and reinstalling the specific apps from official app stores did not work. 

One customer also noted that apps developed out of China appeared to be blocked, even though the apps were not detected as security risks by their own antivirus tool. 

A customer highlighted the oft-cited need to balance convenience and security, or businesses such as OCBC will risk losing their customers instead. Another put it more plainly: “What right does OCBC have to decide what we can install?”

The bank was the center of a spate of SMS phishing scams last year, which wiped out SG$13.7 million ($10.17 million) from the accounts of 790 OCBC customers. Scammers had manipulated SMS Sender ID details to push out messages that appeared to be from OCBC, urging the victims to resolve issues with their bank accounts. They then were redirected to phishing websites and instructed to key in their bank login details, including username, PIN, and One-Time Password (OTP).  

Also: How to protect and secure your password manager

This prompted the Singapore government to step up security measures to bolster local banking and communications infrastructures, which included the need for SMS service providers to check against a registry before sending through messages. Banks also are expected to develop “more versatile” artificial intelligence (AI) models to detect suspicious transactions. 

In addition, Singapore banks were instructed to provide a “kill switch,” allowing customers to quickly suspend their accounts should they suspect a security breach.

Consumers also were urged to use mobile banking apps, instead of web browsers, to access their accounts in order to minimize the risks of navigating to fraudulent websites. The Singapore government had underscored the need for customers to assume responsibility for their own cyber hygiene by taking “necessary precautions.”