Bank customers advised to switch to push notifications as they are more secure than SMSes

OCBC Bank told its customers it will no longer use SMS as its default method to inform customers about banking activities. PHOTO: ST FILE

SINGAPORE - Consumers should switch to push notifications instead of SMS alerts for digital banking because they are safer and more secure, experts told The Straits Times.

Last Thursday, OCBC Bank told its customers that it will no longer use SMS as its default method to inform customers about banking activities such as payments and fund transfers. Customers will instead receive alerts through push notifications and e-mails.

“SMS messages traverse the telecommunications network, and then land on a customer’s mobile phone. Unfortunately, the sender labels for these messages can be easily spoofed, a vulnerability that has given rise to scams,” said Mr Vivek Gullapalli, chief information security officer, Asia Pacific, Check Point Software Technologies.

He added that banks have recognised this weakness, and are exploring alternative, more secure communication methods that are not reliant on SMSes.

In the case of push notifications, the content is received on a mobile app that is owned and managed by the bank, said Mr Gullapalli. This ensures that the whole process is a closed loop, and therefore controlled and secure, offering an additional layer of security.

E-mails, however, remain susceptible to phishing attacks, as bad actors may impersonate the banks to deceive customers, he noted. Despite this, e-mails offer a backup security measure for when the customer’s mobile device is compromised.

Mr Kelvin Lim, director of security engineering at Synopsys Software Integrity Group, noted that SMS protocols are based on 30-year-old technology, designed when the cyber-security landscape was very different.

“Traditional SMS messages lack encryption and are inherently insecure,” said Mr Lim. This can result in attackers hijacking and reading the content of text messages without the user’s knowledge.

On the other hand, push notifications are encrypted and transmitted securely from the bank straight into the banking app, making it harder for hackers to intercept, said Mr Lim. This extra layer of security will also remove the risk of customers falling prey to SMS phishing, where hackers impersonate the banks and send malicious SMSes to customers.

Mr Lim added that the combination of push notifications and e-mails is a “nice combination” – as limited information can be sent via push notifications, e-mails are a good way to deliver non-confidential information, and an option for sending encrypted files for confidential information.

Switching from SMSes to push notifications could also bring banks cost savings, although the cost-saving aspect of the switch is secondary.

According to Mr Gullapalli, it is only natural that investment in these channels will be amped up, given the future reliance on push notifications and e-mails. Implementation of such features would incur a one-time set-up cost, in addition to recurring operational expenses.

With consumers today heavily dependent on their mobile phones for everything from entertainment to payments, risk levels are significantly elevated when a mobile device is compromised, or when the authenticity of an SMS is in question, he said.

A suggested framework by the Monetary Authority of Singapore and Infocomm Media Development Authority seeks to strengthen the direct accountability of financial institutions and telcos to consumers. The Shared Responsibility Framework places duties on financial institutions and telcos, making them liable to pay if they have fallen short of these duties.

“If a customer’s credentials are detected on an unfamiliar device, it’s crucial to alert the customer to this risk. An out-of-band e-mail communication, or even a direct phone call, can serve as an effective means to convey this essential information,” said Mr Gullapalli, who feels that Singapore is moving towards the right direction.

“There needs to be constant collaboration between the financial institutions, Government and its people to set regulations and guidelines, improve the processes, as well as education on cyber hygiene to maintain a high level of cyber alertness.”

Besides OCBC, other banks such as DBS and UOB have also started switching to e-mail and push notifications as their default channels of communication.

Correction note: In an earlier version of the story, we said Mr Vivek Gullapalli is cyber-security strategist and adviser at Cisco. This is incorrect. He is chief information security officer, Asia Pacific, at Check Point Software Technologies. We are sorry for the error.
