To protect its customers, OCBC Bank recently implemented a "kill switch" which allows customers to freeze their accounts over the phone or at an ATM (OCBC customers can freeze accounts with 'kill switch', Feb 17).
While I commend the bank's intentions, the process by which the kill switch can be activated over the phone seems flawed.
It currently requires either a 16-digit credit/debit card number or 10-digit ATM card number, and the customer's NRIC number.
These are pieces of information that are collected by organisations such as telcos and insurance companies for bill payment purposes.
Given the number of data breaches that have occurred, it would be naive to think that this information is not readily available on the Dark Web.
Furthermore, unlike a password, a customer's credit card number usually is not changed and his NRIC number remains constant.
The implication is that bad actors can essentially cause a nuisance by locking out account holders.
The freezing of accounts should be done only after securely authenticating a customer's identity. If not, I hope OCBC will let customers opt out of phone activation of the kill switch.
Lam Jer Wei