2023-10-30

SINGAPORE - Consumers should switch to push notifications instead of SMS alerts for digital banking because they are safer and more secure, experts told The Straits Times.

On Thursday, OCBC Bank told its customers it will no longer use SMS as its default method to inform customers about banking activities such as payments and fund transfers. Customers will instead receive alerts through push notifications and e-mails.

“SMS messages traverse the telecommunications network and then land on a customer’s mobile phone. Unfortunately, the sender labels for these messages can be easily spoofed, a vulnerability that has given rise to scams,” said Cisco’s cyber security strategist and advisor Vivek Gullapalli.

He added that banks have recognised this weakness, and are exploring alternative, more secure communication methods that are not reliant on SMSes.

In the case of push notifications, the content is received on the mobile app that is owned and managed by the bank, said Mr Gullapalli. This ensures that the whole process is a closed loop, and therefore controlled and secure, offering an additional layer of security.

E-mails, however, remain susceptible to phishing attacks, as bad actors may impersonate the banks to deceive customers, he noted. Despite this, e-mails offer a backup security measure, for when the customer’s mobile device is compromised.

Mr Kelvin Lim, director of security engineering at Synopsys Software Integrity Group, noted that SMS protocols are based on a 30-year-old technology from a time when the cybersecurity landscape was largely different.

“Traditional SMS messages lack encryption and are inherently insecure,” said Mr Lim. This can result in attackers hijacking and reading the content of text messages without the user’s knowledge.

On the other hand, push notifications are encrypted and transmitted securely from the bank straight into the banking app, making it harder for hackers to intercept, said Mr Lim. This extra layer of security will also remove the risk of customers falling prey to SMS phishing, where hackers impersonate the banks and send malicious SMSes to the customers.

Mr Lim added that the pairing of push notifications and e-mails is a “nice combination” - as only limited information can be sent via push notifications, e-mails are a good way to deliver non-confidential information, and an option for sending encrypted files when the information is confidential.

Switching to push notifications from SMSes would also help banks see potential savings, although the cost-saving aspect of the switch is secondary.

According to Mr Gullapalli, it is only natural for such channels to be invested in, given the future reliance on push notifications and e-mails. Implementation of such features would incur a one-time setup cost, in addition to recurring operational expenses.

With consumers today being heavily dependent on their mobile phones for everything from entertainment to payments, risk levels are significantly elevated when a mobile device is compromised, or when the authenticity of an SMS is in question, he said.

A suggested framework by the Monetary Authority of Singapore and Infocomm Media Development Authority seeks to strengthen the direct accountability of financial institutions and telcos to consumers. The Shared Responsibility Framework places duties on financial institutions and telcos, making them liable to pay if they have fallen short of these duties.

“If a customer’s credentials are detected on an unfamiliar device, it’s crucial to alert the customer to this risk. An out-of-band e-mail communication, or even a direct phone call, can serve as an effective means to convey this essential information,” said Mr Gullapalli, who feels that Singapore is moving in the right direction.

“There needs to be constant collaboration between the financial institutions, government and its people to set regulations and guidelines, improve the processes and education on cyber hygiene to maintain a high level of cyber alertness.”

Besides OCBC, other banks such as DBS and UOB have also started switching to e-mail and push notifications as their default channels of communication.