Due to the recent spate of malware scams, banks have been implementing tighter security measures, particularly for those using Android phones.
OCBC got the ball rolling back in August, and other banks have since followed suit. But as bad as OCBCโs handling of the rollout was (customers were wrongly informed that all non-official apps would disable the OCBC banking app, instead of just apps with selected permissions), I think itโd be hard to beat HSBCโs current debacleโฆ
HSBCโs app debacle
If youโre using the HSBC banking app on your Android phone, you may have noticed that it keeps crashing every time you try to launch it, even after reinstalling the app or clearing your cache.
As it turns out, this is a feature, not a bug. In the latest version of the app, rolled out about two weeks ago, HSBC automatically crashes the app if either of these two conditions are met:
- The default keyboard is not selected
- Other apps have accessibility permissions
Itโd be one (annoying) thing if the app opened normally, then flashed a message that you couldnโt login until the above was done. But crashing the app quietly without showing any error message is just complete stupidity.
Needless to say, people arenโt happy- the HSBC Singapore app has a rating of 1.4 stars on Google Play, and falling fast. HSBCโs response to the complaints so far has been the following:
Malware scams are on the rise & we are working hard to protect you. Please follow the steps below:
1. Navigate to your phone โSystem settingsโ> โAccessibilityโ> look for an option labelled โInstalled appsโ > deactivate/toggle off all apps
2. Check your phone โKeyboard settingโ> ensure it is default phone keyboard (Gboard or Samsung keyboard)
You know, this is information that might have been helpful in the email blast that HSBC sent out on 21 November, which vaguely alludes to โdifficulties using our HSBC Singapore appโ, and advises customers to โdelete any unauthorised appsโ or โperform a factory reset of your deviceโ.
 |
| ๐ง HSBC mailer |
|
We are enhancing our HSBC Singapore mobile banking app to detect potentially high-risk apps downloaded from unofficial platforms (unauthorised apps) on Android devices. These unauthorised apps could compromise your personal data, giving scammers access to your bank accounts, and other information stored on your device. As a result of this enhancement, some customers using Android devices may be unable to access the mobile banking app. For most users, no action will be required. However, if you are an Android user and encounter difficulties using our HSBC Singapore app, please follow the steps below: (1) Delete any unauthorised apps from your device and launch the HSBC Singapore app again. If this is successful, please change your 6-digit PIN on the HSBC Singapore app, by going to the Profile icon on the top right of the app screen > Security> Manage Security > Change PIN. (2) If Step 1 does not work or you are unable to delete the unauthorised apps, please perform a factory reset of your device. You may then download the HSBC Singapore app from the Play Store and log on again. Letโs stay vigilant and #FendOffFraud together. |
Instead, customers were left in the dark, and many had to find the solutions on message boards or from reading other reviews.
In fact, why does HSBC require you to disable accessibility permissions for all apps anyway? This isnโt necessary for other banks, and prevents you from using useful features like password managers and certain authenticator apps. Thatโs not even mentioning screen readers like TalkBack, which are essential for those who are hard of seeing.
Conclusion
Whenever you express frustration with all the new anti-malware measures, thereโs invariably some people who raise straw man arguments like โso you donโt care about the old aunties and uncles who lose their life savings?โ as if itโs a binary choice between locking down your phone or scammers robbing grannie blind.
I have nothing against well-conceptualised ideas that strike a balance between protecting the vulnerable and minimising inconvenience to the general public. In fact, I think the recently-launched โmoney lockโ features by DBS, OCBC and UOB are great initiatives, and should have been introduced a long time ago.
What Iโm against are draconian policies which police how you use your phone and treat everyone like a breach waiting to happen- especially when theyโre implemented as haphazardly as HSBC (and before someone says โMAS told them to do thisโ, Iโm pretty sure MAS told them to take measures to protect customers from malware, not make their banking apps crash without explanation).
Unfortunately, itโs easy to measure the benefits of such initiatives (witness OCBC tooting its own horn about how much money its measures saved from scammers), and much harder to measure the costs (from lost productivity and user inconvenience).
I am using android phone and i dont encounter this problem. I think it is good that banks are taking measures to protect us.Too many people are not savvy and susceptible to scams and malware.
funny, itโs as though you didnโt read the entire article and parroting binary arguments that donโt make sense. But not reading and then commentingโฆsurely nobody would do that, right?? rightโฆ?
A bot?
If you have security software installed you may have to at least disable it to use the app. Its a complete joke really not just what they have done which has clearly not been thought through properly. What about companies who use managed environments and mandate the use of these security tools. More important is the way its been done and lack of information being redily available and proactive notification
Aha! So itโs a problem with my default keyboard! I had no clue but guess it might be an incompatibility issue with the latest Android version as I just recently received the update on my phoneโฆ
Thanks Aaron for shedding the light.
The way things are going, you are soon going to need 1 device for each banking app you use (because it is getting to the point where you canโt have anything else of any use on the phone at the same time) and another device for all your non-banking apps.
Banks are still grappling with basically pushing capabilities out with little consideration of UX.
For example, when you make a FAST transfer with Citi, sometimes it doesnโt go through. And the displayed message was highly cryptic โWe are unable to execute the transaction right now, try again laterโ โ which tells you NOTHING about the error, whether itโs at the originating bank, receiving bank, or the FAST network is down. The customer ends up trying repeatedly, and CSO also doesnโt know other than to read the statement from their system (which the customer can also).
How Simple Become Complicated
i can live w/o the app. The more disgusting thing is i cannot even transfer funds using desktop internet banking, as it still asks me for Digital Secure Code which is only accessible via app. No other authentication option is available. This is a major design fail!
Hi not just lost productivity, I am in thew process of just moving everything from HSBC to DBS so they will lost the revenue stream, credit card, deposits everything moving. So Swiftkey keyboard had to go well it did but it started working again after i disabled defender so it seems the accessibility service is the key element I had to switch off Microsoft Defender Accessibility Service which scans URLs and downloaded files so reduces the security on the device further โ some companies will mandate this as opart of an Intune deployment so they are screwed They also sayโฆ Read more ยป
Itโs retarded. I use Nova Launcher and Link to Windows and I have to disable accessibility settings each time I wanna use the app. And perhaps thatโs ok cos I donโt need accessibility settings all the time. Canโt imagine how it is like for people who have disabilities and require accessibility settings
Still not work after both action.
UOB also prompt โscreen sharing or recording activitiesโ even after turned off all other apps.
Itโs frustrating.
I have called HSBC about this โ itโs making a vast assumption that all apps that could read screen are malicious, this includes: LastPass, Microsoftโs Link to Windows, and Googleโs Reading mode.
They would โfeedback to the teamโ. Nothing has changed since Nov. Just a bunch of lazy product people who either take shortcuts or fail to manage up.
Ugh.
because of all these restrictions, now my citibank app doesnโt work when iโm paired with android auto. no more ibanking while driving, i suppose!