Due to the recent spate of malware scams, banks have been implementing tighter security measures, particularly for those using Android phones.Â
OCBC got the ball rolling back in August, and other banks have since followed suit. But as bad as OCBC’s handling of the rollout was (customers were wrongly informed that all non-official apps would disable the OCBC banking app, instead of just apps with selected permissions), I think it’d be hard to beat HSBC’s current debacle…
HSBC’s app debacle
If you’re using the HSBC banking app on your Android phone, you may have noticed that it keeps crashing every time you try to launch it, even after reinstalling the app or clearing your cache.
As it turns out, this is a feature, not a bug. In the latest version of the app, rolled out about two weeks ago, HSBC automatically crashes the app if either of these two conditions are met:
- The default keyboard is not selected
- Other apps have accessibility permissions
It’d be one (annoying) thing if the app opened normally, then flashed a message that you couldn’t login until the above was done. But crashing the app quietly without showing any error message is just complete stupidity.Â
Needless to say, people aren’t happy- the HSBC Singapore app has a rating of 1.4 stars on Google Play, and falling fast. HSBC’s response to the complaints so far has been the following:
Malware scams are on the rise & we are working hard to protect you. Please follow the steps below:
1. Navigate to your phone ‘System settings’> “Accessibility’> look for an option labelled ‘Installed apps’ > deactivate/toggle off all apps
2. Check your phone ‘Keyboard setting’> ensure it is default phone keyboard (Gboard or Samsung keyboard)
You know, this is information that might have been helpful in the email blast that HSBC sent out on 21 November, which vaguely alludes to “difficulties using our HSBC Singapore app”, and advises customers to “delete any unauthorised apps” or “perform a factory reset of your device”.Â
 |
| 📧 HSBC mailer |
|
We are enhancing our HSBC Singapore mobile banking app to detect potentially high-risk apps downloaded from unofficial platforms (unauthorised apps) on Android devices. These unauthorised apps could compromise your personal data, giving scammers access to your bank accounts, and other information stored on your device. As a result of this enhancement, some customers using Android devices may be unable to access the mobile banking app. For most users, no action will be required. However, if you are an Android user and encounter difficulties using our HSBC Singapore app, please follow the steps below: (1) Delete any unauthorised apps from your device and launch the HSBC Singapore app again. If this is successful, please change your 6-digit PIN on the HSBC Singapore app, by going to the Profile icon on the top right of the app screen > Security> Manage Security > Change PIN. (2) If Step 1 does not work or you are unable to delete the unauthorised apps, please perform a factory reset of your device. You may then download the HSBC Singapore app from the Play Store and log on again. Let’s stay vigilant and #FendOffFraud together. |
Instead, customers were left in the dark, and many had to find the solutions on message boards or from reading other reviews.Â
In fact, why does HSBC require you to disable accessibility permissions for all apps anyway? This isn’t necessary for other banks, and prevents you from using useful features like password managers and certain authenticator apps. That’s not even mentioning screen readers like TalkBack, which are essential for those who are hard of seeing.
Conclusion
Whenever you express frustration with all the new anti-malware measures, there’s invariably some people who raise straw man arguments like “so you don’t care about the old aunties and uncles who lose their life savings?” as if it’s a binary choice between locking down your phone or scammers robbing grannie blind.Â
I have nothing against well-conceptualised ideas that strike a balance between protecting the vulnerable and minimising inconvenience to the general public. In fact, I think the recently-launched “money lock” features by DBS, OCBC and UOB are great initiatives, and should have been introduced a long time ago.
What I’m against are draconian policies which police how you use your phone and treat everyone like a breach waiting to happen- especially when they’re implemented as haphazardly as HSBC (and before someone says “MAS told them to do this”, I’m pretty sure MAS told them to take measures to protect customers from malware, not make their banking apps crash without explanation).
Unfortunately, it’s easy to measure the benefits of such initiatives (witness OCBC tooting its own horn about how much money its measures saved from scammers), and much harder to measure the costs (from lost productivity and user inconvenience).
I am using android phone and i dont encounter this problem. I think it is good that banks are taking measures to protect us.Too many people are not savvy and susceptible to scams and malware.
funny, it’s as though you didn’t read the entire article and parroting binary arguments that don’t make sense. But not reading and then commenting…surely nobody would do that, right?? right…?
A bot?
If you have security software installed you may have to at least disable it to use the app. Its a complete joke really not just what they have done which has clearly not been thought through properly. What about companies who use managed environments and mandate the use of these security tools. More important is the way its been done and lack of information being redily available and proactive notification
Aha! So it’s a problem with my default keyboard! I had no clue but guess it might be an incompatibility issue with the latest Android version as I just recently received the update on my phone…
Thanks Aaron for shedding the light.
The way things are going, you are soon going to need 1 device for each banking app you use (because it is getting to the point where you can’t have anything else of any use on the phone at the same time) and another device for all your non-banking apps.
Banks are still grappling with basically pushing capabilities out with little consideration of UX.
For example, when you make a FAST transfer with Citi, sometimes it doesn’t go through. And the displayed message was highly cryptic “We are unable to execute the transaction right now, try again later” – which tells you NOTHING about the error, whether it’s at the originating bank, receiving bank, or the FAST network is down. The customer ends up trying repeatedly, and CSO also doesn’t know other than to read the statement from their system (which the customer can also).
How Simple Become Complicated
i can live w/o the app. The more disgusting thing is i cannot even transfer funds using desktop internet banking, as it still asks me for Digital Secure Code which is only accessible via app. No other authentication option is available. This is a major design fail!
Hi not just lost productivity, I am in thew process of just moving everything from HSBC to DBS so they will lost the revenue stream, credit card, deposits everything moving. So Swiftkey keyboard had to go well it did but it started working again after i disabled defender so it seems the accessibility service is the key element I had to switch off Microsoft Defender Accessibility Service which scans URLs and downloaded files so reduces the security on the device further – some companies will mandate this as opart of an Intune deployment so they are screwed They also say… Read more »
It’s retarded. I use Nova Launcher and Link to Windows and I have to disable accessibility settings each time I wanna use the app. And perhaps that’s ok cos I don’t need accessibility settings all the time. Can’t imagine how it is like for people who have disabilities and require accessibility settings
Still not work after both action.
UOB also prompt “screen sharing or recording activities” even after turned off all other apps.
It’s frustrating.
I have called HSBC about this – it’s making a vast assumption that all apps that could read screen are malicious, this includes: LastPass, Microsoft’s Link to Windows, and Google’s Reading mode.
They would “feedback to the team”. Nothing has changed since Nov. Just a bunch of lazy product people who either take shortcuts or fail to manage up.
Ugh.
because of all these restrictions, now my citibank app doesn’t work when i’m paired with android auto. no more ibanking while driving, i suppose!