Due to the recent spate of malware scams, banks have been implementing tighter security measures, particularly for those using Android phones.
OCBC got the ball rolling back in August, and other banks have since followed suit. But as bad as OCBC’s handling of the rollout was (customers were wrongly informed that all non-official apps would disable the OCBC banking app, instead of just apps with selected permissions), I think it’d be hard to beat HSBC’s current debacle…
HSBC’s app debacle
If you’re using the HSBC banking app on your Android phone, you may have noticed that it keeps crashing every time you try to launch it, even after reinstalling the app or clearing your cache.
As it turns out, this is a feature, not a bug. In the latest version of the app, rolled out about two weeks ago, HSBC automatically crashes the app if either of these two conditions is met:
- The default keyboard is not selected
- Other apps have accessibility permissions
It’d be one (annoying) thing if the app opened normally, then flashed a message that you couldn’t log in until the above was done. But crashing the app quietly without showing any error message is just complete stupidity.
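To make that concrete, here is an added example (not HSBC's code, and not part of the original post) of the same two checks returning an explanation the app could display instead of crashing. It assumes the inputs are the values of Android's `enabled_accessibility_services` and `default_input_method` secure settings (colon-separated `package/class` entries); the function names, the keyboard package names and the optional allowlist are assumptions made for illustration.

```python
# Added example: models the two launch checks described above and returns
# user-facing reasons instead of failing silently. Not HSBC's code.

# Assumption: package names for the keyboards HSBC's reply names (Gboard, Samsung).
DEFAULT_KEYBOARDS = {
    "com.google.android.inputmethod.latin",   # Gboard
    "com.samsung.android.honeyboard",         # Samsung Keyboard
}


def packages(setting_value):
    """Package names from a colon-separated list of 'package/class' components."""
    if not setting_value or setting_value == "null":
        return []
    return [c.split("/", 1)[0] for c in setting_value.split(":") if c]


def launch_blockers(enabled_a11y, default_ime, allowed_a11y=frozenset()):
    """Return messages to show the user; an empty list means launch may proceed."""
    reasons = []
    ime = packages(default_ime)
    if not ime or ime[0] not in DEFAULT_KEYBOARDS:
        reasons.append(
            "Keyboard '%s' is not the default phone keyboard. "
            "Switch to Gboard or Samsung keyboard in Keyboard settings."
            % (ime[0] if ime else "unknown")
        )
    # Hypothetical allowlist: empty by default, matching the "toggle off all apps" rule.
    flagged = sorted(set(packages(enabled_a11y)) - set(allowed_a11y))
    if flagged:
        reasons.append(
            "Apps with accessibility permissions: %s. Turn them off under "
            "Settings > Accessibility > Installed apps." % ", ".join(flagged)
        )
    return reasons


# Constructed sample values in the format Android stores these settings.
SAMPLE_A11Y = ("com.example.passwordmanager/.AutofillA11yService:"
               "com.google.android.marvin.talkback/.TalkBackService")
SAMPLE_IME = "com.example.keyboard/.ImeService"

if __name__ == "__main__":
    for line in launch_blockers(SAMPLE_A11Y, SAMPLE_IME):
        print(line)
```

With the constructed sample values, both checks fail and the user gets two messages naming the keyboard and the apps involved, which is the information customers otherwise had to find on message boards.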
Needless to say, people aren’t happy: the HSBC Singapore app has a rating of 1.4 stars on Google Play, and falling fast. HSBC’s response to the complaints so far has been the following:
Malware scams are on the rise & we are working hard to protect you. Please follow the steps below:
1. Navigate to your phone ‘System settings’ > ‘Accessibility’ > look for an option labelled ‘Installed apps’ > deactivate/toggle off all apps
2. Check your phone ‘Keyboard setting’ > ensure it is default phone keyboard (Gboard or Samsung keyboard)
You know, this is information that might have been helpful in the email blast that HSBC sent out on 21 November, which vaguely alludes to “difficulties using our HSBC Singapore app”, and advises customers to “delete any unauthorised apps” or “perform a factory reset of your device”.
📧 HSBC mailer
We are enhancing our HSBC Singapore mobile banking app to detect potentially high-risk apps downloaded from unofficial platforms (unauthorised apps) on Android devices. These unauthorised apps could compromise your personal data, giving scammers access to your bank accounts, and other information stored on your device.
As a result of this enhancement, some customers using Android devices may be unable to access the mobile banking app. For most users, no action will be required. However, if you are an Android user and encounter difficulties using our HSBC Singapore app, please follow the steps below:
(1) Delete any unauthorised apps from your device and launch the HSBC Singapore app again. If this is successful, please change your 6-digit PIN on the HSBC Singapore app, by going to the Profile icon on the top right of the app screen > Security > Manage Security > Change PIN.
(2) If Step 1 does not work or you are unable to delete the unauthorised apps, please perform a factory reset of your device. You may then download the HSBC Singapore app from the Play Store and log on again.
Let’s stay vigilant and #FendOffFraud together.
Instead, customers were left in the dark, and many had to find the solutions on message boards or from reading other reviews.
In fact, why does HSBC require you to disable accessibility permissions for all apps anyway? This isn’t necessary for other banks, and prevents you from using useful features like password managers and certain authenticator apps. That’s not even mentioning screen readers like TalkBack, which are essential for those who are visually impaired.
Whenever you express frustration with all the new anti-malware measures, there are invariably some people who raise straw man arguments like “so you don’t care about the old aunties and uncles who lose their life savings?”, as if it’s a binary choice between locking down your phone or scammers robbing grannie blind.
I have nothing against well-conceptualised ideas that strike a balance between protecting the vulnerable and minimising inconvenience to the general public. In fact, I think the recently-launched “money lock” features by DBS, OCBC and UOB are great initiatives, and should have been introduced a long time ago.
What I’m against are draconian policies which police how you use your phone and treat everyone like a breach waiting to happen, especially when they’re implemented as haphazardly as HSBC’s (and before someone says “MAS told them to do this”, I’m pretty sure MAS told them to take measures to protect customers from malware, not make their banking apps crash without explanation).
Unfortunately, it’s easy to measure the benefits of such initiatives (witness OCBC tooting its own horn about how much money its measures saved from scammers), and much harder to measure the costs (from lost productivity and user inconvenience).