Following a spate of malware scams last year, MAS instructed the banks to harden security protocols for their phone banking apps, in order to protect those who had more cash than common sense.
That was the general directive, at least. The actual execution was left to the banks, and my goodness has it been farcical.
OCBC set things in motion back in August 2023 with a poorly-communicated rollout that creeped out its customers and flagged many legitimate apps as dangerous, but they were just the first out of the clown car. In the months that followed, we saw an outbreak of just-do-somethingitis, where banks decided it would be better to roll out half-baked measures that inconvenienced customers and drove them crazy, rather than be seen to be doing nothing.
Who can forget HSBC’s big brain moment, where they concluded that the best anti-malware approach was to automatically crash the app, without warning, if it detected any alternate keyboard or accessibility permission? *chef’s kiss* Never mind those permissions could actually be required for benign purposes, such as screen readers for the hard of seeing!
The list goes on. Maybank doesn’t work if it detects developer permissions. Citi and OCBC refuse to work if your phone is connected to Android Auto. Oh, and if you’re overseas and need to sideload a region-restricted app (like those needed for EV charging), better hope you brought a spare phone to ringfence it, or there’s no ibanking for you otherwise.
The problem isn’t just the obsession with policing your phone. It’s that whenever an issue arises, getting it resolved is a nightmare for customers. I’ve just run into another app-breaking problem today with OCBC (who else?), and apparently I’m not alone.
Story update: The issue was finally resolved on the morning of 4 October. As it turns out, the offending app in my case was “Fake GPS”, an app which doesn’t even have remote administration tools access. Also on the naughty list: TikTok. Ironic, given that OCBC has an account. OCBC later pushed a new version of its app to the Google Play store (v20.0) which works just fine with Fake GPS. In other words, they made a bad update.
OCBC “remote administration tools” error
The OCBC banking app on my phone was working perfectly fine until this morning, when I started getting an error message chiding me for having “remote administration tools” installed.
Now, my phone isn’t rooted. I only download apps from the official Google Play store. I have no alternate keyboards. So I had no idea what OCBC was talking about.
It would be one thing if it told me which app offended its delicate sensibilities. It’s another when it expects me to guess and check, uninstalling any recently downloaded apps and praying each time that I’d found the right one.
I honestly had no idea what was getting its knickers in a twist, and systematically ran through the rest of my banking apps: American Express, BOC, Citibank, DBS, HSBC, Maribank, Maybank, Standard Chartered, UOB. Not one of them had issues with my phone; it was just OCBC that didn’t work.
Actually, correction. OCBC’s Business Banking app worked just fine. Basically, OCBC considered my phone too insecure for consumer grade banking, but seven-digit MEPS transfers? Bring it on!
Trial and error got me nowhere, so I picked up the phone to call OCBC, only I couldn’t. It was 6.30 a.m., and they don’t offer non-fraud support between 12 a.m. and 8 a.m. because this issue, apparently, is not urgent enough to warrant immediate attention. Heaven help you if you have important banking matters to settle late at night!
I finally got hold of a customer service officer, who told me what I already knew: there was some app on my phone which OCBC didn’t like. But as to what exactly that was, his guess was as good as mine.
He asked whether I had any screen sharing apps like TeamViewer or Zoom. I told him I had Zoom, and he said I’d have to uninstall it.
I said that Zoom was important for work, to which he said something along the lines of “oh don’t worry, you can just uninstall it when you need to use the OCBC banking app, then reinstall it when you’re done.” Ah, smart nation.
I highly doubted that Zoom was the issue, because it hadn’t caused any trouble up till now, but played along. Sure enough, uninstalling it didn’t fix the issue.
He then asked me if I had TikTok (no) or any mobile games (also no). He asked me to go to my settings and search for something called “remote administration tools” (which didn’t exist), and asked if I could send a screenshot of all my apps (with 255, that might prove challenging). Finally, he said what I was expecting from the start: that he’d need to call me back.
It was frustrating, but obviously not his fault. OCBC sets their staff up for failure in this respect, because the error messages are so generic that they’re poking around in the dark as much as we are.
I got a call back later that afternoon, where the CSO asked whether I had an app called Instant Heart Rate or Droid VNC installed (both no). He also mentioned that I wasn’t the only one reporting this; apparently OCBC had done some “value-added services” (his exact words) today which involved an “anti-scam scan” of phones to find apps with screen sharing functions.
Long story short, I’m still waiting for a resolution. Luckily, my funds are spread out over a few different banks, so losing access to my OCBC account, while annoying, isn’t an emergency. I imagine it could be very different for others.
And therein lies the problem. The rollout of these anti-malware measures has been so scatterbrained and haphazard that a given list of apps can be perfectly fine with one bank, yet trigger a five-alarm fire with another. And given how vital the app is to managing your bank account, your funds are essentially frozen if it throws a tantrum.
Conclusion
Banks like to toot their own horn about how much has been saved due to anti-malware measures, but what’s left unsaid is how much has been lost because of their overzealousness. You can’t exactly measure the cost of lost productivity and user inconvenience, after all. And whenever anyone questions them about this, it’s all too simple to churn out a motherhood statement like “anti-malware measures are required because customer security is of utmost importance to us” and brush the issue aside.
For the record, I have nothing against well-conceptualised ideas that strike a balance between protecting the vulnerable and minimising inconvenience to the general public. The “money lock” features, for example, are great initiatives that should have been introduced a long time ago.
What’s happening with the banking apps now is far from well-conceptualised. It feels like a patchwork of solutions, each more paranoid than the previous, and at some point we have to ask: is the cure worse than the disease?
I would never put a dollar in this garbage bank.
Buy an iPhone!
actually, at this rate it might be the only solution…
Login via desktop?
login via desktop requires approval via ocbc banking app. ocbc banking app requires…
I found a solution for this issue on the current version 19.9 app. In the “setting”->“Apps”->“Manage Apps”->“OCBC”->“Permissions”->“Other Permissions”->“Get info about installed apps”->“Deny”. And it works. Tried to open this permission again, found the same problem again. So just close the permission of getting information about other apps, and OCBC app has no authority to detect the other apps you installed and no overzealous alarm.
Unbelievable! I have been using computers since 1983 on CP/M the predecessor of MS DOS, had one of the first email accounts in Japan (still operated with an acoustic coupler 300 bits/s!!), wrote my first website on a text editor, fully coded, almost got a license for the ebay predecessor for Japan…. just want to say, I know my way around with computers and the Internet. I administer without a hitch accounts online in Germany, the US, and Japan without problems. OCBC’s software drove me crazy. I had to discuss the matter for 30 minutes on an international phone call with…
Not possible for whatever reason. Only phones with Android 10 and newer, which made it impossible for me to update the App, as my phone, which I love because it has dual SIM, was “still” on Android 9. BUT – there was NO MESSAGE to that fact. Just “your App needs an update.” I had to discuss the matter for 30 minutes with the agent before we finally found the reason. Solution? You should buy a new phone. Forget it – just to make YOU happy?
Faced exactly the same issue. Their FB team (after giving a 1 star on play store) even had the audacity to ask me to send the list of ALL the apps I have.
wait in line with the aunties/uncles at ocbc branches hahaha
fixes security at expense of user experience. poorly executed update by their team.
I had a similar exasperating experience with UOB a few nights ago, where the call centre was unable to reach the IT Fraud desk from 9:30pm onwards. The error message received was “Your request was detected as unusual. For your security, it was not processed. Please call xxxxx”. This came after a 12-hour cool off period when I added a new payee in the morning. So on top of making me wait out a 12-hour cool off period, the bank felt it necessary to add additional “unusual pattern” detecting measures, and then not have IT people around to handle it…
I’ve had 2 brushes with OCBC lately, in particular being locked out of my account and being unable to contact the customer after 6pm.
Calls to their service hotline typically put me on wait for at least 30mins.
Yes, I have multiple banks, so thankfully I’m not deadlocked to this one. But plenty of banks in Singapore, why stick with a bank that springs such nasty surprises with your money?
Closing my OCBC account this week….
I want to put in my two cents, coming from the other side of the fence. From the consumer’s perspective, you are frustrated by the inconvenience. But the reality is, with AI, the amount of scams and fraud is insanely high. Banks are filing hundreds of suspicious transactions and thousands of recalls. If these controls are not in place, imagine the number of frauds that would have taken place. This is a losing battle to banks. Loose controls, more scams. Tighter controls, more customer complaints. I recently had to change my phone and need to reinstall everything. Ironically, I am…
But see, reducing it to a binary choice between inconvenience and someone emptying your account is a false dichotomy. The alternative to draconian app controls is not scammers robbing granny blind. There are sensible things that can be done like money lock that don’t involve policing your phone.
I agree that reducing this to a binary choice is indeed a false dichotomy, but finding the right balance between security and convenience is a monumental challenge. Technology is advancing at such a rapid pace that it’s difficult for anyone, even experts, to keep up with the constantly evolving fraud schemes. While convenience is important, the reality is that no company has a perfect solution to tackle every new scam. Financial institutions are doing the best they can with the tools available to protect us, and sometimes that does mean additional controls and inconveniences. I’d personally rather accept a bit…
What is a phone? It’s a work tool, an entertainment gadget, communications device, it’s also replacing the PC (Personal Computer). All of these use-cases require different apps. OK, we have lots of apps. So what are the banks trying to protect us from? Official apps? Risky behavior like someone using an unofficial app store? A bad actor sending you a direct link to credentials stealing app? Default phone settings on the phone protect from all that, and if you engage in risky behavior, you pay the price, like in real life. What we’re dealing with here is trying to enforce…
In that case, please provide a working website for internet banking that does not require a smartphone.
Banks have forced customers to move to mobile apps to make more profit at the expense of customer’s security. Changed their T&Cs to make the customer more liable for fraud. Convenience or security? The customer should at least have the choice. I would get a separate physical RSA token like the “bad” old days if they were still offered.
Physical RSA is too easy to hack. Regulators around the world are forcing banks to stop using them. Good luck if that’s your preference.
???. Any authentication mechanism where the backend is hacked will fail. The problem with hardware tokens is the difficulty of remediation not a flaw in the mechanism itself. What do you think the token on your phone is?
Source please
https://www.straitstimes.com/singapore/singapore-banks-to-phase-out-use-of-otp-for-login-for-customers-using-digital-tokens
You should have a second phone (an iPhone) that contains ONLY banking Apps. And that phone is best left at home in a secure place, so that it is not easily misplaced or lost with all the issues that can also cause.
I hope you are being sarcastic…
Not at all. This is exactly what I do. For my own security (as well as avoiding bank issues). Carrying around a phone that I could potentially lose and have all the hassle that will then follow with banking and re-installing apps is not worth it. Keep a separate phone securely at home.
Whether or not sarcastic. Having a phone covered in a plethora of junk apps and visiting every dodgy website on a phone that contains direct access to all your money doesn’t seem like the wisest approach. Of course it’s normal and only to be expected and anyone who suggests differently is looked at like they have two heads – but it isn’t exactly best practice.
ocbc and its garbage Bos are the embarrassment of our nation, despite the blowing of trumpets in public by some LinkedIn posters
long story short, go get urself an iPhone!
I was having the exact same issue today. CSO was unable to provide any details. Kept asking me about Droid VNC, and was suggesting to just factory reset my phone.
It turned out Fake GPS is causing the detection (which is not a remote administration tool).
I work in cybersecurity, so I’m all for good security controls, but this is just a rubbish implementation that probably wasn’t properly tested.
Thank you! I could use the OCBC app after deleting Fake GPS.
Hello, I have the same problem as you, what software is this fake GPS?
Rubbish all round. Trying to pay my OCBC credit card bill but with the recent update the app keeps crashing.
If this doesn’t go through in time and they refuse to waive the late fee, I will take out all my money from my 360 account and cancel the card.
There are more ways than one to pay for your credit card. You could even use other Bank’s internet banking to do it if you can’t be bothered to go to the Bank, ATM/CDM or AXS.
When I studied IT security my lecturer told us IT Security is C-I-A
Confidentiality – information stays secret
Integrity – information is correct n accurate
Availability – information is readily available
Most systems address C and I but forget about A.
He used to tell us what’s the point of C and I if there is no A or can’t access what you’re securing. Then there is no security.
OCBC is a classic example of this
I encountered the same issue. I tried various troubleshooting steps and even uninstalled other apps, but nothing worked. Finally, I downloaded and installed the previous version (19.8) from APKPure, and the problem was resolved. Therefore, I believe the issue lies with the OCBC app version 19.9, not the user’s phone.
hi, how u get the apk 19.8? can share the link ?
download history version from apkpure
This is the reason why I’m switching from Android to iPhone this year. Being able to sideload APKs was the draw for me to Android, but even my Pixel phone is starting to disallow installation of official APKs (yes, got it from official source, just that user can’t get it from local Google Play Store due to regional restrictions), much less to say for local banking apps detecting such apps. Looking at iOS’ SG App Store – all the apps I want are there. So, forget about the wall garden meme for iOS, because I’m starting to feel the same…
Appears that we’ll need to disable play protect.
The offending app in my case was TickTock (sic) after I chatted with them via Facebook.
hilarious that OCBC has a tiktok account. how do they expect people to visit it, then?
Use web browser lo
can verify. it’s really tiktok. LOL what a joke ocbc
Ocbc was never an acceptable bank, even provide false report to mas and fired by top management, closing down is a better route
install app in secure folder? it’s what i do with my ocbc app specifically
This is an amazing idea thank you lol
i think you should buy an iPhone
Hi, for the Android users, I found a solution for this issue on the current version 19.9 app. In the “setting”->“Apps”->“Manage Apps”->“OCBC”->“Permissions”->“Other Permissions”->“Get info about installed apps”->“Deny”. And it works. Tried to open this permission again, found the same problem again. So just close the permission of getting information about other apps, and OCBC app has no authority to detect the other apps you installed and no overzealous alarm.
This is totally atrocious. And I believe they will soon be making OTP for 2FA unavailable as a phone SMS, so you STUCK.
Frankly, while OCBC/DBS/UOB all have lousy apps and such problems, the real blame is to be with MAS, the regulator, for allowing such stupid “solutions” to be peddled to people.
Same for UOB. Even for iphone. Even on Beta OS also. Thus basically banks’ IT staff are not doing their job properly, and simply blanket crash their own app to prevent customers from using it.