Following a spate of malware scams last year, MAS instructed the banks to harden security protocols for their phone banking apps, in order to protect those who had more cash than common sense.
That was the general directive, at least. The actual execution was left to the banks, and my goodness has it been farcical.
OCBC set things in motion back in August 2023 with a poorly-communicated rollout that creeped out its customers and flagged many legitimate apps as dangerous, but they were just the first out of the clown car. In the months that followed, we saw an outbreak of just-do-somethingitis, where banks decided it would be better to roll out half-baked measures that inconvenienced customers and drove them crazy, rather than be seen to be doing nothing.
Who can forget HSBC’s big brain moment, where they concluded that the best anti-malware approach was to automatically crash the app, without warning, if it detected any alternate keyboard or accessibility permission? *chef’s kiss* Never mind those permissions could actually be required for benign purposes, such as screen readers for the hard of seeing!
The list goes on. Maybank doesn’t work if it detects developer permissions. Citi and OCBC refuse to work if your phone is connected to Android Auto. Oh, and if you’re overseas and need to sideload a region-restricted app (like those needed for EV charging), better hope you brought a spare phone to ringfence it, or there’s no ibanking for you otherwise.
The problem isn’t just the obsession with policing your phone. It’s that whenever an issue arises, getting it resolved is a nightmare for customers. I’ve just run into another app-breaking problem today with OCBC (who else?), and apparently I’m not alone.
Story update: The issue was finally resolved on the morning of 4 October. As it turns out, the offending app in my case was “Fake GPS”, an app which doesn’t even have remote administration tools access. Also on the naughty list: TikTok. Ironic, given that OCBC has an account. OCBC later pushed a new version of its app to the Google Play store (v20.0) which works just fine with Fake GPS. In other words, they made a bad update.
OCBC “remote administration tools” error
The OCBC banking app on my phone was working perfectly fine until this morning, when I started getting an error message chiding me for having “remote administration tools” installed.
Now, my phone isn’t rooted. I only download apps from the official Google Play store. I have no alternate keyboards. So I had no idea what OCBC was talking about.
It would be one thing if it told me which app offended its delicate sensibilities. It’s another when it expects me to guess and check, uninstalling any recently downloaded apps and praying each time that I’d found the right one.
I honestly had no idea what was getting its knickers in a twist, and systematically ran through the rest of my banking apps: American Express, BOC, Citibank, DBS, HSBC, Maribank, Maybank, Standard Chartered, UOB. Not one of them had issues with my phone; it was just OCBC that didn’t work.
Actually, correction. OCBC’s Business Banking app worked just fine. Basically, OCBC considered my phone too insecure for consumer grade banking, but seven-digit MEPS transfers? Bring it on!
Trial and error got me nowhere, so I picked up the phone to call OCBC- only I couldn’t. It was 6.30 a.m, and they don’t offer non-fraud support between 12 a.m and 8 a.m because this issue, apparently, is not urgent enough to warrant immediate attention. Heaven help you if you have important banking matters to settle late at night!
I finally got hold of a customer service officer, who told me what I already knew: there was some app on my phone which OCBC didn’t like. But as to what exactly that was, his guess was as good as mine.
He asked whether I had any screen sharing apps like TeamViewer or Zoom. I told him I had Zoom, and he said I’d have to uninstall it.
I said that Zoom was important for work, to which he said something along the lines of “oh don’t worry, you can just uninstall it when you need to use the OCBC banking app, then reinstall it when you’re done.” Ah, smart nation.
I highly doubted that Zoom was the issue, because it hadn’t caused any trouble up till now, but played along. Sure enough, uninstalling it didn’t fix the issue.
He then asked me if I had TikTok (no) or any mobile games (also no). He asked me to go to my settings and search for something called “remote administration tools” (which didn’t exist), and asked if I could send a screenshot of all my apps (with 255, that might prove challenging). Finally, he said what I was expecting from the start: that he’d need to call me back.
It was frustrating, but obviously not his fault. OCBC sets their staff up for failure in this respect, because the error messages are so generic that they’re poking around in the dark as much as we are.
I got a call back later that afternoon, where the CSO asked whether I had an app called Instant Heart Rate or Droid VNC installed (both no). He also mentioned that I wasn’t the only one reporting this; apparently OCBC had done some “value-added services” (his exact words) today which involved an “anti-scam scan” of phones to find apps with screen sharing functions.
Long story short, I’m still waiting for a resolution. Luckily, my funds are spread out over a few different banks, so losing access to my OCBC account, while annoying, isn’t an emergency. I imagine it could be very different for others.
And therein lies the problem. The rollout of these anti-malware measures has been so scatterbrained and haphazard that a given list of apps can be perfectly fine with one bank, yet trigger a five-alarm fire with another. And given how vital the app is to managing your bank account, your funds are essentially frozen if it throws a tantrum.
Conclusion
Banks like to toot their own horn about how much has been saved due to anti-malware measures, but what’s left unsaid is how much has been lost because of their overzealousness. You can’t exactly measure the cost of lost productivity and user inconvenience, after all. And whenever anyone questions them about this, it’s all too simple to churn out a motherhood statement like “anti-malware measures are required because customer security is of utmost importance to us” and brush the issue aside.
For the record, I have nothing against well-conceptualised ideas that strike a balance between protecting the vulnerable and minimising inconvenience to the general public. The “money lock” features, for example, are great initiatives that should have been introduced a long time ago.
What’s happening with the banking apps now is far from well-conceptualised. It feels like a patchwork of solutions, each more paranoid than the previous, and at some point we have to ask: is the cure worse than the disease?
I would never put a dollar in this garbage bank.
Buy an iPhone!
actually, at this rate it might be the only solution…
Login via desktop?
login via desktop requires approval via ocbc banking app. ocbc banking app requires…
I found a solution for this issue on the current version 19.9 app. In “setting” -> “Apps” -> “Manage Apps” -> “OCBC” -> “Permissions” -> “Other Permissions” -> “Get info about installed apps” -> “Deny”. And it works. Tried to open this permission again, found the same problem again. So just close the permission of getting information about other apps, and OCBC app has no authority to detect the other apps you installed and no overzealous alarm.
Faced exactly the same issue. Their FB team (after giving a 1 star on play store) even had the audacity to ask me to send the list of ALL the apps I have.
wait in line with the aunties/uncles at ocbc branches hahaha
fixes security at expense of user experience. poorly executed update by their team.
I had a similar exasperating experience with UOB a few nights ago, where the call centre was unable to reach the IT Fraud desk from 9:30pm onwards. The error message received was “Your request was detected as unusual. For your security, it was not processed. Please call xxxxx”. This came after a 12-hour cool off period when I added a new payee in the morning. So on top of making me wait out a 12-hour cool off period, the bank felt it necessary to add additional “unusual pattern” detecting measures, and then not have IT people around to handle it…
I’ve had 2 brushes with OCBC lately, in particular being locked out of my account and being unable to contact the customer after 6pm.
Calls to their service hotline typically put me on wait for at least 30mins.
Yes, I have multiple banks, so thankfully I’m not deadlocked to this one. But plenty of banks in Singapore, why stick with a bank that springs such nasty surprises with your money?
Closing my OCBC account this week….
I want to put in my two cents, coming from the other side of the fences. From the consumer’s perspective, you are frustrated by the inconvenience. But the reality is, with AI, the amount of scams and fraud are insanely high. Banks are filing hundreds of suspicious transactions and thousands of recalls. If these controls are not in place, imagine the number of frauds that would have taken place. This is a losing battle to banks. Loose controls, more scams. Tighter controls, more customer complaints. I recently had to change my phone and need to reinstall everything. Ironically, I am…
But see, reducing it to a binary choice between inconvenience and someone emptying your account is a false dichotomy. The alternative to draconian app controls is not scammers robbing granny blind. There are sensible things that can be done like money lock that don’t involve policing your phone.
I agree that reducing this to a binary choice is indeed a false dichotomy, but finding the right balance between security and convenience is a monumental challenge. Technology is advancing at such a rapid pace that it’s difficult for anyone, even experts, to keep up with the constantly evolving fraud schemes. While convenience is important, the reality is that no company has a perfect solution to tackle every new scam. Financial institutions are doing the best they can with the tools available to protect us, and sometimes that does mean additional controls and inconveniences. I’d personally rather accept a bit…
What is a phone? It’s a work tool, an entertainment gadget, communications device, it’s also replacing the PC (Personal Computer). All of these use-cases require different apps. OK, we have lots of apps. So what are the banks trying to protect us from? Official apps? Risky behavior like someone using an unofficial app store? A bad actor sending you a direct link to credentials stealing app? Default phone settings on the phone protect from all that, and if you engage in risky behavior, you pay the price, like in real life. What we’re dealing with here is trying to enforce…
In that case, please provide a working website for internet banking that does not require a smartphone.
Banks have forced customers to move to mobile apps to make more profit at the expense of customer’s security. Changed their T&Cs to make the customer more liable for fraud. Convenience or security? The customer should at least have the choice. I would get a separate physical RSA token like the “bad” old days if they were still offered.
Physical RSA is too easy to hack. Regulators around the world are forcing banks to stop using them. Good luck if that’s your preference.
???. Any authentication mechanism where the backend is hacked will fail. The problem with hardware tokens is the difficulty of remediation not a flaw in the mechanism itself. What do you think the token on your phone is?
Source please
https://www.straitstimes.com/singapore/singapore-banks-to-phase-out-use-of-otp-for-login-for-customers-using-digital-tokens
You should have a second phone (an Iphone) that contains ONLY banking Apps. And that phone is best left at home in a secure place, so that it is not easily misplaced or lost with all the issues that can also cause.
I hope you are being sarcastic…
Not at all. This is exactly what I do. For my own security (as well as avoiding bank issues). Carrying around a phone that I could potentially lose and have all the hassle that will then follow with banking and re-installing apps is not worth it. Keep a separate phone securely at home.
Whether or not sarcastic. Having a phone covered in a plethora of junk apps and visiting every dodgy website on a phone that contains direct access to all your money doesn’t seem like the wisest approach. Of course it’s normal and only to be expected and anyone who suggests differently is looked at like they have two heads – but it isn’t exactly best practice.
ocbc and its garbage Bos are the embarrassment of our nation, despite the blowing of trumpets in public by some LinkedIn posters
long story short, go get urself an iPhone!
I was having the exact same issue today. CSO was unable to provide any details. Kept asking me about Droid VNC, and was suggesting to just factory reset my phone.
It turned out Fake GPS is causing the detection (which is not a remote administration tool).
I work in cybersecurity, so I’m all for good security controls, but this is just a rubbish implementation that probably wasn’t properly tested.
Thank you! I could use the OCBC app after deleting Fake GPS.
Hello, I have the same problem as you, what software is this fake GPS?
Rubbish all round. Trying to pay my OCBC credit card bill but with the recent update the app keeps crashing.
If this doesn’t go through in time and they refuse to waive the late fee, I will take out all my money from my 360 account and cancel the card.
There are more ways than one to pay for your credit card. You could even use other Bank’s internet banking to do it if you can’t be bothered to go to the Bank, ATM/CDM or AXS.
When I studied IT security my lecturer told us IT Security is C-I-A
Confidentiality – information stays secret
Integrity – information is correct n accurate
Availability – information is readily available
Most systems address C and I but forget about A.
He used to tell us what’s the point of C and I if there is no A or can’t access what you’re securing. Then there is no security.
OCBC is a classic example of this
I encountered the same issue. I tried various troubleshooting steps and even uninstalled other apps, but nothing worked. Finally, I downloaded and installed the previous version (19.8) from APKPure, and the problem was resolved. Therefore, I believe the issue lies with the OCBC app version 19.9, not the user’s phone.
hi, how u get the apk 19.8? can share the link ?
download history version from apkpure
This is the reason why I’m switching from Android to iPhone this year. Being able to sideload APKs was the draw for me to Android, but even my Pixel phone is starting to disallow installation of official APKs (yes, got it from official source, just that user can’t get it from local Google Play Store due to regional restrictions), much less to say for local banking apps detecting such apps. Looking at iOS’ SG App Store – all the apps I want are there. So, forget about the wall garden meme for iOS, because I’m starting to feel the same…
Appears that we’ll need to disable play protect.
The offending app in my case was TickTock (sic) after I chatted with them via Facebook.
hilarious that OCBC has a tiktok account. how do they expect people to visit it, then?
Use web browser lo
can verify. it’s really tiktok. LOL what a joke ocbc
Ocbc was never an acceptable bank, even provide false report to mas and fired by top management, closing down is a better route
install app in secure folder? its what i do with my ocbc app specifically
This is amazing idea thank you lol
i think you should buy an iPhone
Hi, for the Android users, I found a solution for this issue on the current version 19.9 app. In “setting” -> “Apps” -> “Manage Apps” -> “OCBC” -> “Permissions” -> “Other Permissions” -> “Get info about installed apps” -> “Deny”. And it works. Tried to open this permission again, found the same problem again. So just close the permission of getting information about other apps, and OCBC app has no authority to detect the other apps you installed and no overzealous alarm.
This is totally atrocious. And I believe they will soon be making OTP for 2FA unavailable as a phone SMS, so you STUCK.
Frankly, while OCBC/DBS/UOB all have lousy apps and such problems, the real blame is to be with MAS , the regulator, for allowing such stupid ‘solutions’ to be peddled to people.
Same for UOB. Even for iPhone. Even on Beta OS also. Thus basically banks’ IT staff are not doing their job properly, and simply blanket crash their own app, preventing customers from using it.