Singapore is considering the need for various personal information, such as password and biometrics, to facilitate “non-face-to-face” verification for financial services. This comes amidst a rise in impersonation scam cases and risks of personal data theft.
In a consultation paper released Tuesday, the Monetary Authority of Singapore (MAS) mooted the mandatory use of at least one of a several types of information to verify individuals tapping an offsite financial service channel, such as phone or online banking, before processing any transaction or request.
These include information only the individual knows such as password or PIN, or only the individual has such as one-time password generated by a hardware token issued to the individual or software token activated on the individual’s mobile device. Information used for verification also can include the individual’s biometric data such as face or fingerprint recognition or information that is known only between the individual and the financial institution such as account transaction information.
Global pandemic opening up can of security worms
Caught by the sudden onslaught of COVID-19, most businesses lacked or had inadequate security systems in place to support remote work and now have to deal with a new reality that includes a much wider attack surface and less secured user devices.
MAS also proposed that financial institutions be barred from using commonly used personal information such as NRIC number, residential address, and date of birth as the only means of identity verification.
Such requirements were necessary amidst the increasing impersonation scam cases and to address growing risks from theft and misuse of personal data.
MAS’ chief cybersecurity officer Tan Yeow Seng said: “Personal information such as NRIC number and date of birth are often provided by members of public for various purposes, such as filling in an application form. This information, if fallen into the wrong hands, can be used for impersonation fraud.
“Financial institutions already have in place these identity verification practices. The proposed Notice [outlined in the consultation paper] will further bolster consumer confidence in financial institutions by making these identity verification practices compulsory during non-face-to-face financial transactions,” Tan said. “Consumers should also play their part by not disclosing their online banking login credentials such as account username, PIN number, and one-time password.”
The industry regulator said it was seeking feedback on the proposed requirements, which should be submitted before December 9.
In a separate statement Tuesday, MAS also urged the need for financial institutions to review their security controls as remote work and other safe management measures, implemented due to the COVID-19 pandemic, could give way to added technology-related risks.
It recommended a list of added controls these organisations should consider adopting, such as reviewing whether their current risk profiles had changed and remained acceptable and if they had adequate risk mitigating measures. They also should step up oversight of third-party vendors and their controls, monitoring and securing remote access by third-parties to their systems.
In addition, MAS recommended that financial institutions strengthened the governance of the use of open source software, which vulnerabilities typically were targeted and exploited by threat actors. These organisations should establish policies and procedures on the use of open source software and ensure software codes were reviewed and tested before deployment.
MAS’ managing director Ravi Menon said: “As the [pandemic] prolongs, [financial institutions’] resilience will come under greater stress as cyber attackers look for new vulnerabilities. Financial institutions must remain alert and nimble and strengthen their defences against emerging cyber threats.”
The industry regulator in August last year implemented new legislation aimed at enhancing the cybersecurity posture of financial organisations, outlining mandatory requirements with which these businesses would have to comply by August 2020. The Notice on Cyber Hygiene outlined steps these businesses must take to mitigate the growing risk of cyber threats, including complying with six main requirements such as implementing robust security for IT systems, ensuring updates were applied “in a timely manner” to address system security flaws, and deploying security devices to restrict unauthorised network traffic.
it also would be mandatory for these companies to implement measures to mitigate risks of malware infection, secure the use of system accounts that have special privileges, and beef up user authentication for critical systems, including systems used to access customer data.
