OCBC have implemented a security feature on OCBC Digital app to further safeguard their customers from malware

touchring1

Actually, you can no need to use their app, just uninstall it and use ocbc.com for banking. Or change to another bank which they probably don't care also.

ibanking was created for ease of convenience.

When ocbc come out with this, it add extra layer of protection and also cause inconvenience to users.
The funny part is users can just bypass it.

Before u ask that question, u need to understand what is the role of bank? do they got rights to our phone content? their purpose is just to shove off their responsibilities.
Secondly, they aren't blocking malicious apps.... they are blocking all third party apps.

Lastly, u can go think 101 ways to secure the apps.... but the scammers can think 102 ways to scam.
Nothing is foolproof from hacking..... Even if u come out with ocbc standalone phone, it is still hackable. It all boils down to user issue.
 

SantyBalls

ibanking was created for ease of convenience.
security is a game of how much convenience you are willing to give up for security.
When ocbc come out with this, it add extra layer of protection and also cause inconvenience to users.
The funny part is users can just bypass it.
they can bypass it with secondary environment because the app lets you do so. the victims of scam are unlikely to be savvy enough to use secondary env too, that's why it's still allowed.

Before u ask that question, u need to understand what is the role of bank? do they got rights to our phone content? their purpose is just to shove off their responsibilities.
Secondly, they aren't blocking malicious apps.... they are blocking all third party apps.
the android api to scan customer's apps has to be specially approved by google before developers can use it and publish their app on the appstore.
such approvals usually come with the support of local authorities :)

you wait and see how soon all other sg banks have this feature once ocbc's poc is successful la :)

fyi, this is come down from on top 1. not smth ocbc suddenly want to do

Lastly, u can go think 101 ways to secure the apps.... but the scammers can think 102 ways to scam.
Nothing is foolproof from hacking..... Even if u come out with ocbc standalone phone, it is still hackable. It all boils down to user issue.
then they need to think of 200 ways of preventing ways to scam :)
 

wongminmin

u go watch crime watch, the victim give their token passwords to scammer directly.

:whistle:
OCBC rolled out the digital token in 2019, a move that was expected to save it around $25 million over five years by eliminating the need to issue physical tokens and reducing one-time passwords that are sent by SMS.
 

duckne55

android api don't provide app scanning down to that level leh.

OCBC say they can do it leh, not me. https://www.ocbc.com/personal-banki...security?pid=OnlineSecurity::MBApp::08Aug2023

i take it that you have no understanding of the scope these malicious apps are capable of. these apps have no issue getting your pin, fingerprint, all the hacker need is to trick their victim into unlocking it once, which many are falling for.

There is no way the malicious app can access fingerprint or bypass a fingerprint screen, it is protected by TPM. The pin yes, accessibility can read, which is why I suggested both fingerprint+pin. I am also suggesting multiple fingerprint+pin sections that the attacker needs to pass, (1 at login, 1 to transfer)

the safest way is a separate device for mfa. which in this case would be a hardware token.

This I agree.
 
SantyBalls

that's their reason for blocking what. the api itself doesn't provide THAT much info, like what you described.

There is no way the malicious app can access fingerprint or bypass a fingerprint screen, it is protected by TPM. The pin yes, accessibility can read, which is why I suggested both fingerprint+pin.
you didn't read what i said ar? fingerprint can easily trick users to unlock lol. that's what is currently being done.

somemore most ppl would instinctively put their finger on their fingerprint scanner when prompted to
 

Mecisteus

OCBC say they can do it leh, not me. https://www.ocbc.com/personal-banki...security?pid=OnlineSecurity::MBApp::08Aug2023



There is no way the malicious app can access fingerprint or bypass a fingerprint screen, it is protected by TPM. The pin yes, accessibility can read, which is why I suggested both fingerprint+pin.



This I agree.
Yes banking apps should disable user ID and password to login mobile browser or app. This is really very insecure due to phishing scam.

Can only login mobile IB through fingerprint or face only.

I believe remote hackers cannot bypass the fingerprint and face login.
 

wongminmin

security is a game of how much convenience you are willing to give up for security.

they can bypass it with secondary environment because the app lets you do so. the victims of scam are unlikely to be savvy enough to use secondary env too, that's why it's still allowed.


the android api to scan customer's apps has to be specially approved by google before developers can use it and publish their app on the appstore.
such approvals usually come with the support of local authorities :)

you wait and see how soon all other sg banks have this feature once ocbc's poc is successful la :)

fyi, this is come down from on top 1. not smth ocbc suddenly want to do


then they need to think of 200 ways of preventing ways to scam :)
this is why i objecting now. :s34:
smart people indeed. :)
 

crystalnox

Bringing back the hardware token won’t help much, the root problem isn’t being resolved.

And that is the person falling for scams and fake apps/sites masquerading as the real thing. And these victims will still happily hand over their otp from the hardware tokens.
 

touchring1

I am unconvinced that a hardware token is effective against scams. The low-ses, non-techsavvy will gladly enter the 2FA generated by a hardware token into the scammer's website to authorise the transaction, which was what they did with the SMS OTP.

Letting the bank decide the IT requirements to use their online banking should be more effective. Another way will be allowing only people that fit a certain profile to use online banking (such as tertiary educated) but this will cause more political backlash.

For some reason, I'm usually more careful if need to use hardware token as opposed to SMS OTP. Especially those that need to enter an SMS key sent by SMS to generate the token key. Will double check.
 