OCBC have implemented a security feature on OCBC Digital app to further safeguard their customers from malware

SantyBalls (Banned) · Joined Dec 25, 2022 · Messages 5,589 · Reaction score 2,294
Yes banking apps should disable user ID and password to login mobile browser or app. This is really very insecure due to phishing scam.

Can only login mobile IB through fingerprint or face only.

I believe remote hackers cannot bypass the fingerprint and face login.
true multifactor authentication is achieved when using web browser. unlike mobile app which everything is thru the app
 

SantyBalls (Banned) · Joined Dec 25, 2022 · Messages 5,589 · Reaction score 2,294
I am unconvinced that a hardware token is effective against scams. The low-ses, non-tech-savvy will gladly enter the 2FA generated by a hardware token into the scammer's website to authorise the transaction, which was what they did with the SMS OTP.

Letting the bank decide the IT requirements to use their online banking should be more effective. Another way will be allowing only people that fit a certain profile to use online banking (such as tertiary educated) but this will cause more political backlash.
if you ever used hardware token before, it requires that users enter some combi onto the device, and then enter the generated response from the token.

it's much more secure than pressing approve and placing your thumb on your fingerprint sensor
 

twosix (High Supremacy Member) · Joined Nov 27, 2000 · Messages 27,274 · Reaction score 7,370
if you ever used hardware token before, it requires that users enter some combi onto the device, and then enter the generated response from the token.

it's much more secure than pressing approve and placing your thumb on your fingerprint sensor
Provided you dun bring the hw token out. If not it is not secure too if someone stole it and know your account name and password.

If use fingerprint, even if you lose your phone, no one can enter the phone.

Hw tokens are using 2FA. Whereas fingerprints are like passkeys. Passkeys are the preferred login method now.
 

SantyBalls (Banned) · Joined Dec 25, 2022 · Messages 5,589 · Reaction score 2,294
Provided you dun bring the hw token out. If not it is not secure too if someone stole it and know your account name and password.

If use fingerprint, even if you lose your phone, no one can enter the phone.

Hw tokens are using 2FA. Whereas fingerprints are like passkeys. Passkeys are the preferred login method now.
How the hell ppl know that token is yours if a random fella picked it up? You write your user id and pw on it ar LOL

Use fingerprint, lose phone, no one can enter your phone?
You never see before how to lift a fingerprint from a phone surface and use it to unlock the phone?

Just bcoz 1 is preferred, doesn’t mean it's more secure 😊
 

turtle2018 (Member) · Joined Mar 23, 2018 · Messages 201 · Reaction score 187
if you ever used hardware token before, it requires that users enter some combi onto the device, and then enter the generated response from the token.

it's much more secure than pressing approve and placing your thumb on your fingerprint sensor

Yes, this is what Bank Of China hardware token does. It's not a simple OTP, but some lengthy digits (with some logic). It's harder for scammers to perform social engineering, unless you are really dumb or blurred.
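
The challenge-response flow described in the posts above, compared with a plain OTP, as an added illustration that is not part of the original thread and not any bank's actual algorithm. The challenge format, the HMAC-SHA256 construction with RFC 4226-style truncation, and the seed and account values are all assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

def _truncate(mac: bytes, digits: int = 8) -> str:
    """RFC 4226-style dynamic truncation of an HMAC to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def plain_otp(seed: bytes, counter: int) -> str:
    """Counter-based OTP: the code carries no information about the transfer."""
    return _truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest())

def challenge_for(payee_account: str, amount_cents: int) -> str:
    """Digits the user keys into the token (hypothetical format):
    last 6 digits of the payee account followed by the amount in cents."""
    return f"{payee_account[-6:]}{amount_cents:010d}"

def token_response(seed: bytes, challenge: str) -> str:
    """What the token displays after the challenge is keyed in."""
    return _truncate(hmac.new(seed, challenge.encode(), hashlib.sha256).digest())

def bank_accepts_otp(seed, counter, code, payee_account, amount_cents) -> bool:
    # The transfer details play no part in the check.
    return hmac.compare_digest(plain_otp(seed, counter), code)

def bank_accepts_response(seed, response, payee_account, amount_cents) -> bool:
    # The bank recomputes the challenge from the transfer it actually received.
    expected = token_response(seed, challenge_for(payee_account, amount_cents))
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    seed = b"constructed-demo-seed-not-a-real-key"  # constructed sample value
    intended = ("0012345678", 5_000)      # transfer the customer means to approve
    submitted = ("0099887766", 500_000)   # a different transfer presented with the same code
    otp = plain_otp(seed, counter=7)
    resp = token_response(seed, challenge_for(*intended))
    return {
        "otp_intended": bank_accepts_otp(seed, 7, otp, *intended),
        "otp_other": bank_accepts_otp(seed, 7, otp, *submitted),
        "signed_intended": bank_accepts_response(seed, resp, *intended),
        "signed_other": bank_accepts_response(seed, resp, *submitted),
    }

if __name__ == "__main__":
    print(demo())
```

The binding only protects a customer who recognises the keyed-in digits as the payee and amount, which is the social-engineering objection raised earlier in the thread.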
 

twosix (High Supremacy Member) · Joined Nov 27, 2000 · Messages 27,274 · Reaction score 7,370
How the hell ppl know that token is yours if a random fella picked it up? You write your user id and pw on it ar LOL

Use fingerprint, lose phone, no one can enter your phone?
You never see before how to lift a fingerprint from a phone surface and use it to unlock the phone?

Just bcoz 1 is preferred, doesn’t mean it's more secure 😊
You really show ur ignorance. Please go and read more on 2FA and passkeys.

If u think hw token is the way, then you better dun bring it out and haolian..
 

zhanhuju (Member) · Joined Dec 30, 2022 · Messages 467 · Reaction score 481
How the hell ppl know that token is yours if a random fella picked it up? You write your user id and pw on it ar LOL

Use fingerprint, lose phone, no one can enter your phone?
You never see before how to lift a fingerprint from a phone surface and use it to unlock the phone?

Just bcoz 1 is preferred, doesn’t mean it's more secure 😊
Exactly a lot of jokers wet their pants at fancy security keywords
Out of band is always more secure.
If you do threat modeling, who are the scammers?
They are remote operators operating from other countries.
They are not able to hire some guy in Singapore to track you down steal your token, it is too much effort.
There are really jokers here who really know nuts but want to comment on InfoSec.
The only way hardware token fails is the random seed is leaked, at backend or at the token, but the token is designed to fail when tampered, if the banking server backend is compromised the 2FA would be the least of your worries.
 

zhanhuju (Member) · Joined Dec 30, 2022 · Messages 467 · Reaction score 481
Anyway so many OCBC/MAS IBs here.
Look, when their banking app detected officially safe applications as malware then it is a false positive which means MEGA FAIL, no excuses.
Whether an app is malicious or not is not determined by whether you use this app/android or not.
It is if the application exhibits malicious behaviour, not because some loser ah beng on EDMW think so.
 

SantyBalls (Banned) · Joined Dec 25, 2022 · Messages 5,589 · Reaction score 2,294
Anyway so many OCBC/MAS IBs here.
Look, when their banking app detected officially safe applications as malware then it is a false positive which means MEGA FAIL, no excuses.
Whether an app is malicious or not is not determined by whether you use this app/android or not.
It is if the application exhibits malicious behaviour, not because some loser ah beng on EDMW think so.
ocbc app is not an antivirus leh. how you expect it to monitor for malicious behaviour?

all it can do is scan your app list and not allow you to use the app if there are any that comes from unknown sources?
 

SantyBalls (Banned) · Joined Dec 25, 2022 · Messages 5,589 · Reaction score 2,294
You really show ur ignorance. Please go and read more on 2FA and passkeys.

If u think hw token is the way, then you better dun bring it out and haolian..
it's funny i said something similar to you but decided to be kind and edited and removed it.

you are funny.

you can only see that little piece of sky above your well. you dont even bother taking into account the vectors of attack.
all you know is PaSsKeYs ArE bEtTeR tHaN mUlTiFaCtOr AuThEnTiCaTiOn
 

hwsstx (Master Member) · Joined Sep 26, 2016 · Messages 4,100 · Reaction score 3,067
OCBC’s new anti-scam measure upsets some users; bank clarifies only apps with risky permission settings flagged
https://www.channelnewsasia.com/sin...malware-anti-scam-permission-settings-3687336
Huh? Now something new, only apps with risky permission settings flagged...it said not all apps from unofficial platforms will be flagged by its latest security update.

He added that other sideloaded apps that do not have the risky permission settings will not be affected.


So OCBC dug deep enough to check on all the apps' permission? Wow!... invasion of privacy!

WT!
 

jas1701 (Master Member) · Joined Mar 8, 2007 · Messages 3,608 · Reaction score 224
if other banks implement same thing, I might jus go for 2phones instead. 1 phone especially for banking apps use only, OTP will send to phone 2 which is daily usage. not sure if this way hackers can still put malware through.
 

Nevereatrice (Honorary Member) · Joined May 15, 2015 · Messages 145,279 · Reaction score 26,141
if other banks implement same thing, I might jus go for 2phones instead. 1 phone especially for banking apps use only, OTP will send to phone 2 which is daily usage. not sure if this way hackers can still put malware through.
Cannot use paynow. Song bo
 

crystalnox (Supremacy Member) · Joined Feb 2, 2006 · Messages 8,626 · Reaction score 2,224
OCBC’s new anti-scam measure upsets some users; bank clarifies only apps with risky permission settings flagged
https://www.channelnewsasia.com/sin...malware-anti-scam-permission-settings-3687336
Huh? Now something new, only apps with risky permission settings flagged...it said not all apps from unofficial platforms will be flagged by its latest security update.

He added that other sideloaded apps that do not have the risky permission settings will not be affected.


So OCBC dug deep enough to check on all the apps' permission? Wow!... invasion of privacy!

WT!
I feel OCBC should give the option of signing a waiver to be able to use the ocbc app no matter what is installed on their phone, in return if the user does get scammed or hacked, it's entirely on the user. OCBC will bear no responsibilities.
 

pokipoki08 (Master Member) · Joined Aug 29, 2008 · Messages 3,707 · Reaction score 1,591
if you ever used hardware token before, it requires that users enter some combi onto the device, and then enter the generated response from the token.

it's much more secure than pressing approve and placing your thumb on your fingerprint sensor
I believe hardware tokens have some hidden issues
(apart from cost)
it's been in use for years
but no succession in place
limited circulation and availability
with no proper explanation for discontinuation
it's strange for a tech product

issues are not made known
to protect those currently using

usa gov agencies and contractors
use fido2 keys now
which can generate pin for authentication
support in-key biometrics

reference
https://fidoalliance.org/u-s-general-services-administrations-rollout-of-fido2-on-login-gov/
https://www.identiv.com/products/logical-access-control/utrust-fido2-security-keys/gov
 

SantyBalls (Banned) · Joined Dec 25, 2022 · Messages 5,589 · Reaction score 2,294
I feel OCBC should give the option of signing a waiver to be able to use the ocbc app no matter what is installed on their phone, in return if the user does get scammed or hacked, it's entirely on the user. OCBC will bear no responsibilities.
Such waiver no use 1 if found the cause is the bank's fault for lack of security measures. Mas will just force bank to compensate. Whether is mas help to compensate, or bank compensate, only they know.

Worldwide, all companies are by law required to report data breaches and hacking, except banks. Banks will only need to report to the respective country's monetary authority. And they sort out the issues internally.
This is to prevent a classic nationwide bankrun.

Ocbc is the bank with the most old ppl with their entire life savings inside. That's why they were ordered to do this first.

I believe hardware tokens have some hidden issues
(apart from cost)
it's been in use for years
but no succession in place
limited circulation and availability
with no proper explanation for discontinuation
it's strange for a tech product

issues are not made known
to protect those currently using

usa gov agencies and contractors
use fido2 keys now
which can generate pin for authentication
support in-key biometrics

reference
https://fidoalliance.org/u-s-general-services-administrations-rollout-of-fido2-on-login-gov/
https://www.identiv.com/products/logical-access-control/utrust-fido2-security-keys/gov
There's a higher security hardware token than the ones bank use, but very costly. Usually given to vips or staff
Not really feasible for mass market.

Now the problem with these apks is they are able to click accept on your bank app for you lol. And these ppl are tricking ppl to unlock their fingerprint
 

kennyboy (High Supremacy Member) · Joined Nov 30, 2000 · Messages 43,146 · Reaction score 43
No need to dig. All apps need to request permissions to the OS, which is then available to apps that ask for it.

Most probably apps that allow remote access will get it. Even apps from the store also kenna like Rustdesk. Not sure why MS Authenticator kenna also. My wife also pissed off cos she needs it for work.
 