Mitigating Risk Exposure of Bank Clients to Scammers


Practically every other day there is a scam story affecting people who accidentally clicked on a malware link.

Once their phones are controlled by the hackers, the money in their bank accounts disappears in no time, because the banking apps are installed on those same phones.

There is a way for the government and the public to reduce the risk of such problems: make it mandatory for people to keep their money in bank accounts whose apps are installed only on a safe device dedicated solely to banking apps.

-----------------------------------

Terminology

For the sake of this discussion, we shall use two terms to differentiate the phones used to install and operate bank apps.

  • DEDICATED DEVICE: This can be an older phone or notepad, usually running a lower version of iOS or Android. It is typically a device left abandoned in the house after the user upgraded to a newer model.

    The DEDICATED DEVICE can be kept in a safe place at home and turned on only when the bank apps are needed. It should NOT carry other apps that may contain malware. Access to the bank apps holding the larger sums of money (we call these the "MAIN ACCOUNTS") should be over a safe Wi-Fi connection.

  • DAILY USE DEVICE: This is the mobile device, e.g. a mobile phone or notepad, that we bring along in our daily activities. It carries all the other apps we use, BUT only ONE bank app needs to be installed here. That bank account is used as a "PETTY CASH VAULT", with an amount the individual decides on. If the phone is hacked, the maximum amount lost is only the amount kept in the petty cash vault.

    To put it simply, bank apps for accounts with big sums of money are placed on a separate device. Your DAILY USE DEVICE holds only a "PETTY CASH VAULT", with an amount of, say, RM1000. You can replenish it when needed while you are at home.

Unfortunately, this idea cannot be implemented fully UNLESS the following are addressed:

  • DEDICATED DEVICE

    Currently, as banks upgrade their apps, a higher version of iOS or Android is often required.

    To date, only the CIMB bank app can be installed on an old phone with iOS 12 or below. Before installing the bank apps, it is suggested to reset the phone to factory defaults, erasing any malware that may be hiding on it.

  • Multi-user accessibility: Allow the DEDICATED DEVICE to be used freely by members of the same family. This reduces the need for several DEDICATED DEVICES, one for each person. The problem I see now is that the latest bank apps require users to "bind" the app to a phone for certain security features; hence, other people cannot use the same app to log into their own bank accounts.
--------------------------------------------

Other risk mitigation measures that can be taken by the banks:

  • Banks should have ways to lock, for example, one's Fixed Deposits. If all access is via one set of login credentials, then at the very least require another two levels of security before large amounts can be transferred out.

  • Currently, biometrics are useful BUT they become a problem when the client is kidnapped. Biometrics make it easier to access all the accounts by simply holding the phone in front of the victim's face, or forcing the victim to put a finger on the sensor.

  • Risk mitigations: Banks should allow different accounts within the same bank to use different login IDs, or at least add another level of security before allowing the user to withdraw their Fixed Deposits.

    Currently, a single set of login credentials grants access to all accounts, including fixed deposits, which significantly increases the risk and exposes users to greater losses.

    At the same time, implementing device-based authentication for individual accounts would greatly enhance security and reduce the exposure.
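To make the proposal concrete, here is an added illustration (not code from the original post or from any bank) of the controls described above as a small authorization policy: each account is bound to one device, the petty cash vault has a spending cap, and fixed deposits demand two extra authentication levels beyond the normal login. The account names, factor labels ("password", "otp", "hardware_token") and amounts are assumptions chosen for the example.

```python
from dataclasses import dataclass
@dataclass
class Account:
    account_id: str
    kind: str  # "petty_cash", "main" or "fixed_deposit"
    bound_device: str  # the one device this account may be operated from
    balance: float
    cap: float = float("inf")  # spending cap; only the petty cash vault gets one

@dataclass
class TransferRequest:
    account_id: str
    amount: float
    device_id: str  # device the request comes from
    factors: frozenset  # authentication factors already presented

# Fixed deposits need two extra levels beyond the normal login (factor names assumed).
REQUIRED_FACTORS = {
    "petty_cash": frozenset({"password"}),
    "main": frozenset({"password", "otp"}),
    "fixed_deposit": frozenset({"password", "otp", "hardware_token"}),
}

def evaluate(accounts, req):
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up'."""
    acct = accounts.get(req.account_id)
    if acct is None:
        return ("deny", "unknown account")
    if req.device_id != acct.bound_device:
        return ("deny", "account is bound to a different device")
    missing = REQUIRED_FACTORS[acct.kind] - req.factors
    if missing:
        return ("step_up", "missing factors: " + ",".join(sorted(missing)))
    if req.amount > acct.cap:
        return ("deny", "amount exceeds petty cash cap")
    if req.amount > acct.balance:
        return ("deny", "insufficient balance")
    return ("allow", "ok")

def max_exposure(accounts, compromised_device):
    """Worst-case loss if one device is fully controlled by an attacker: only
    accounts bound to that device are reachable, each up to its cap."""
    return sum(min(a.balance, a.cap) for a in accounts.values()
               if a.bound_device == compromised_device)

SAMPLE = {a.account_id: a for a in [  # constructed sample accounts
    Account("petty", "petty_cash", "daily-phone", 1000.0, cap=1000.0),
    Account("savings", "main", "dedicated-phone", 50000.0),
    Account("fd", "fixed_deposit", "dedicated-phone", 200000.0),
]}
```

With the sample accounts, `max_exposure(SAMPLE, "daily-phone")` is the RM1000 petty cash cap, while a request to move fixed deposit money from the daily phone is refused outright because that account is bound to the dedicated device.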
