Singapore has a burgeoning cybercrime problem targeting the financial services sector. Image: X Screengrab

Singapore has emerged as a highly digitalized market post-pandemic and is widely regarded as an innovation hub in Southeast Asia. Research from Google, Temasek and Bain indicates that ASEAN’s digital economy will surpass S$396 billion (US$300 billion) in gross merchandise value by 2025, with financial services digitalization a primary growth factor.

Singapore’s financial services sector is one of the most innovative and competitive in the world; financial institutions are increasingly adding new offerings, features and interactive customer experiences. However, this rapid digital transformation has attracted cybercriminals seeking to exploit the growing digital landscape.

Financial institutions handle sensitive personal and business data for thousands of customers, including banking details, login credentials and high-value transactions. This makes them both extremely vulnerable and frequent targets of cyberattacks in Singapore, often through malware or phishing, and makes the financial services sector one of the industries most targeted by cybercriminals today.

Singapore’s financial services industry was the leading target of phishing attacks in 2022 according to the Cyber Security Agency (CSA) in Singapore, with more than 80% of reported phishing sites found to be impersonating financial institutions.

Most of these attempts spoofed banks and financial services providers, and most originated from external threat actors, according to Verizon’s 2024 Data Breach Investigations Report (DBIR).

Huge losses from banks and pension funds

Nearly 2,000 Singaporean victims fell for a spate of Android malware scams and at least S$34.1 million was lost in 2023, according to the Singapore Police Force (SPF) annual scams and cybercrime brief in February 2024. Scammers have reportedly used Facebook, WhatsApp, Instagram and TikTok to phish their victims.

One of the highest-profile recent phishing scams was with OCBC in December 2021, with S$13.7 million lost. Several victims reported losing their life savings in minutes due to spoofed SMS messages appearing in the same conversation thread as real messages from their bank, which then redirected them to fake bank websites.

Out of goodwill, the bank reimbursed the affected customers in full, even though it was arguably not at fault. Legally, a customer has no recourse against their financial service provider when the customer is deemed responsible for the chain of events that led to the loss.

Phishing scams that impersonate banks to steal users’ bank or pension account login credentials continue to make headlines in Singapore. However, this type of theft is preventable and the financial services industry and banking regulators can and should do more to protect Singaporeans from unauthorized access to their online accounts.

Fake ads lead to credential theft

The modus operandi of these scams has involved enticing victims with “investment opportunities” advertised on social media platforms. These ads, when clicked, lead to messaging apps or counterfeit investment websites. Here, victims are prompted to register for an account, unwittingly providing their personal and banking details, which are then used for fraudulent activities.

Best practice is for every financial institution to move on from legacy forms of multi-factor authentication (MFA), such as authenticator apps or one-time passcodes (OTPs) sent via SMS, both of which are vulnerable to phishing. While MFA can be a strong first line of defense, not all forms of MFA are equal.

Instead, companies need to adopt strong phishing-resistant MFA tools like hardware security keys. Phishing-resistant MFA relies on cryptographic verification between devices, or between the device and the legitimate domain, so that the authentication process cannot be compromised or subverted by a lookalike site.

They require something you know (a PIN), something you have (the key), and something you are (a physical touch) to gain access to the account.

Unfortunately, the traditional authentication tools and reactive methods designed to protect customers are insufficient, and the financial services industry needs to move to a proactive approach to cybersecurity.

Poor reactive approach to cybersecurity

Pension accounts in Singapore are now automatically locked, with the lock activated through the CPF website, which disables all online withdrawals. Members can re-enable online withdrawals by increasing their daily withdrawal limit, which requires enhanced authentication and a 12-hour cooling period.

Singaporean banks also offer this locking feature, but customers must phone their bank to unlock their accounts, which can be inconvenient and slow. There are better ways to authenticate the owner of a bank or pension account than locking the account altogether. These anti-malware measures degrade the customer experience when performing banking transactions.

Financial institutions that fall on the wrong side of cyberattacks face regulatory implications. Singapore’s Financial Services and Markets Bill grants the Monetary Authority of Singapore the powers to enforce technology risk management requirements.

It has increased the financial penalty for local financial institutions that suffer a security breach due to oversight to S$1 million per incident.

Proactive cyber protection for customers with phishing-resistant passkeys

With this reactive approach to cybersecurity, Singapore’s financial institutions can only respond after a breach has occurred. A proactive approach to cybersecurity would let them prevent breaches in the first place.

A highly effective method of enhancing financial institutions’ security is to introduce mandatory modern phishing-resistant MFA for bank and pension accounts, which includes passkeys – a new name for FIDO2 passwordless-enabled credentials, a standard that replaces password-only logins with more secure passwordless experiences.

Modern MFA requires customers to provide a strong modern authentication method, such as a passkey, which adds an extra layer of security that prevents unauthorized access and theft. However, there are key differences when it comes to the kinds of passkeys available.

A tale of two passkeys: syncable and device-bound

Unlike passwords, passkeys use public key cryptography, which relies on a pair of related keys: the public key is stored by the site or app, while the paired private key stays on the user’s device, which helps protect it from unauthorized access.

It is important to understand that there are two types of passkeys: syncable and device-bound. Syncable passkeys are stored in the cloud and can be shared across multiple devices, offering convenience but posing risks if devices are stolen or compromised.

Once a malicious actor has control of someone’s phone through malware, they have access to their syncable passkeys. Device-bound passkeys, stored on devices like phones, computers, or hardware security keys, including YubiKeys, provide a much higher level of security.

For optimal security, Singaporean financial services companies should mandate device-bound passkey authentication for all customers, balancing convenience with strong security. Then, even if a customer falls for a phishing scam or clicks on a suspicious link via a social media channel, their passkey can’t be stolen and their money is safe.

Geoff Schomburgk is Vice President for Asia-Pacific & Japan at Yubico.
