Following the recent cybersecurity breach involving the personal particulars and medical data of 1.5 million SingHealth patients, including those of Prime Minister Lee Hsien Loong, the Monetary Authority of Singapore (MAS) has circulated a reminder to all banks to “tighten their customer verification processes”.
In a press release dated 24 July, MAS stated that banks in Singapore are “already required to put in place two-factor authentication (e.g. PIN and One-Time-Password) at login” when identifying customers of online financial services.
MAS has also instructed financial institutions to “implement an additional layer of control to authorise high-risk transactions”, such as the “opening of beneficial accounts, registration of third party payee details and revision of funds transfer limits”.
MAS also noted that personal particulars — name, NRIC number, address, date of birth, etc. — are “generally not used as the sole means of verification by financial institutions”, as such details are “freely given out by members of the public for various purposes, such as when filling out lucky draw coupons or surveys”.
Consequently, MAS has specified that supplementary details such as “a One-Time Password, PIN, biometrics, and the last transaction date or amount” must be used to verify transactions made by clients.
MAS has instructed all financial institutions to carry out “a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions”.
The Authority also stated that it will “engage financial institutions on their risk assessments and mitigation steps”, which are to be carried out immediately by the institutions.
MAS’ Chief Cyber Security Officer, Mr Tan Yeow Seng, said: “MAS will work closely with the financial institutions to ensure that robust cyber defences are in place so that customers can carry out online financial transactions with confidence.”
“But customers must also play their part. They must safeguard their passwords and practise good cyber hygiene.”
“If they suspect any fraudulent transactions in their accounts, they should notify their banks immediately,” he concluded.