January 11, 2024
SINGAPORE – The authorities are calling on app developers here to better secure online transactions through stronger authentication and malware detection tools, as part of renewed efforts to protect online spaces.
Spelt out in the newly launched Safe App Standard by the Cyber Security Agency of Singapore (CSA), the guidelines aim to make high-risk transactions via all kinds of apps, including e-commerce ones, more secure.
Announcing this on Jan 10, Minister for Communications and Information Josephine Teo said: “As apps are the most common way to transact online, we also need app developers to design for security.”
The Safe App Standard also aims to better protect app users against common malware and phishing attempts by malicious actors exploiting weaknesses in the app design.
“For example, apps could be designed to require additional authentication of a user before authorising high-risk transactions, such as those providing access to our assets or savings,” she added.
Mrs Teo was responding to a parliamentary motion filed by five members of the Government Parliamentary Committee (GPC) for Communications and Information, together with five other MPs from the People’s Action Party (PAP), urging the Government to strengthen efforts to build an inclusive and safe digital society.
The 10 MPs asked for 13 specific actions to be taken, including calling on digital service providers to strengthen safeguards against malware, as well as encouraging all banks and e-commerce platforms to adopt stronger authentication solutions.
Speaking in Parliament, Ms Tin Pei Ling (MacPherson) – who chairs the Communications and Information GPC – said issues such as the rising prevalence of scams had undermined public trust in digital services.
Ms Hany Soh (Marsiling-Yew Tee GRC) said banks and e-commerce platforms could do more to prevent losses from online scams.
Ms Soh, who is also a member of the GPC, related the example of a couple in their 60s, residents of her Woodgrove ward, who lost $800,000 in life savings due to two large transactions related to an impersonation scam.
“The bank should have made calls to them to seek confirmation on the abnormal request before releasing the funds,” she said.
Associate Professor Jamus Lim (Sengkang GRC) pointed out that in the Monetary Authority of Singapore’s (MAS) loss-sharing framework for phishing scams, consumers would have to bear the full cost of a scam if financial institutions and telcos had fulfilled certain criteria.
Describing this arrangement – set out in a consultation paper released in October – as “fundamentally unfair”, the Workers’ Party MP suggested that scam victims should bear no more than $100 to $500 in losses, with banks and telcos bearing the rest of the costs instead.
This would be a “reasonable amount of loss” to encourage consumers to take precautions, while preventing financial institutions from passing on most of the costs of losses, he said.
Nominated MP Ong Hua Han noted that banks in Singapore have removed clickable links in e-mails and text messages sent to customers, as part of efforts to enhance the security of digital banking.
He asked if non-bank financial institutions such as digital investment platforms, which are currently not subject to such conditions, could also be required to conform to the same standards.
As part of the standard, developers will be encouraged to include malware detection capabilities in their apps, said Mrs Teo, noting that this has proven to be effective in disrupting unauthorised transactions using compromised devices.
The Safe App Standard also recommends the use of biometric authentication and multi-factor authentication code generators. The standard will be updated to include more such practices as they emerge or as technology evolves, Mrs Teo noted.
CSA will also consider how best to help users easily identify apps that meet the standard, she added.
“As the standard is new, we will assess its usefulness in due course and whether to keep it voluntary or make it mandatory,” she said.
Over more than four hours, 20 MPs spoke on the matter.
They included Workers’ Party chairwoman Sylvia Lim (Aljunied GRC), Non-Constituency MP Hazel Poa and Nominated MP Razwana Begum Abdul Rahim.
Separately, Deputy Prime Minister Lawrence Wong said the “money lock” feature, which allows customers to block funds in their bank accounts from being transferred digitally, has been activated on about 38,000 accounts, protecting more than $3.2 billion in savings in local banks since its launch in November.
In a written response to a parliamentary question by Mr Saktiandi Supaat (Bishan-Toa Payoh GRC), he said MAS is working with other major retail banks to introduce the feature.
MAS works with financial institutions to introduce technology to counter increasingly sophisticated scams, he added, pointing to an enhancement that blocks access to banking apps if apps from unverified app stores with access permissions turned on are installed.
“This enhancement has led to a significant reduction in the number of malware-enabled scams in recent months,” said DPM Wong.
Calls to action
As part of the motion on Building an Inclusive and Safe Digital Society, the Communications and Information GPC, together with other PAP MPs, set out 13 calls to action, urging a whole-of-nation approach to make online spaces safer and more inclusive.
1. Government to take the lead to set up an information-sharing mechanism with industry, modelled after “Stop Scams UK”.
2.Government to further integrate expertise and prioritise resources to regulate and enforce online safety.
3. Device manufacturers and digital service providers to strengthen safeguards against malware, and ensure their offerings are safe by design and default.
4. Banks and e-commerce platforms to adopt stronger authentication solutions like Fast Identity Online passkeys to keep people’s accounts secure.
5. Everyone can play his or her part in making Singapore’s digital society safe, gracious and inclusive.
6. Holding social media services accountable for the proliferation of harmful content and malicious advertisements.
7. Reviewing the approach to victims of scams linked to unauthorised transactions, with larger players doing more to prevent losses and share consequences.
8. Requiring social media services and app distribution services to step up age assurance measures to better protect young users from harmful content.
9. Requiring social media services and app distribution services to improve timeliness in responding to user reports on harmful content on their platforms.
10. Requiring essential service providers to ensure accessibility for all.
11. Driving corporates and community organisations to promote awareness of essential digital skills and partner the public sector to help close digital skill gaps.
12. Driving stronger partnerships among the public and private sectors as well as individuals to deepen focus on educating the young and old on digital literacy, scams and online harms.
13. Strengthening efforts in establishing future-ready workplaces for a more digitally-savvy workforce.