Singapore mandates face authentication for ‘higher risk’ bank transactions

Singapore has mandated the use of facial recognition as authentication for “higher risk” banking transactions, in a bid to stem growing scams in the country.

Retail banks will roll out Singpass Face Verification over the next three months to beef up the setup process for digital tokens, according to a joint statement released Wednesday by industry regulator Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS). 

Verification mode will be triggered in higher-risk scenarios to complement existing authentication methods for setting up digital tokens, they said. Ultimately, face scans verify a customer’s identity against Singapore’s records before the digital token can be activated for use by the customer. 

“This makes it more difficult for a scammer to take over a customer’s digital token by setting it up on his own device using phished credentials such as an SMS, one-time passwords (OTPs), and/or bank card information,” MAS said.

Customers who do not already have a Singpass account will have to register for an account and download the Singpass app before they can set up digital tokens for their bank accounts. 

Introduced in 2003, Singpass is the national digital identity used to authenticate access to various online activities in Singapore, including e-government services, document signing, and booking medical appointments. It is used in more than 2,700 services across 800 government agencies and businesses, with authentication via biometrics or SMS two-factor authentication (2FA). 

Singpass currently has more than 4.2 million users, processing more than 41 million transactions each month, according to government agency GovTech.

The latest move is part of security measures banks in Singapore have implemented, including a kill switch, to safeguard customers against scams. In July, local banks DBS, OCBC, and UOB also unveiled plans to retire the use of one-time passwords (OTPs) for customers who have digital tokens.

ABS director Ong-Ang Ai Boon said: “Singpass Face Verification gives customers increased protection against unauthorized access to their bank accounts, adding to the suite of measures and tools that banks have provided customers to empower them to guard themselves against scams. While banks will continue to do their part to fight scams, customers need to be vigilant themselves and practice good cyber hygiene.”

It’s a critical move as digital tokens are used to approve subsequent transactions, noted Loo Siew Yee, MAS’ assistant managing director for policy, payments, and financial crime.

Banks such as DBS, for instance, use additional verification for higher-risk scenarios that involve adding a payee or updating personal particulars.

Singapore’s ongoing efforts to beef up the cyber resilience of banks come amid growing attacks targeting the financial services sector. 

The industry remains the world’s most frequently targeted for Layer 3 and 4 distributed denial-of-service (DDoS) attacks for the second consecutive year, according to Akamai Technologies’ latest State of the Internet (SOTI) report. Such attacks aim for network and transport layers with the intent to overwhelm network infrastructures and clog bandwidth.

Financial services sector remains a popular target for attack

Financial services account for 34% of DDoS attacks, followed by gaming at 18%, and high technology at 15%, as documented in the report, whose insights are based on data from Akamai Connected Cloud. 

It attributed the spike in DDoS activities to ongoing geopolitical tensions that drove up hacktivism, with the involvement of well-known threat actors including REvil, BlackCat (ALPHV), and KillNet, commonly linked to the Russia-Ukraine war.

In addition, 36% of all suspicious sites monitored by Akamai are implicated in brand impersonation and abuse activities targeting the financial services sector. Phishing attacks also dominate counterfeit sites targeting financial services, accounting for 68% of all recorded instances. 

Akamai further pointed to a sharp climb in the number of Layer 7 DDoS attacks that specifically target applications via APIs (application programming interfaces). “A major concern [is] undocumented shadow APIs, which are often unprotected because information security teams are unaware of their existence,” the report noted. “Attackers can exploit these APIs to exfiltrate data, bypass authentication controls, or perform disruptive acts.”

In particular, the Asia-Pacific region clocked the highest median threat score for phishing attacks, according to the Akamai study. Specifically, it saw a high number of suspicious domains and requests. 

The region’s high digital adoption as well as active engagement on social media put its financial sector in a vulnerable position to cyber attacks, Akamai said. 

It added that the region also faces unique cybersecurity challenges due to its fragmented landscape, where countries in the West and Global South with strong gross domestic product (GDP) make it a prime target for attacks. 

“The rapid digitalization in banking, combined with low awareness of phishing dangers, puts consumers at a higher risk of attacks despite this region having fewer phishing or brand impersonation domains compared to other parts of the world,” the report noted. “This indicates that consumers in the region are at a higher risk of having their banking information and other sensitive data stolen when visiting websites.”

With almost all services available online, alongside financial organizations’ increased engagement on social media, Asia-Pacific’s internet adoption makes it a prime target for cybercriminals. It provides more avenues for phishing and impersonation attacks, exploiting users’ trust in these platforms. 

“Financial institutions in [the region] face a trifecta of challenges in today’s landscape such as safeguarding assets and data, ensuring compliance, and staying ahead of innovation to educate customers on the latest phishing and scam tactics,” said Reuben Koh, Akamai’s Asia-Pacific Japan director of security technology and strategy. 

“With financial services continuing to be the most targeted industry in Asia-Pacific, including Japan, for web application and API cyberattacks, technology decision-makers like chief information security officers must carefully decide where to automate, delegate, and outsource, ensuring scalable security solutions that not only defend assets but also preserve customer loyalty in an increasingly digital world.”
