What does a bank’s ‘kill switch’ kill? It became a point of contention after a victim lost money: Commentary
Source: Straits Times
Article Date: 16 Dec 2024
Author: Irene Tham
Banks are divided into two camps over what services their kill switches affect, particularly when it involves Giro.
In October, a customer called a bank to freeze all his cards and savings, only to discover later that not all fund transfers were disabled.
It could well be that the customer expected the bank’s “kill switch” to be a master switch in turning off the funding tap for everything linked to it further downstream – and reasonably so.
But a day later, the customer’s compromised Wise multi-currency e-wallet could still be topped up with his linked POSB account. An unauthorised transfer of a total of $3,000 eventually went to an unknown overseas account through Wise.
The customer had no clue the transactions took place until it was too late.
He was a victim of an elaborate hack that involved a criminal abusing stolen login credentials to control his e-SIM, including one-time passwords, and online financial accounts. It did not help that the victim used the same login credentials across multiple online accounts, easing the hacker’s access to these accounts.
The incident has thrown a spotlight on what the banking kill switch actually does.
How did the victim still lose money even though he had frozen his cards and savings?
Since October 2022, all retail banks here have rolled out their versions of the mandatory kill switch to let customers freeze all cards and accounts if they suspect their login credentials have been compromised.
The kill switch – which can be turned on by calling a bank hotline, or via the bank’s app or website – is meant to limit potential losses to hackers, after some 790 OCBC Bank customers were swindled of $13.7 million in phishing attacks in December 2021 and January 2022.
But there is one big problem.
Depending on which bank you speak to, the kill switch has a different function.
Banks are divided into two camps over which services their kill switches affect, particularly when it involves Giro, a direct debit mechanism first set up in 1984 for people to pay bills.
In one camp, OCBC, Citibank and HSBC cut off Giro (incoming and outgoing) when customers activate the kill switch.
This means existing arrangements to receive monthly salary over Giro, and regular payments to organisations such as the Inland Revenue Authority of Singapore, country clubs, schools, town councils and insurance firms, will be disrupted. Customers will need to find other ways to continue to receive their salary or pay their bills.
Meanwhile, DBS Bank, POSB, UOB, Standard Chartered Bank and Maybank’s kill switches do not kill off Giro – and understandably so.
Who wants the hassle of setting up new payment methods across so many billing organisations?
Not all banks communicate which services their kill switches affect on their websites, and customers are none the wiser.
Unfortunately for the POSB customer who lost money in October, the unauthorised transfers were made through Giro, which links his POSB savings account to his Wise e-wallet.
A Monetary Authority of Singapore (MAS) spokesperson told The Straits Times: “MAS expects retail banks to provide a way for customers to promptly disable mobile and online banking access and outward payment transfers. Banks should disclose clearly to customers the access and transactions that will be disabled and which functions or transactions will still be operational and give customers the opportunity to disable those.”
For the longest time, Giro has been a safe and convenient mechanism to pay all kinds of bills. In recent times, it has also become a popular way to top up e-wallets such as those of Grab, Wise and YouTrip to facilitate e-commerce payments, including to overseas entities.
For the uninitiated, Giro transfers need to be authorised only once, at the point the link is established. Subsequent transfers – which can be initiated by the billing organisation or through e-wallet apps – need no authorisation from the user.
This explains why the hacker was able to easily top up the POSB customer’s Wise e-wallet, and steal the funds.
In a statement to ST, POSB said the customer’s bank account was not compromised or hacked.
The customer could not be named. ST understands that he has signed a non-disclosure agreement with POSB and his telco Giga, a sub-brand of StarHub.
The police confirmed that the victim had lodged a report, and investigations are ongoing.
The Infocomm Media Development Authority is also investigating StarHub for failing to verify the identity of users requesting to port their Giga e-SIMs to another phone.
This is how the POSB customer lost control of his Giga e-SIM.
Many questions remain to be answered.
It is not clear if POSB had explained to the customer that Giro arrangements would be excluded from the coverage of the kill switch, or if the customer had explicitly asked for Giro to be excluded, since it would be inconvenient to find other ways to receive salary or pay bills.
In its statement, DBS said its Safety Switch does not, by default, block incoming fund transfers or existing Giro arrangements.
“This is to ensure we strike a balance between enhanced security and unnecessary disruptions to the customer’s recurring payments or the crediting of their salary,” said a spokeswoman. However, customers can still ask for all Giro links to be cut off, she added.
It could well be that the POSB customer had no clue his Wise e-wallet could still be topped up even after turning off the funding tap upstream with the bank.
Now that the incident has cast a shadow over Giro, it is perhaps time for MAS to step in.
Given that most bank customers would not be cued to ask for Giro to be disabled, MAS could standardise its regulation over how banks define their kill switches. For instance, it could mandate that Giro be included in all kill switches. But this approach has its disadvantages.
Imagine the inconvenience.
Alternatively, MAS could disallow e-wallets from being topped up through Giro. This approach will protect the Giro scheme (which has been entrenched in most people’s way of life for 40 years) from abuse and disruption.
Also, why must e-wallets be topped up via Giro since these e-wallets can also be topped up via other means, such as PayNow, credit or debit cards, which fall under all banks’ kill switches?
Multi-currency e-wallets like Wise and YouTrip – which allow for funds to be easily transferred overseas – are prime targets for criminals. Also, these e-wallets can now process and hold more funds, possibly resulting in greater losses.
In 2023, Singapore’s Payment Services Act was amended to allow the maximum funds held in e-wallets to be raised from $5,000 to $20,000. The maximum annual flow through an e-wallet has also been raised from $30,000 to $100,000.
Giro is the weakest link in the e-wallet payment chain since authorisation is required only once: at the point the link is established between a savings account and an e-wallet. This weak link has to be strengthened.
Mandate that Giro be included in kill switches for consistency, or carve Giro out just for established billing organisations. Giro should not be thrown into the modern e-wallet mix.
Source: Straits Times © SPH Media Limited. Permission required for reproduction.
1894