Singapore Banks Advised to Strengthen Customer Verification
After SingHealth Breach, Banks Advised to Beef Up Authentication
Following the recent data breach affecting 1.5 million patients of Singapore-based SingHealth, the country's largest healthcare group, the Monetary Authority of Singapore has asked all financial institutions to tighten their customer verification process by applying multifactor authentication.
The regulator has sent notification to all banks in Singapore asking them to avoid using customer verification that relies solely on the types of personal information lifted in the breach, such as name, National Registration Identity Card number, address, gender, race and date of birth.
The SingHealth breach exposed personal information for more than 25 percent of the country's residents. But authorities say they believe the "deliberate, targeted and well-planned attack" was designed to steal medical information pertaining to Lee Hsien Loong, Singapore's prime minister.
"To address any risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorized financial transactions, MAS has directed financial institutions to tighten their customer verification processes," MAS says in a statement.
"All financial institutions should not rely solely on the types of information stolen for customer verification. Additional information must be used for verification before undertaking transactions for the customer. This may include, for instance, one-time password, PIN, biometrics, last transaction date or amount, etc."
A best practice for financial institutions after the SingHealth data breach is to strictly limit the number of employees who have access to important data, some security experts advise.
Banks also urgently need to centrally manage identity, no matter the number of applications and people involved, says a security practitioner at a leading bank in Singapore, who asked not to be named. "Having key data stored in one server is extremely important. Yes it can be a hassle, but eventually this will help in mapping risks," the practitioner says.
Right Risk Assessment
As a precautionary step, MAS has also directed all financial institutions to conduct a risk assessment of the impact of the SingHealth incident on their control measures for financial services offered to customers, including transaction and inquiry functions. MAS instructed financial institutions to take immediate steps to mitigate any risks that might arise from the misuse of the compromised information.
For access to online financial services, banks in Singapore already are required to put in place two-factor authentication at login to identify their customers. Banks are also required to implement an additional layer of control to authorize high-risk transactions.
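As an added illustration (not code from the article, MAS or any bank), the following Python sketch encodes the two rules described above: attributes of the kind exposed in the SingHealth breach may be used to look up a customer but never count as a verification factor, at least one additional factor must match, and a high-risk transaction needs a second matching factor from a different class. The factor names, the grouping into classes, the high-risk threshold and the sample customer record are all constructed assumptions for the example; biometrics are omitted because matching them is out of scope here.

```python
"""
Added example, not from the article or from MAS. Every attribute name,
threshold and sample record below is a constructed assumption.
"""
import hmac
from dataclasses import dataclass

# Attribute types the article lists as exposed in the breach. Knowing them
# proves nothing about who is calling, so they never count as a factor.
BREACHED_STATIC_PII = frozenset(
    {"name", "nric", "address", "gender", "race", "date_of_birth"}
)

# Additional factors named in the MAS statement, grouped into classes
# (assumed grouping: OTP = possession, PIN and last-transaction details = knowledge).
FACTOR_CLASS = {
    "otp": "possession",
    "pin": "knowledge",
    "last_txn_date": "knowledge",
    "last_txn_amount": "knowledge",
}

# Assumed threshold above which a transaction is treated as high-risk.
HIGH_RISK_AMOUNT_SGD = 5000


@dataclass
class CustomerRecord:
    """What the bank holds on file (constructed sample, not real data)."""
    static_pii: dict
    pin: str
    issued_otp: str
    last_txn_date: str
    last_txn_amount: str


def _factor_matches(name, supplied, record):
    """True only if the supplied additional factor matches the record."""
    if name == "otp":
        return hmac.compare_digest(str(supplied), record.issued_otp)
    if name == "pin":
        return hmac.compare_digest(str(supplied), record.pin)
    if name == "last_txn_date":
        return supplied == record.last_txn_date
    if name == "last_txn_amount":
        return supplied == record.last_txn_amount
    return False


def verify_customer(provided, record, amount_sgd=0):
    """
    provided: dict of attribute -> value supplied by the caller.
    Returns (ok, reason).
    """
    # Static PII must match the record, but matching it is not verification.
    for key in BREACHED_STATIC_PII & provided.keys():
        if provided[key] != record.static_pii.get(key):
            return False, f"static attribute {key} does not match"

    # Every additional factor that is supplied must match; collect the classes.
    matched_classes = set()
    for key, value in provided.items():
        if key not in FACTOR_CLASS:
            continue
        if not _factor_matches(key, value, record):
            return False, f"additional factor {key} failed"
        matched_classes.add(FACTOR_CLASS[key])

    if not matched_classes:
        return False, "verification relied only on breached static information"
    if amount_sgd >= HIGH_RISK_AMOUNT_SGD and len(matched_classes) < 2:
        return False, "high-risk transaction requires a second factor of a different class"
    return True, "verified"


if __name__ == "__main__":
    # Constructed record and calls; the NRIC and OTP are placeholders.
    rec = CustomerRecord({"name": "Example Customer", "nric": "S0000000X"},
                         pin="4321", issued_otp="123456",
                         last_txn_date="2018-07-20", last_txn_amount="42.50")
    print(verify_customer({"name": "Example Customer", "nric": "S0000000X"}, rec))
    print(verify_customer({"nric": "S0000000X", "otp": "123456"}, rec, amount_sgd=100))
    print(verify_customer({"nric": "S0000000X", "otp": "123456"}, rec, amount_sgd=9000))
    print(verify_customer({"nric": "S0000000X", "otp": "123456", "pin": "4321"}, rec, amount_sgd=9000))
```

The point of the structure is that static attributes are filtered out before any factor is counted, so a caller who knows only what the breach exposed can never reach "verified"; the step-up rule for large amounts mirrors the additional authorization layer the article says banks are already required to have for high-risk transactions.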
"MAS will work closely with the financial institutions to ensure that robust cyber defenses are in place so that customers can carry out online financial transactions with confidence," says Tan Yeow Seng, chief cybersecurity officer at MAS. "But customers must also play their part. They must safeguard their passwords and practice good cyber hygiene. If they suspect any fraudulent transactions in their accounts, they should notify their banks immediately."
Late last year, MAS created the Cyber Security Advisory Panel, comprising cybersecurity thought leaders from around the world. CSAP advises MAS on strategies that would be needed to enhance the cyber resilience of Singapore's financial sector. It also provides MAS with perspectives on all kinds of evolving technologies and on cyber threats, highlighting their implications for financial services.
Early last year, CSAP and MAS collaborated with the Financial Services Information Sharing and Analysis Center in the U.S. to establish the Asia Pacific Regional Intelligence and Analysis Center to encourage regional sharing and analysis of cybersecurity information and strengthen cybersecurity risk management and response (see: New APAC Center to Coordinate Threat Info Sharing).
The new regional center should help bolster the quality and timeliness of cyber threat intelligence received by financial institutions, strengthen cybersecurity risk management and response, as well as champion cybersecurity programs and initiatives in the APAC region, says Sopnendu Mohanty, chief FinTech officer at MAS.
Securing Customer Transactions
According to Forrester, 58 percent of global enterprises have experienced a breach in the past 12 months.
Some security practitioners say the first step toward protecting customer information is to restrict access to data using privileged access management. Other key steps include:
- Avoid using multifactor authentication via SMS because security can't be guaranteed;
- Embed the software development kit into customer-facing applications;
- Practice data access governance.