SINGAPORE: Consumers should switch to push notifications instead of SMS alerts for digital banking because they are safer and more secure, experts told The Straits Times.

Last Thursday (Oct 26), OCBC Bank told its customers that it will no longer use SMS as its default method to inform customers about banking activities such as payments and fund transfers. Customers will instead receive alerts through push notifications and emails.

“SMS messages traverse the telecommunications network, and then land on a customer’s mobile phone. Unfortunately, the sender labels for these messages can be easily spoofed, a vulnerability that has given rise to scams,” said Cisco’s cybersecurity strategist and adviser Vivek Gullapalli.

He added that banks have recognised this weakness, and are exploring alternative, more secure communication methods that are not reliant on SMSes.

In the case of push notifications, the content is received on a mobile app that is owned and managed by the bank, said Gullapalli. This ensures that the whole process is a closed loop, and therefore controlled and secure, offering an additional layer of security.

Emails, however, remain susceptible to phishing attacks, as bad actors may impersonate the banks to deceive customers, he noted. Despite this, emails offer a backup security measure, for when the customer’s mobile device is compromised.

Kelvin Lim, director of security engineering at Synopsys Software Integrity Group, noted that SMS protocols are based on a 30-year-old technology when the cybersecurity landscape was largely different.

“Traditional SMS messages lack encryption and are inherently insecure,” said Lim. This can result in attackers hijacking and reading the content of text messages without the user’s knowledge.

On the other hand, push notifications are encrypted and transmitted securely from the bank straight into the banking app, making it harder for hackers to intercept, said Lim. This extra layer of security will also remove the risk of customers falling prey to SMS phishing, where hackers impersonate the banks and send malicious SMSes to customers.

Lim added that the combination of push notifications and emails is a “nice combination” – as limited information can be sent via push notifications, emails are a good way to deliver non-confidential information, and an option for sending encrypted files for confidential information.

Switching from SMSes to push notifications would also help banks see potential savings, although the cost-saving aspect of the switch is secondary.

According to Gullapalli, it is only natural that investment in these channels will be amped up, given the future reliance on push notifications and emails. Implementation of such features would incur a one-time set-up cost, in addition to recurring operational expenses.

With consumers today heavily dependent on their mobile phones for everything from entertainment to payments, risk levels are significantly elevated when a mobile device is compromised, or when the authenticity of an SMS is in question, he said.

A suggested framework by the Monetary Authority of Singapore and Infocomm Media Development Authority seeks to strengthen the direct accountability of financial institutions and telcos to consumers. The Shared Responsibility Framework places duties on financial institutions and telcos, making them liable to pay if they have fallen short of these duties.

“If a customer’s credentials are detected on an unfamiliar device, it’s crucial to alert the customer to this risk. An out-of-band email communication, or even a direct phone call, can serve as an effective means to convey this essential information,” said Gullapalli, who feels that Singapore is moving towards the right direction.

“There needs to be constant collaboration between the financial institutions, Government and its people to set regulations and guidelines, improve the processes, as well as education on cyber hygiene to maintain a high level of cyber alertness.”

Besides OCBC, other banks such as DBS and UOB have also started switching to email and push notifications as their default channels of communication. – The Straits Times (Singapore)/Asia News Network