OCBC app new security feature prompts users to delete unofficial 3rd party apps, bank says no breach in privacy

The bank emphasises it does not monitor phone activities.

Hannah Martens | August 10, 2023, 07:39 PM

OCBC customers are up in arms over the new security feature on its mobile app, with many taking to the comment section of the bank's Facebook page with messages and leaving one-star reviews on the Google Playstore.

What is the new update?

On Aug. 5, OCBC launched its latest security update to the OCBC Digital app as part of its ongoing efforts against cybercrime and to protect customers' online banking experience.

This "essential security enhancement" will only allow the OCBC Digital app to work on phones whose mobile apps are only downloaded from official app stores.

Apps that come from other sources, like Android Package Kit (APK) files, "tend to have more security vulnerabilities, including being more susceptible to malware infection", said OCBC.

"If you try to access the OCBC Digital app on a device which has apps that were not downloaded from an official app store, you will see a message – warning you of one or more potentially malicious/ harmful apps on your device – pop up on your screen. Please uninstall such apps so you can continue to use the OCBC Digital app. You do not have to delete the OCBC Digital app."

Unable to log in to OCBC Digital app on their phone

Some customers discovered they could not use the OCBC Digital app on their phones after its most recent update.

One user told Mothership that they could not log in to their OCBC Digital app if any apps were not installed from Google Playstore or Apple app store.

Another informed Mothership that when they updated their OCBC mobile app on their Android phone, it showed a message that they had to uninstall the Douyin app from their phone.

They said they downloaded that app without going through an official store, such as the Google Playstore.

According to a post on Facebook group Complaint SG, apps that users found they needed to uninstall before they could use the OCBC Digital app include Douyin, Temp Mail, SD Maid, All-In-One Toolbox, aodNotify, Snaptube, and APKPure.

Screenshot via Facebook

Users are not happy with this new feature

OCBC Digital app users made their disappointment known by flooding the Google Playstore with one-star reviews for the OCBC Digital app.

Screenshot via Google Playstore

Many have also expressed their frustrations over the latest update in the comment section of OCBC's Facebook page.

Screenshot via Facebook

OCBC: Apps downloaded from official app stores not affected

On Aug. 6, 2023, OCBC put out a statement on Facebook stating they implemented a security feature on their OCBC Digital app to further safeguard their customers from malware.

"With this enhancement, we can detect any app that has been downloaded from unofficial app stores. Once these apps are detected, if you do not uninstall them, you will not be able to log in to our internet banking and/ or the OCBC Digital app."

OCBC also linked an advisory from the Singapore Police Force regarding the dangers of downloading apps from third-party sites in the comment section.

They even provided a screenshot of a particular part of the advisory.

Screenshot via Facebook

OCBC added at 5:10pm on Aug. 7 that to use the apps customers uninstalled, they would need to download them only from official app stores.

At 6:35pm, OCBC clarified that they do not "monitor customers' phone activity, nor conduct surveillance on phones".

"We would like to assure our customers that our new security feature does not collect nor store any personal data from customers. This technology detects apps that are not downloaded from official app stores only when the OCBC Digital app is opened. It does not identify the owner of the device. All it does is to alert customers to apps that could compromise the device to malware scams. We apologise for any inconvenience caused. We seek your patience as this feature is aimed to safeguard customers from malware scams."

Screenshot via Facebook

Despite the clarification, many OCBC users were still angry with the bank for having such a feature in the first place, and they let their displeasure show in the comments.

Screenshots via Facebook

MAS and the Association of Banks in Singapore support OCBC's move

In a press release on Aug. 8, 2023, the Monetary Authority of Singapore (MAS) said it "strongly supports banks' initiatives to bolster the security of digital banking".

MAS stated that it has been working closely with banks to introduce measures to address the risks associated with malware-related scams, which "an increasing number of customers have fallen prey to".

"Security measures will come with some measure of added inconvenience for customers, but they are necessary to maintain security of and confidence in digital banking. Coupled with a vigilant and discerning public, robust security measures will help us strengthen our defence against scams."

The Association of Banks in Singapore (ABS) emphasised that banks do not monitor customers' phone activity or conduct surveillance on mobile phones.

"We would like to assure all banking customers that this security feature does not collect nor store any personal data. The technology detects higher risk behaviours which are characteristic of known malware activities when the banking apps are opened. It does not identify the owner of the mobile phone," said director of ABS, Ong Ai Boon.

OCBC emphasises it does not monitor phone activities

Speaking to Mothership, OCBC's head of the anti-fraud division, Beaver Chua, emphasised that on the bank's side, they do not know what apps are flagged on users' phones.

All the checks for malware on the phone happen on the phone itself, said Chua.

"Whatever content you have [that] is on your phone... it doesn't go to us. We are just asking before you enter into the app, the app is just checking the phone for any sort of dodgy apps around. If you have, we can't let you log in."

Chua also assured that the information does not go back to the bank, and the banks do not know what apps are flagged.

The bank does not have access to users' private data on their phones, like their photos or documents, there is no surveillance capability, and it is not checking users' phones actively, he said.

"We want to stop any potential scammers from taking over the phone and trying to launch the online banking app and then utilise our app with the information [they] have gotten from the user and then emptying out the banking account."

Chua clarified that they are not stopping users simply for having downloaded apps from outside official stores such as Google Playstore, App Store, Huawei App Gallery, and OPPO Store.

The OCBC Digital app will only stop users from logging in if they have an app on their mobile phone that is not from an official app store and that app also has a risky setting known in the IT security space to cause a security problem.

Chua stressed that this security update is to protect the customers, especially the vulnerable customer who may fall victim to scams and install an app that is not from an official store.

Before OCBC rolled out the new security update, they would have at least one reported case of malware from third-party apps that led to users having their bank accounts drained. Chua stated that since the update, they have not seen any cases reported to them.

He also shared that these cases appear to affect only Android phone users.

Users can read up on the new security update on OCBC's FAQ page for more information.

Top photos via OCBC