Singapore's Ministry of Communications and Information (MCI) has announced safety recommendations for apps carrying out high-risk monetary transactions.
The new Safe App Standard, published by the Cyber Security Agency of Singapore (CSA), sets out for app developers and providers the necessary security controls and best practices to protect their applications against common malware and phishing attempts.
A recent advisory from the Singapore Police said that, since the start of this year, around 83 victims have fallen prey to a phishing scam variant in which scammers impersonate DBS bank through spoofed SMSes to phish for victims’ online banking usernames, passwords and One-Time Passwords (OTP), with total losses amounting to at least S$155,000.
The police said in most of these cases, victims would receive SMSes claiming to be from DBS bank.
The statement added that in some cases, victims would receive WhatsApp messages impersonating DBS bank security department officers who would provide forged bank statements displaying unauthorised transactions made in the victims’ e-wallets.
MCI's minister, Josephine Teo, said the standard will reduce the risk of malicious actors exploiting weaknesses in the app design and protect user data and transactions via all kinds of apps, including e-commerce.
CSA’s standards also recommend that developers build in malware detection capabilities on their apps, since this has proven to be effective in disrupting scammers’ unauthorised transactions using compromised devices, she added.
The standard focuses on four critical areas commonly targeted by threat actors. It directs developers to validate user identity (authentication) and user access rights (authorisation) within an application.
It calls for safeguarding the integrity and confidentiality of sensitive data such as personally identifiable information stored locally on the user’s device and application server when it is not actively being used or transmitted.
The guidelines also suggest additional measures like anti-tampering and anti-reversing security controls that developers can implement to counter cyber attacks.
CSA said these measures were developed by referencing established industry standards including the Open Web Application Security Project, the Payment Card Industry Data Security Standard and the European Union Agency for Network and Information Security.
It expects to update the Standard in future, given the evolving risk landscape.
New Centre
Teo said the MCI along with Singapore's Agency for Science, Technology and Research will also launch a new centre under a S$20 million research initiative to build tools to detect harmful online content such as deepfakes and non-factual claims.
The Centre for Advanced Technologies in Online Safety will be the platform for Singapore’s community of research partners, companies and practitioners to build capabilities for a safer internet, she added.
Recently, Singapore's Infocomm Media Development Authority (IMDA) also published an advisory for telcos to protect vulnerable consumers from being tricked by scammers into signing up for mobile plans at offline stores.
The advisory calls for measures to help staff identify vulnerable consumers and waive charges for those who have fallen victim to scams.
Fighting scams is a team effort
Speaking in parliament, Teo said that fighting scams is a team effort, and it is not possible for the government to do it alone.
There is a need to explore novel ways to combat scams and work with partners such as banks and telcos.
Talking about the strategy to tackle scams, Teo mentioned the work of the Anti-Scam Command under the Singapore Police Force which facilitates the tracing of funds and freezing of scammed bank accounts.
The Singaporean government implemented mandatory SMS Sender ID registration for organisations that use SMS as a channel of communication.
“Within the first three months of its implementation, SMS scam cases fell by 70 percent,” said Teo.