| | | Effective PR

Bank forces customers to compromise their own on-line security arrangements

BIScom Subsection: 
Editorial Staff

It's the old, old story: someone has what they think is a great idea then forces others to adopt it against their wishes, even when their wishes take into account their own security arrangements. This time, it's a bank and even they disclaim risks they force customers to accept. It's either a snafu in policy or a snafu in communications.

Welcome to Standard Chartered, Malaysia.

Standard Chartered, Malaysia are forcing customers to install Apps on their mobile phone. The bank says it's to increase security but what it does is this:

1. disenfranchise those who do not own or have difficulty using a smart-phone such as the elderly and partially sighted

2. force customers who, for reasons of security, decline to install or record on their mobile devices any financial or personal information.

It's not as if Standard Chartered even have faith in the installation process or the integrity of the app: as part of the compulsory sign-up process, there is the following warning:


This link brings you to a 3rd Party Website, over which Standard Chartered Bank Malaysia Berhad has no control ("3rd Party Website"). Use of the 3rd Party Website will be entirely at your own risk, and subject to the terms of the 3rd Party Website, including those relating to confidentiality, data privacy and security.

Standard Chartered Bank Malaysia Berhad makes no warranties, representations or undertakings about and does not endorse, recommend or approve the contents of the 3rd Party Website.

In addition to the terms stated in Standard Chartered Bank Malaysia Berhad's Important Legal Notices, Standard Chartered Bank Malaysia Berhad shall have no responsibility or liability in connection with the content of or the consequences of accessing the 3rd Party Website, including any virus arising from or system failure associated with the 3rd Party Website.

The third party website is Google's Play Store which, of course, is useless when following the installation links from a desktop computer.

They gush

"Quick and easy access to your bank accounts and manage your finances on the go!

Designed with enhanced functions to help you stay on top of your finances, Standard Chartered Mobile proves that banking can be done in 60 seconds!

Some of the exciting things you can do with Standard Chartered Mobile:

* Introducing ‘Welcome screen features‘ - Access Balances and Transactions without logging in
* Secure and fast access with Fingerprint (for selected phone models)
* Experience the unique and time-sensitive background design
* Ease of navigation with revamped side menu
* New "Customer Investment Profile" enables you to review your investment profile on the move
* View and keep track of your bank accounts in one place
* Transfer funds to and beyond Standard Chartered accounts
* Make online payments
* Chat with us (Priority & Premium Customers)
* SC Mobile Key - soft token solution which provides a more secure two-factor authentication with improved customer experience and without dependency with telco networks on SMS One-Time-Password (OTP) delivery. This will be required for transaction with amount above RM10,000 at current stage and subsequently implemented to the remaining functionalities which require a SMS OTP.

Download now, and experience 60 second banking in the palm of your hand.

That does indeed sound exciting, if you trust your personal information to a little box of a type that is often lost or stolen.

The fact is that the current SMS OTP system is already irritating enough but at least it only has to be used for a limited range of internet activity, allowing the management of accounts from a desktop machine for which users have far more control over both physical and techy security.

On its website, StanChart says, at one point, that the new service relates to those using the mobile banking app. If that were the case, then that's fine: the risk has already been taken by those customers.

Transaction Signing

Standard Chartered Mobile Key is integrated with your mobile banking app on your registered device. From 28th October 2018, you will need the Standard Chartered Mobile Key in order to perform sensitive online or mobile banking activities which require transaction signing, Initially, this Mobile Key will only be required for transactions exceeding RM10,000, but will also cover other transactions in the coming weeks such as:
Adding a new payee/biller
Making 1st transfer/payment to a newly added payee/biller
Making any Financial Process eXchange (FPX) transaction
Transferring funds or making payments above a pre-defined threshold, currently the value is set at RM10k for 3rd party SCB/Interbank fund transfer and RM5k for bill payment.
Increase your daily transfer limits
Placement of Fixed Deposit
Updating personal details, such as mailing address, contact number and email address.

However, whilst in internet banking from the desktop, there is a stern warning that, shortly, all payments exceeding MYR10,000 will require authentication through the new system. What that warning does not tell desktop users is that, in order to use the new system, the mobile banking app must be installed.

It is possible that it's all a communication breakdown and that someone has forgotten to turn off the warnings when customers access internet banking through the web from a non-mobile browser. But that would be an epic fail in systems design and StanChart have, usually, been good at systems design.

However, requiring customers to compromise their most simple of security protocols, i.e. don't have any financial information on a device that can be lost, stolen, have flat batteries or be broken, is really not terribly sensible, is it chaps?