Singapore's banks have been ordered to tighten customer verification procedures following the recent cyber attack at SingHealth, in which the personal information of 1.5 million individuals was illegally accessed and stolen.
Banks in Singapore are already required to put in place two-factor authentication for log-in to online banking services and additional controls for the authorisation of high-risk transactions.
But following the massive breach at SingHealth, the Monetary Authority of Singapore has told banks they should no longer rely solely on the types of personal information lifted in the breach, such as name, NRIC number, address, gender, race, and date of birth, for customer verification.
"To address any risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions, MAS has directed financial institutions to tighten their customer verification processes," says MAS in a statement. "Additional information must be used for verification before undertaking transactions for the customer. This may include, for instance, One-Time Password, PIN, biometrics, last transaction date or amount, etc."
MAS has also directed all financial institutions to conduct a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions.
"Financial institutions are to take immediate steps to mitigate any risks that might arise from the misuse of the compromised information," states the central bank. "MAS will engage financial institutions on their risk assessments and mitigation steps."