Parliamentary Replies
Published Date: 08 July 2002

Reply to PQ on Internet Banking

Date: For Parliamentary Sitting on 8 July 2002


To ask the Deputy Prime Minister and Minister for Finance (a) what steps will the Government take to enhance security of bank depositors' accounts and to prevent erosion of confidence in electronic and on-line banking in the light of several hacking incidents and (b) whether the Government will introduce harsher penalties as a deterrent to such acts.

(a) MAS has promulgated security guidelines on electronic and internet banking for the banking industry. The security standards which banks have to comply with include:

i) maintaining robust risk management controls and security practices
ii) deploying strong cryptography to protect customer data
iii) enhancing surveillance, incident response and systems recovery capabilities

As part of the audit and internal monitoring process, auditors have a duty to evaluate bank compliance with these security guidelines. MAS also maintains its own programme of onsite inspections and offsite reviews.

Banks are required to assess the risks relating to their online banking products and adopt appropriate security control measures to address and mitigate the risks involved. They are directly responsible for the safety and soundness of the services and systems they provide to their customers.

Internet banking, as with other forms of online banking, is not without risks. These risks generally relate to impersonation, stealing ID/PIN information, computer hacking, forging access to accounts and fraudulent transactions. The safety of online banking is dependent on the security systems of the bank and the precautions customers take to safeguard their User ID and PIN, as well as protecting the PCs they use. For example, customers should install firewall and anti-virus software on their PCs to block out hackers, and log off their computers when not in use.

Regarding the recent hacking incident, which affected a number of DBS customers, the Police is still carrying out its investigation.

According to DBS, which has been conducting its own internal investigation, its findings were that the bank's own internet system had not been hacked but it was the customers' PCs which had been hacked.  By accessing the customers' PCs, the hacker(s) had been able to capture the PINs and IDs of these customers. The hacker(s) then used the captured customer information to access their accounts to make fraudulent withdrawal transfers.

The Police and DBS have advised the public on certain precautionary measures to take and good security practices to adopt when conducting online banking.

(b) Penalties for hacking into bank systems are already prescribed in the Computer Misuse Act. These penalties have been designed to take account of the severity of the offence and the actual or potential damage caused.  For example, if it can be proved that a hacker broke into a "protected computer system" relating to banking and financial services, the Act provides for an enhanced maximum penalty of a $100,000 fine or 20 years' imprisonment or both.  In addition to the criminal penalties, the court may order a convicted offender to pay monetary compensation for any damage caused by the offence to the computer, system or data.

* * *