The Singapore Police Force reported that Android device users lost at least $99,800 of their Central Provident Fund (CPF) savings in June 2023 alone through malware-related scams. During the 4 July Parliament sitting, Minister for Manpower Tan See Leng said that victims had installed apps which contained malware that “allowed the scammer to take full control of the phone, steal banking and Singpass credentials stored in the phone and perform unauthorised CPF log-ins and withdrawals.”
Ordinarily, Singpass credentials — specifically the six-digit passcode — would not be stored on the phone, as users would input them from memory. Passcodes certainly should not be stored in the Singpass app itself. This prompted me to ask the Minister whether there was a vulnerability in the Singpass app and, if so, whether MOM was working with GovTech to patch it.
As it turned out, what the Minister meant was that some victims stored their Singpass credentials in a “notepad” app on their phones and this was what the malware was able to read to login via Singpass and access their CPF accounts.
This is but one way scammers can access your savings if you install apps from sources other than the Google Play Store or Apple App Store. All users can better protect themselves from such scams by following the advice in the 29 June 2023 joint statement by CPF Board, GovTech and the Police.
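The attack path described in the exchange below (a sideloaded APK that the victim is then talked into granting accessibility services) leaves a trace a defender can check for: an enabled accessibility service owned by a package that was not installed from the Play Store. The script below is an added example, not from the original post or from GovTech or CPF Board; the two inputs are constructed sample output standing in for what `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` would return on a real device.

```shell
#!/bin/sh
# Added example: flag enabled accessibility services whose owning package
# was NOT installed by the Play Store (installer com.android.vending).
# Both inputs are constructed sample data, not captured from a real phone.

# Constructed sample of `settings get secure enabled_accessibility_services`
# (entries are package/ServiceClass, separated by colons)
SAMPLE_A11Y='com.fake.shop/com.fake.shop.HelperService:com.android.talkback/com.google.android.marvin.talkback.TalkBackService'

# Constructed sample of `pm list packages -i` (installer=null means sideloaded)
SAMPLE_PKGS='package:com.fake.shop  installer=null
package:com.android.talkback  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending'

# installer_of PKG PKGLIST -> prints the installer recorded for PKG
# (prints nothing if the package is absent from the list)
installer_of() {
    printf '%s\n' "$2" | awk -v pkg="package:$1" \
        '$1 == pkg { sub(/^installer=/, "", $2); print $2; exit }'
}

# flag_sideloaded_a11y A11Y_SETTING PKGLIST
# Prints one line per package that holds an enabled accessibility service
# but was not installed from the Play Store. "null" means no service enabled.
flag_sideloaded_a11y() {
    a11y=$1; pkgs=$2
    [ "$a11y" = "null" ] && return 0
    printf '%s\n' "$a11y" | tr ':' '\n' | cut -d/ -f1 | sort -u |
    while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        inst=$(installer_of "$pkg" "$pkgs")
        [ "$inst" = "com.android.vending" ] || printf '%s\n' "$pkg"
    done
}

flag_sideloaded_a11y "$SAMPLE_A11Y" "$SAMPLE_PKGS"   # prints com.fake.shop
```

A Play-installed accessibility service such as TalkBack is expected and is not flagged; anything else that holds that capability is worth a closer look.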
This is the Parliament exchange I had with the Minister:
The Minister for Manpower (Dr Tan See Leng): Mdm Deputy Speaker, my response to this Parliamentary Question will also address the Parliamentary Question filed by Mr Zhulkarnain Abdul Rahim as a written Parliamentary Question for yesterday’s Sitting.
Since January 2023, the Police received more than 700 reports of victims having downloaded malware onto their phones, with more than $8 million worth of savings lost through unauthorised withdrawals from the victims’ bank accounts and so on. Based on the investigations thus far, nine of these cases involved unauthorised Central Provident Fund (CPF) withdrawals, amounting to a net loss of $124,000 in CPF savings. I would like to add that the ninth case did not result in loss of CPF savings. So, even though nine involved unauthorised CPF withdrawals, the ninth case itself did not result in the loss of CPF savings because the Singapore Police Force (SPF) managed to stop the transfer out from the bank account of the CPF member.
CPF monies were paid from members’ CPF accounts to their own bank accounts and then they were subsequently withdrawn from these bank accounts by the scammers.
The modus operandi of these malware-related scams has been extensively covered in an earlier joint advisory from the Police, Government Technology Agency (GovTech) and CPF Board on 29 June 2023. In gist, the victims downloaded malware-infected Android Package Kits, or APK, from unauthorised sites and they subsequently turned on accessibility services when told by the scammer to purportedly facilitate the purchase of items at a steep discount. Doing so allowed the scammer to take full control of the phone, steal banking and Singpass credentials stored in the phone and perform unauthorised CPF log-ins and withdrawals.
I urge all Singaporeans to stay vigilant. We should update our phones regularly with the latest security patches and we should only download apps from official app stores and exercise the greatest of caution when we are prompted to turn on accessibility services. These accessibility services are mainly meant to assist users with disabilities to use their devices, such as by allowing apps to read and control your screen.
As a further precaution, CPF Board and GovTech have introduced additional authentication measures since 22 June 2023 to increase the protection for CPF members. Members may be asked to perform Singpass Face Verification (SFV) or other checks when accessing CPF e-services. This provides additional security in addition to the existing two-factor Singpass authentication required for accessing CPF e-services. Members who require assistance on CPF services and the SFV can visit the CPF service centres and Singpass counters respectively. They may also call the Singpass helpdesk.
These additional safeguards may make it slightly less convenient for members to perform certain CPF e-services but I think members would agree that it is better to be safe than sorry. This is especially so in light of new threats. The Government will continue to review and monitor these threats closely and work closely alongside the banks to introduce more precautionary measures where necessary.
The Police will spare no effort in tracking down those responsible for such malware incidents and will take tough action against them. I urge anyone with information on such crimes to contact the Police immediately.
…
Mr Gerald Giam Yean Song (Aljunied): Madam, just now I heard the Minister say that the scammers were able to obtain the victims’ Singpass credentials from their phones after they managed to install the app on their phone. Is MOM working with GovTech to patch this vulnerability if it, indeed, is a vulnerability?
Dr Tan See Leng: I thank Mr Gerald Giam for his question. Perhaps, Mr Giam may not have an appreciation of the different steps that these scammers sort of would navigate to actually get the CPF members to download these apps. Today, the vulnerability appears to be in the Android phones and generally our members may have just gone online, whether it is on Facebook or some other form of social media, and come across some particular app which purportedly gives him a steep discount; a very, very good deal, in which they have to download that particular app. And once they download the app, they will, more often than not, get phone calls from someone helping them to navigate and to use the app.
And they then hand over some of the navigational options to this and turn on the accessibility services on their Android phone itself. That then exposes themselves to all these scammers to then undertake and take over their information.
So, the added precautionary measure that we have put up is that for vulnerable members, they would need an additional step of using the Singpass Face Verification. We have these identities stored, because the NRICs, the passports, we have that. Based on our records, we can then ensure that the person who is logging in and making these withdrawals actually corresponds to the actual member and not through some scam account.
So, we believe that, today, that added step, which to some members causes a lot of inconvenience, is sufficient as a precautionary measure. I hope that addresses your concern.
Mdm Deputy Speaker: Mr Gerald Giam.
Mr Gerald Giam Yean Song: To clarify, I understand the process which the scammers use to access the phone. But just now the Minister said that once the accessibility is enabled, the scammers are able to read the passwords that are stored in Singpass. Typically, these passwords should not be stored at all inside the phone. So, I just want to understand whether or not this is something that is being looked into, as to why passwords are stored inside the phone for that reason?
Dr Tan See Leng: I think there are a myriad of reasons why people store their passwords on their phones, in their notepads and so on. There are also members who write it down somewhere in a booklet and they put it at home.
I cannot tell you how members will want to store their passwords to remind themselves. But I think the added measure today, first of constantly educating our public to not download any form of innocuous-looking apps from unauthorised stores, unauthorised sites and also to not just switch on the accessibility services; and at the same time, not release details to someone who is unknown over the phone and at the same time adding on the additional security verification through the Singpass Face Verification step, I think it is sufficient for us to prevent, today, unauthorised withdrawals from the CPF account. Of course, I said that there are also parallel initiatives to deal with what happens after the money goes into the banking account.
So, there are all these measures that we are doing.
I would not want to be in a position of hubris where we say that we have got it all figured out. Because today, cybersecurity constantly evolves – scammers and hackers are getting more and more creative. So, we have to constantly work at nudging our people, working with one another to keep reminding all of our members, all of our citizens, to always be vigilant. At the same time, the Government will also constantly find new ways to step up our precaution to protect our members. I hope that gives you the reassurance.
Mdm Deputy Speaker: Senior Minister of State Janil.
The Senior Minister of State for Communications and Information and Health (Dr Janil Puthucheary): Thank you, Mdm Deputy Speaker. I raised my hand, but I think Minister Tan had already made the point. The information is being taken from other parts of the phone, not as Mr Giam had asked about. But the point has been made by Dr Tan already.
Source: Singapore Parliament Reports (Hansard)