Loss of CPF savings through malware scams

The Singapore Police Force reported that Android device users lost at least $99,800 of their Central Provident Fund (CPF) savings in June 2023 alone through malware-related scams. During the 4 July Parliament sitting, Minister for Manpower Tan See Leng said that victims had installed apps which contained malware that “allowed the scammer to take full control of the phone, steal banking and Singpass credentials stored in the phone and perform unauthorised CPF log-ins and withdrawals.”

Ordinarily, Singpass credentials — specifically the six-digit passcode — would not be stored on the phone as they would be input from memory by users. Passcodes certainly should not be stored in the Singpass app itself. This prompted me to ask the Minister if there was a vulnerability in the Singpass app, and if so, whether MOM was working with GovTech to patch it.

As it turned out, what the Minister meant was that some victims stored their Singpass credentials in a “notepad” app on their phones and this was what the malware was able to read to log in via Singpass and access their CPF accounts.

This is but one way scammers can access your savings if you choose not to install apps from Google Play Store or Apple Store. All users can better protect themselves from such scams by following the advice in the 29 June 2023 joint statement by CPF Board, GovTech and the Police.

This is the Parliament exchange I had with the Minister:

The Minister for Manpower (Dr Tan See Leng): Mdm Deputy Speaker, my response to this Parliamentary Question will also address the Parliamentary Question filed by Mr Zhulkarnain Abdul Rahim as a written Parliamentary Question for yesterday’s Sitting. 

Since January 2023, the Police received more than 700 reports of victims having downloaded malware onto their phones, with more than $8 million worth of savings lost through unauthorised withdrawals from the victims’ bank accounts and so on. Based on the investigations thus far, nine of these cases involved unauthorised Central Provident Fund (CPF) withdrawals, amounting to a net loss of $124,000 in CPF savings. I would like to add that the ninth case did not result in loss of CPF savings. So, even though nine involved unauthorised CPF withdrawals, the ninth case itself did not result in the loss of CPF savings because the Singapore Police Force (SPF) managed to stop the transfer out from the bank account of the CPF member.  

CPF monies were paid from members’ CPF accounts to their own bank accounts and then they were subsequently withdrawn from these bank accounts by the scammers.

The modus operandi of these malware-related scams has been extensively covered in an earlier joint advisory from the Police, Government Technology Agency (GovTech) and CPF Board on 29 June 2023. In gist, the victims downloaded malware-infected Android Package Kits, or APK, from unauthorised sites and they subsequently turned on accessibility services when told by the scammer to purportedly facilitate the purchase of items at a steep discount. Doing so allowed the scammer to take full control of the phone, steal banking and Singpass credentials stored in the phone and perform unauthorised CPF log-ins and withdrawals.

I urge all Singaporeans to stay vigilant. We should update our phones regularly with the latest security patches and we should only download apps from official app stores and exercise the greatest of caution when we are prompted to turn on accessibility services. These accessibility services are mainly meant to assist users with disabilities to use their devices, such as by allowing apps to read and control your screen.

As a further precaution, CPF Board and GovTech have introduced additional authentication measures since 22 June 2023 to increase the protection for CPF members. Members may be asked to perform Singpass Face Verification (SFV) or other checks when accessing CPF e-services. This provides additional security in addition to the existing two-factor Singpass authentication required for accessing CPF e-services. Members who require assistance on CPF services and the SFV can visit the CPF service centres and Singpass counters respectively. They may also call the Singpass helpdesk.

These additional safeguards may make it slightly less convenient for members to perform certain CPF e-services but I think members would agree that it is better to be safe than sorry. This is especially so in light of new threats. The Government will continue to review and monitor these threats closely and work closely alongside the banks to introduce more precautionary measures where necessary.

The Police will spare no effort in tracking down those responsible for such malware incidents and will take tough action against them. I urge anyone with information on such crimes to contact the Police immediately.

Mr Gerald Giam Yean Song (Aljunied): Madam, just now I heard the Minister say that the scammers were able to obtain the victims’ Singpass credentials from their phones after they managed to install the app on their phone. Is MOM working with GovTech to patch this vulnerability if it, indeed, is a vulnerability? 

Dr Tan See Leng: I thank Mr Gerald Giam for his question. Perhaps, Mr Giam may not have an appreciation of the different steps that these scammers sort of would navigate to actually get the CPF members to download these apps. Today, the vulnerability appears to be in the Android phones and generally our members may have just gone online, whether it is on Facebook or some other form of social media, and come across some particular app which purportedly gives him a steep discount; a very, very good deal, in which they have to download that particular app. And once they download the app, they will, more often than not, get phone calls from someone helping them to navigate and to use the app.

And they then hand over some of the navigational options to this and turn on the accessibility services on their Android phone itself. That then exposes themselves to all these scammers to then undertake and take over their information.

So, the added precautionary measure that we have put up is that for vulnerable members, they would need an additional step of using the Singpass Face Verification. We have these identities stored, because the NRICs, the passports, we have that. Based on our records, we can then ensure that the person who is logging in and making these withdrawals actually corresponds to the actual member and not through some scam account.

So, we believe that, today, that added step, which to some members cause a lot of inconvenience, is sufficient as a precautionary measure. I hope that addresses your concern. 

Mdm Deputy Speaker: Mr Gerald Giam.

Mr Gerald Giam Yean Song: To clarify, I understand the process in which the scammers use to access the phone. But just now the Minister said that once the accessibility is enabled, the scammers are able to read the passwords that are stored in Singpass. Typically, these passwords should not be stored at all inside the phone. So, I just want to understand whether or not this is something that is being looked into, as to why is it that passwords are stored inside the phone for that reason? 

Dr Tan See Leng: I think there are a myriad of reasons why people store their passwords on their phones, in their notepads and so on. There are also members who write it down somewhere in a booklet and they put it at home.

I cannot tell you how members will want to store their passwords to remind themselves. But I think the added measure today, first of constantly educating our public to not download any form of innocuous-looking apps from unauthorised stores, unauthorised sites and also to not just switch on the accessibility services; and at the same time, not release details to someone who is unknown over the phone and at the same time adding on the additional security verification through the Singpass Face Verification step, I think it is sufficient for us to prevent, today, unauthorised withdrawals from the CPF account. Of course, I said that there are also parallel initiatives to deal with what happens after the money goes into the banking account.

So, there are all these measures that we are doing. 

I would not want to be in a position of hubris where we say that we have got it all figured out. Because today, cybersecurity constantly evolves – scammers and hackers are getting more and more creative. So, we have to constantly work at nudging our people, working with one another to keep reminding all of our members, all of our citizens, to always be vigilant. At the same time, the Government will also constantly find new ways to step up our precaution to protect our members. I hope that gives you the reassurance. 

Mdm Deputy Speaker: Senior Minister of State Janil. 

The Senior Minister of State for Communications and Information and Health (Dr Janil Puthucheary): Thank you, Mdm Deputy Speaker. I raised my hand, but I think Minister Tan had already made the point. The information is being taken from other parts of the phone, not as Mr Giam had asked about. But the point has been made by Dr Tan already.

Source: Singapore Parliament Reports (Hansard)

Safeguards against scams involving CPF monies

Scams against senior citizens have become worryingly common these days. With many seniors able to withdraw large amounts of money from their CPF accounts once they reach 55, this group may be a prime target for scammers. I therefore asked a Parliamentary question on 9 May 2022 whether CPF Board imposes any daily withdrawal limits or enhanced scrutiny for extraordinarily large withdrawals of CPF funds to safeguard against scams. The Minister’s answer is below:

DAILY WITHDRAWAL LIMITS FOR CPF FUNDS AND SAFEGUARDS IN PLACE AGAINST SCAMS INVOLVING EXTRAORDINARILY LARGE SUMS

Mr Gerald Giam Yean Song asked the Minister for Manpower (a) whether the CPF Board imposes any daily withdrawal limits for CPF funds that members are eligible to withdraw; and (b) whether the CPF Board has a threshold beyond which extraordinarily large withdrawal sums are subject to enhanced scrutiny to safeguard against scams.

Dr Tan See Leng: CPF Board takes a serious view towards safeguarding members against scams. At the same time, the CPF Board recognises that we should not unnecessarily inconvenience members for the vast majority of transactions that are legitimate. This is why we do not impose any daily withdrawal limits or thresholds. However, CPF Board will only pay to a member’s bank account after verification that the bank account belongs to the member.

CPF Board has put in place several measures to give members a greater peace of mind against illegitimate transactions. First, before any CPF withdrawals are authorised, CPF Board authenticates the identity of the person making the withdrawal request to ensure he or she is the owner of the CPF accounts involved. This is done by verifying against the member’s identification card for face-to-face requests or through the use of Singpass two-factor authentication for online requests.

Second, CPF members receive a notification via email or SMS for any withdrawal of CPF monies from their accounts. Members are encouraged to update their latest mobile number or email address via the CPF website by logging in with their Singpass so they do not miss out on such notifications. 

Third, CPF Board verifies that a bank account indeed belongs to the member before making any payment.  

CPF Board’s safeguards are in line with existing practices in the financial industry such that banks do not impose limits for transactions between verified accounts held by the same person within the same bank. As outlined in Minister Lawrence’s Ministerial Statement in February 2022, Monetary Authority of Singapore (MAS) and the banks are looking to introduce further measures for significant changes to their accounts such as fund transfers that are large relative to their overall balances. CPF Board will review these safeguards regularly to ensure that they are effective and align with industry practices, where applicable.

Citizen vigilance is imperative in the fight against scams. Members should take necessary precautions to guard against potential scams when they receive unsolicited calls and refrain from giving away their Singpass or internet banking credentials. CPF Board staff are also trained to assist members to respond to scam cases. When in doubt, always verify the authenticity of the information with CPF Board through multiple online and offline channels. 

Source: Parliament Hansard

Retirement adequacy and low take-up rate of Lease Buyback Scheme

Parliamentary Question on 8 October 2014

LINK BETWEEN RETIREMENT PROVISION ADEQUACY AND LOW TAKE-UP RATE FOR LEASE BUYBACK SCHEME

Mr Gerald Giam Yean Song asked the Minister for Manpower whether there is any evidence to support the Ministry’s view that the low take-up rate for the Lease Buyback Scheme among eligible home owners may be a positive sign that most seniors have other forms of support and are adequately provided for in retirement, as opposed to any shortcomings in the design of the scheme, lack of awareness of the scheme or other reasons.

Mr Tan Chuan-Jin: Most seniors have various sources of financial support in retirement. Based on the findings of the latest Household Expenditure Survey, a retiree household in 2012/2013 received $1,740 of non-work income on average a month. The sources of income include monthly payouts from CPF, contributions from family members, rental income and investment income. Results from the National Survey of Senior Citizens 2011 also indicated that about two-thirds of senior citizens received income transfers from their children.

Many of our seniors today also have savings in their housing assets which have appreciated significantly. A typical retiree household who owns a three-room or a four-room flat has $300,000 or $400,000 worth of net equity in the flat respectively. The Government has introduced schemes such as the Lease Buyback Scheme (LBS) to provide Singaporeans with additional options for unlocking the savings in their flats to supplement their retirement income if they wish to do so. Seniors who have other forms of financial support might not see the need to take up LBS, or they may choose to move to a small flat or rent out rooms in their flats instead. One in 10 elderly households aged 55 and above sublet a room or the whole flat. These are alternative monetisation options for those who prefer to bequeath their flats to their children.

There is ongoing interest and enquiries about the housing monetisation schemes which indicate awareness of these options, but not all enquiries translate to actual applications. Nonetheless, the Government will continue to study ways to improve the range and features of housing monetisation schemes to ensure that they meet the needs of our seniors while providing flexibility to suit different preferences. MND and HDB recently announced enhancements to the LBS, which include extending LBS to 4-room HDB flats, relaxing the top-up requirement to the CPF for households with two or more lessees, and having the flexibility to choose the amount of lease to retain. These enhancements were made in response to feedback on the LBS. We will continue to take in feedback for future reviews.

———-

Source: Singapore Parliament Reports

Govt should take on more risk on behalf of citizens

During the debate in Parliament on 27 May 2014 on the President’s address, I made a speech in which I criticised the Government for not taking on sufficient risks on behalf of the people, but had instead passed many risks to them. I cited the increasing of the CPF Minimum Sum, the raising of the CPF drawdown age, and the high capital adequacy ratio of the MediShield insurance scheme as examples.

PAP MP Janil Puthucheary took issue with my remark that MediShield was “collecting a lot more in premiums than it is paying out in claims”. He suggested — without mentioning me by name — that this was an example of “intellectual dishonesty” and “sound-bite politics”, paraphrasing what I said as, “Medical insurance premiums are higher than the pay-outs”.

He left out my phrase “a lot more”, which gave the impression that I thought MediShield should be making a loss by collecting less in premiums than it pays out in claims. I immediately clarified that “I never said or suggested that health insurance pay-outs should be more than the premiums collected. But for a social health insurance scheme which is what MediShield Life should be, the premiums collected do not need to be so much more.”

In any case, these are not simply sound-bites, but facts. Between 2001 and 2013, based on CPF Board Annual Reports, MediShield collected $3.704 billion in premiums but paid out $2.190 billion in claims — a difference of $1.514 billion. I leave it to Singaporeans to assess whether or not they consider $1.5 billion to be “a lot more” in premiums than pay-outs.

Dr Puthucheary also questioned the validity of my comparison between MediShield and Obamacare, the US Affordable Care Act, which requires all Americans to buy health insurance and mandates commercial insurers to take on more risks on behalf of their policyholders. He said that “we are talking about a public social insurance and he is comparing it with a private, for-profit environment in the United States”.

In fact, Obamacare served to illustrate my point that even profit-oriented health insurers in the US are required to take on more risks on behalf of their policyholders than our MediShield, which is a social health insurance scheme. I pointed out that Obamacare mandates a loss ratio of at least 80-85%, and that insurers who do not meet this minimum must now issue rebates to policyholders. (Loss ratio = [claims paid-out] / [premiums collected] x 100%. The higher the loss ratio, the more risk on the insurer.)

MediShield’s loss ratio between 2001 and 2012 had been, on average over this period, 63% (59% if year 2013 is included). It dropped from 75% in 2012 to a historical low of 43% in 2013. The latter figure was revealed in the latest CPF Annual Report released on 6 June (after the Parliament sitting). It is likely due to the higher premiums collected as a result of the premium hike last year.

On his last point, about what if the “supposition that we could increase pay-outs is wrong”, he cited a “worst case scenario is that our public healthcare financing becomes insolvent and we are unable to support the healthcare needs of a generation possibly.”

Increasing the loss ratio to 80-85% is not going to make public healthcare financing “insolvent”. That is clearly a hyperbole (an accusation he made about me). But more importantly, wouldn’t it be better for a government to take on more risks, so as to prevent individual citizens from suffering financial ruin due to high healthcare costs?

The PAP MP’s argument that it is okay for the Government to “save more” (by collecting more premiums than necessary) but disastrous for it to pay out more, proved the central point in my speech: That the Government is reluctant to take on more risks on behalf of Singaporeans.

The MediShield Life Review Committee is expected to submit its full report to the Government this week. I hope the Committee can prove me wrong, and that the Government will show that it is willing to take on significantly more risks on behalf of its citizens. If not, this will certainly not be the last time I will be raising this issue.

This is the transcript of the full exchange in Parliament:

——————————-

Mdm Speaker: Mr Gerald Giam.

Mr Gerald Giam Yean Song: Thank you, Madam, I just want to clarify a point that Dr Janil said in his speech earlier on. I never said or suggested that health insurance pay-outs should be more than the premiums collected. But for a social health insurance scheme which is what MediShield Life should be, the premiums collected do not need to be so much more.

As a point of comparison, the US Affordable Care Act, the new ObamaCare, mandates a minimum loss ratio of between 80% and 85%. Ours is, on average, 63% over the last 11 years, and it was 75% in 2012. So, the US Affordable Care Act mandates that the minimum loss ratio should be between 80% and 85% and that insurers who do not spend 80-85% of their premiums in healthcare costs must now issue rebates to consumers. And these are all commercial insurers. These are not social health insurers.

Mdm Speaker: Dr Puthucheary.

Dr Janil Puthucheary: Thank you, Madam. Mr Giam brings up some very good points. And if I could take them in reverse order. Firstly, we are talking about a public social insurance and he is comparing it with a private, for-profit environment in the United States. So I do not think his comparison is valid.

Secondly, I am loath to use the United States as the be-all and end-all for a model of where our healthcare system should evolve to. Even the policy-makers and office holders in the United States would readily admit that the short-term electoral outlook significantly constrains their ability to take a long-term strategic vision for the healthcare system of their nation.

But lastly, I would like to make one point, which is that what if he is wrong? What if Mr Giam’s supposition that we could increase pay-outs is wrong? And we should compare that to what if the current situation is the wrong decision? If the current situation where, as he puts it, the pay-outs are far less than the premiums collected, that is the wrong decision. We save a little bit too much. If he is wrong, and we pay out more, if we pay out more and he is wrong, what is the worst case scenario? The worst case scenario is that our public healthcare financing becomes insolvent and we are unable to support the healthcare needs of a generation possibly.

This has happened in many other countries. The intellectually honest thing to do is to compare risks versus risks, benefits versus benefits, and worst-case scenarios against worst-case scenarios – not to cherry-pick the benefits of your proposal against the potential risks of the proposal in front of you. Thank you, Madam, for your indulgence.

Mr Gerald Giam Yean Song: Madam, I am glad he made that clarification. In fact, I cited ObamaCare precisely because of the US health system and the trouble that it is in today, and the fact that it is a commercial insurance scheme rather than a social insurance scheme. In fact, a social insurance scheme should have a much higher loss ratio than a commercial insurance scheme because commercial insurance wants to make money, whereas the Government is not in the business of making money. In fact, MediShield is supposed to be a not-for-profit insurance scheme.

Secondly, he asked about the grave scenario if pay-outs become more than the premiums collected. Now, in the case of medical insurance, it is relatively easy to be able to project what are the likely pay-outs to be and compared to, let us, say, earthquake insurance or something that has a much lower frequency compared to health insurance, where you are able to see the trend and the cost of medical expenses over the years and be able to project what the pay-outs should be.

So, the question is: if it comes to the point where, because of the miscalculations, we aim for a 90% or 80% medical loss ratio but, for some reason, there is SARS that year or something like that happens, then we have a situation where the Government would have to step in to subsidise a bit more of the cost and the premiums can rise behind the increase in cost, not before you know that the costs are going to increase, then you raise the premiums.

Mdm Speaker: Dr Puthucheary.

Dr Janil Puthucheary: Madam, because we are talking about a social public good, it is therefore incumbent that we take a longer term, prudent approach, past one electoral cycle. I am glad that Mr Giam feels that medical expenditure is predictable. I and my professional colleagues would completely disagree. There is a lot of uncertainty about how costs will rise.

Myself and my brothers and sisters in the healthcare profession are part of that problem because we keep researching and coming up with all kinds of ways to spend the Health Minister’s money. Lastly, the example of SARS is a great example. It is precisely because of the prudent, conservative, risk-averse approach that we take on a day-to-day basis that when something like SARS comes along, the Government is able to step in and do what needs to be done.

Mdm Speaker: Minister Gan Kim Yong.

——————————–

Source: Singapore Parliament Reports (Hansard)

The necessary privileges of citizenship

I was invited to be a studio guest on Channel NewsAsia’s BlogTV on 27 August 2009. This was my second time on the show. The topic for this discussion was titled, “We want more… privileges!”

This article first appeared in Hammersphere.
