Online Banking security practices

Security Advisory:


  1. Do not entertain calls on any outstanding credit card/personal loan or incoming fund transfer from Bank Negara Malaysia.
  2. Do not entertain calls/emails from any banks asking you to update your account number for Lembaga Hasil Dalam Negeri (LHDN) tax refund.
  3. Do not reveal your account information, login ID, password and OTP to a 3rd party. If in doubt, always call the official OCBC contact number listed on our website.
  4. Beware of phishing and malware. Do not click on any links provided in email, SMS, messaging apps or social media.
  5. Set your anti-virus/anti-malware software on auto-update and scan your device regularly. Regularly update your internet browser and your OCBC mobile app to stay protected.
  6. Change your Internet browser security settings to support TLS 1.2 for an uninterrupted OCBC Internet Banking experience.


Learn more about Malware and Online Banking security


Alert on Mobile Malware

Malware targeting mobile phones (especially Android phones) has been on the rise. Such malware can infect your mobile phone when you click on hyperlinks or attachments in emails or mobile messages (e.g. SMS, WhatsApp) from unknown sources, or when you download mobile apps from untrusted app stores (other than Google Play store or Apple App Store).

Once your mobile phone is infected with mobile malware, the malware will prompt for excessive or unusual permissions to be granted in order to obtain privileged access rights to your phone. If you grant such permissions, the malware can take control of your mobile phone and perform actions such as stealing or intercepting your SMS messages, or showing fake overlay login screens on top of the Bank's website/mobile app to ask for your banking login credentials or credit/debit card information.

Examples

Overlay screens caused by mobile malware that asked for login credentials

What is malware? How does it affect my online banking?

Malware targets customers' computers/mobile devices to steal their login credentials, for example your Online Banking Login ID, Password and One-Time-Password (OTP).

Your computer/mobile device can be infected by malware when you click on email attachments or hyperlinks from unknown sources. Computers which are not well protected by anti-virus software are vulnerable to malware infection.

Malware redirects you to a fake webpage that looks similar to the Bank's login page. It may prompt you to enter your Password or an OTP from your hardware token, and then try to access your account to create fraudulent transactions for your approval.

How do I know if my computer/mobile device is compromised by malware?

Watch out for these warning signs:

  • The URL showing on the login page is different from the official OCBC Online Banking website which is https://internet.ocbc.com.my/internet-banking/
  • OCBC Online Banking login screen looks different. The legitimate OCBC login is done in two separate screens - First Screen: Enter Login ID & Password, Second Screen: Enter One-Time-Password (OTP)
  • Prompted repeatedly for Password or OTP even though you have entered the login credentials correctly
  • A delayed pop-up screen that says the system is not available and repeatedly asks you to enter an OTP or use your hardware token to generate an OTP
  • Prompted to authorise transactions which you have not initiated using OTP generated through your hardware token. For example: While trying to log in, you are prompted to enter a 6-digit number shown on your computer screen into your hardware token. Then you are asked to press the "Sign" button on the token and key in the OTP generated from the hardware token into the computer screen.
  • Your Password is visible when you type in the Password field - it should be masked
  • You receive SMS messages on OTP or transactions which you did not initiate
  • A redirection to a third-party website, which may feature a hotline number or an unsolicited request
  • You receive a call purportedly from an OCBC staff member asking you to verbally reveal your Online Banking Login ID, Password, OTP or hardware token details (Note: OCBC Bank will never ask a customer to reveal his Password or OTP)

Mobile Device Behaviour

  • Bad Battery Life: Whether malware is hiding in plain sight, pretending to be a regular application, or trying to stay hidden from the user, abnormal battery drainage can often give away the presence of an infection. This could be due to malware utilising the system resources to perform its actions (e.g., communicating with a command and control server) in the background.
  • Dropped Calls and Disruptions: Mobile malware can affect outgoing and incoming calls. Dropped calls or strange disruptions during a conversation could be the interference of mobile malware. Call your service provider to determine if the dropped calls are its fault. If it’s not, it is possible that someone or something is trying to eavesdrop on conversations or perform other suspicious activities.
  • Unusual Phone/Data Bills: Android malware often infects devices and starts sending SMS text messages to premium-rate numbers. Some malware may send an SMS message just once a month to avoid suspicion, or may uninstall itself after punching a serious hole in your budget. Malware can also smuggle data from your device to a third party. Significant changes in your download or upload patterns could be a sign that someone or something has control over your device.
  • Clogged Performance: Malware infestation may cause serious performance problems as it tries to read, write or broadcast data from your smartphone. Checking RAM (Random Access Memory) use or CPU load could reveal the presence of malware that's actively running on the device.
  • Suspicious Applications: If you notice an unusual change in the look-and-feel of your smartphone (such as new icons or applications), malware may have infected your phone.

What should I do if I think my computer/mobile device has been compromised?

  • Take a screenshot or picture of the suspicious screen
  • Cancel any suspicious-looking transaction, log out of the Online Banking session and close the browser
  • Do not enter your Online Banking Login ID, Password or One-Time-Password (OTP) and do not attempt to log in again
  • Inform the Bank immediately by calling us at 03-8317 5000

What can I do to protect myself?

  • Install and maintain the latest anti-virus software on your computer/mobile devices
  • Do not click on email attachments or hyperlinks from unknown sources
  • Make sure the OCBC Online Banking login page is https://internet.ocbc.com.my/internet-banking/
  • Do not share your Online Banking Login ID, Password, One-Time-Password (OTP) or hardware token details with anyone
  • Look for the SSL-encrypted connection, indicated by https:// or a padlock, and check for OCBC Bank's name in its digital certificate.
  • Update us on your latest mobile number to receive One-time Password (OTP) and register for SMS alerts
  • Adopt the recommended security practices. Learn more on safeguarding your internet banking access.
  • Do not "root" or "jailbreak" the smartphone, as this could compromise smartphone security.
  • Only install applications from trusted sources such as "Google Play", or other reputable app stores, and avoid downloading pirated applications from unauthorised/illegitimate app stores, or random download locations on the internet as the latter could be laced with malware

The screenshots below are samples of how consumers were prompted to perform "application updates", which resulted in their smartphones being infected by the malware.

  • If you notice any unusual activities, please log off immediately and call us at 03-8317 5000
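
The advice above to compare the login page address with https://internet.ocbc.com.my/internet-banking/ can be applied mechanically. The following is an added Python example, not OCBC's own code; `check_login_url` is a hypothetical helper name and the sample URLs are constructed. It compares the parsed scheme, host, port and path rather than looking for the bank's name somewhere in the address, which is how lookalike addresses pass a casual glance.

```python
from urllib.parse import urlsplit

# Official login URL exactly as stated on this page.
OFFICIAL_LOGIN_URL = "https://internet.ocbc.com.my/internet-banking/"
_OFFICIAL = urlsplit(OFFICIAL_LOGIN_URL)


def check_login_url(url: str) -> list[str]:
    """Return the reasons a URL does not match the official login page.

    An empty list means scheme, host, port and raw path prefix all match.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["URL cannot be parsed"]
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None or parts.password is not None:
        # In "https://bank@other.host/", the real host is what follows '@'.
        problems.append("text before '@' is not the host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("internationalised hostname (possible lookalike letters)")
    if host != _OFFICIAL.hostname:
        problems.append(f"host is {host!r}, not {_OFFICIAL.hostname!r}")
    if port not in (None, 443):
        problems.append(f"unexpected port {port}")
    if not parts.path.startswith(_OFFICIAL.path):
        problems.append("path is outside /internet-banking/")
    return problems


if __name__ == "__main__":
    # Constructed sample addresses; example.test is a reserved test domain.
    samples = [
        OFFICIAL_LOGIN_URL,
        "http://internet.ocbc.com.my/internet-banking/",
        "https://internet.ocbc.com.my.login.example.test/internet-banking/",
        "https://internet.ocbc.com.my@login.example.test/internet-banking/",
        "https://internet.ocbc.com.my:8443/internet-banking/",
    ]
    for s in samples:
        print(s, "->", check_login_url(s) or "matches official login URL")
```

A matching address only confirms where the browser is pointed; the padlock and the bank's name in the certificate still need to be checked as described above.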

Is OCBC Online Banking service secure?

Yes, we would like to assure you that OCBC Online Banking service is secure. All of our banking systems are integrated with the most advanced security technologies available today.

We advise you to stay vigilant and take the necessary precautions. You play a part to protect yourself from online fraud by adopting the recommended security practices.

Terms and conditions for Electronic Banking Services apply.