SINGAPORE: Malware scammers not only empty victims’ bank accounts, they are also able to take up credit card and personal loans through a victim’s compromised banking app.
In malware scams, victims are typically tricked into downloading an app from non-official app stores that will allow the hacker to spy on their activities and take control of the device.
Hackers used such malware to drain more than S$10 million (RM34.5 million) from compromised bank accounts in the first half of 2023, involving more than 750 cases, according to mid-year scam statistics provided by the police.
But now, they are also taking out bank loans to get access to more cash.
Between January and August, at least 30 victims were saddled with loans in the form of credit card cash advances, with the money transferred out of their accounts, the police told The Sunday Times.
ST tested the apps of three major retail banks in Singapore – DBS, OCBC and UOB – to compare the loan process.
DBS/POSB
Tests by ST found that users can apply for a credit card personal loan within seconds on DBS Bank’s digibank app.
Once logged in to the app, users can apply for a loan by tapping the “personal loan” button.
Without requiring any additional verification, the app springs up a pop-up showing the maximum amount the user is permitted to borrow, indicating to the user how much cash can be withdrawn.
The user is required to enter the loan amount, which credit card the loan is attached to and the loan tenor.
The money can be disbursed to any of the user’s accounts.
At no point during the loan application did the app ask for any additional verification, such as via national authentication system Singpass, security questions, one-time passwords or other details like the user’s address.
Checks by ST showed that this process is identical for accounts into which a user’s salary is credited.
Within a minute of sending the loan application, $500 in cash was disbursed to this writer’s account.
OCBC and UOB
Applying for a loan on OCBC’s and UOB’s digital banking apps took more steps than on DBS’ app.
OCBC’s ExtraCash Loan allows users to get up to six times their monthly income, but will offer instant approval and disbursement of the money only when applied for via Singpass.
Users are required to provide details including their signature, job and educational background, and residential information before they can enter the amount they wish to borrow.
As a final step, users need to provide their income details by uploading their income documents or retrieving them via Singpass’ Myinfo, which stores and autofills citizens’ personal details.
It is a similar process for UOB, which requires users to apply via Myinfo in order for a loan to be processed.
In an interview with ST, Mr Chris Roeckl, chief product officer of Appdome, a mobile cyber-security firm that works with financial institutions globally, said that banking apps can introduce more steps as “challenges” to deter fraudsters.
They should ask for information that a hacker is unlikely to know, like a secret password or the user’s birth date.
Mr Roeckl said: “If there is something potentially suspicious, create a ‘cooling period’ that holds the transaction. It could be a pop-up screen that says we need to process this for an extra amount of time, or ask for more data from the user in order to, say, complete a loan.” - The Straits Times/ANN