Secured Mobile Payments
Enhancing the user experience and security of mobile transfers and payments
CLIENT & DURATION
Oversea-Chinese Banking Corporation (OCBC Bank)
Aug 2022 – Dec 2023
ROLE
Manager, Experience Design
OCBC Bank
UX Design, User Interface Design, User Testing
CONTEXT
OCBC Bank, a leading financial services group in Southeast Asia, faced phishing scams that required urgent security upgrades. This project aims to implement security features to prevent scams and protect customers.
IMPACT
A series of anti-fraud measures has protected customers from various scams, preventing more than $12 million SGD in losses since inception.
Surge in phishing scams involving OCBC
Affecting hundreds of customers and costing millions of dollars
Urgent need to enhance our security measures
Identify gaps to protect customer assets and achieve business objectives.
Bring stakeholders together to align on limitations, must-haves, and necessary actions.
Solve design problems and create basic wireframes for assessment
Create hi-fidelity prototypes with proposed content structure and flow
A wave of phishing attacks targeting OCBC in December 2021, followed by advanced scams like malware and e-commerce fraud, prompted an urgent race to implement enhanced security features to protect customers' assets.
As the design was being finalized, I identified key challenges that needed to be addressed to ensure the revamp's success. The solution was carefully crafted with these considerations in mind.
1. With every minute wasted, scammers could exploit vulnerable customers, so I prioritized essential features to implement immediately and phased out non-essentials for later.
2. User research showed that while customers expect seamless transfers, security enhancements require adding friction to ensure safety, so it was crucial to balance effective checks without overwhelming users.
Alignment
I gathered stakeholders, from business, legal, technical, and data analysts to agree on constraints, essentials, and required steps.
The intended strategy can be divided into three categories:
Detect fraud with data
System-based measures like AI and data analytics can help monitor and detect fraudulent transactions.
Verify customer identity
Verify that the consumer is the one completing the transaction.
Timely intervention
Delaying immediate transactions can allow time for intervention when necessary.
I mapped out user journeys of frequently done tasks after analyzing research results to determine customer pain points and opportunity statements. From there, I came up with ideas.
Reframing the ask
Given the complexity of this flow, I aligned stakeholders by mapping the pre, during, and post-fraud monitoring stages to ensure logic, address gaps, and assess impacts on front and back staff.
Alongside basic wireframes, this flowchart served as the shared "source of truth" across teams, clarifying what could be implemented immediately versus deferred to phase 2.
Fig: Customer flows for pre, during, and post-fraud monitoring
I identified the need to refine customer communication—reassuring users when transactions fail without alarming them or tipping off potential fraudsters.
To address this, I mapped a "What goes on" flow to surface questions for business, legal and editorial teams, ensuring clarity, consistency, and compliance.
Fig: "What goes on" flow
Fraud management measures were implemented at various stages of payment transactions—focusing on pre-transaction deterrence, during-transaction verification, and post-transaction detection to safeguard assets.
PRE-TRANSACTION
Personalised tools to make informed decisions
Cooling periods are implemented for adding payees or increasing transaction limits, deterring fraud by delaying immediate transactions and allowing time for intervention when necessary.
Fig: Increase of transaction limit takes effect after 12 hours
PRE-TRANSACTION
Reducing minimum transfer limits
Reduced default daily transfer limits for various types, with adjustable settings for customers. Notifications are now triggered for transfers starting from S$0.01.
Fig: Customers can adjust the transaction limits
DURING-TRANSACTION
Strengthening security with email authentication
With SMS compromised, email authentication was introduced, offering better security as sender verification and spam filters block most phishing attempts, ensuring only authenticated emails reach recipients.
Fig: Customers must authenticate via email to complete transaction
POST-TRANSACTION
Smart algorithms conduct backend checks before transaction approval
Algorithms and data analytics flag suspicious transactions, like those involving blacklisted accounts or duplicate transfers, for review. The bank confirms these transactions with customers via call before processing.
Fig: Suspicious transactions will be flagged for further review
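The cooling period and backend checks described above can be sketched as follows. This is an added illustration, not OCBC's implementation: the 12-hour delay comes from the page, while the class and function names, the 10-minute duplicate window, the immediate handling of limit decreases and the sample payee IDs are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

COOLING_PERIOD = timedelta(hours=12)      # from the page: increase takes effect after 12 hours
DUPLICATE_WINDOW = timedelta(minutes=10)  # assumption: the page does not give a window


@dataclass
class Account:
    daily_limit_cents: int
    pending_limit_cents: Optional[int] = None
    pending_since: Optional[datetime] = None

    def request_limit_change(self, new_limit_cents: int, now: datetime) -> None:
        # Assumption: lowering a limit is safe and applies at once;
        # raising it starts the cooling period instead.
        if new_limit_cents <= self.daily_limit_cents:
            self.daily_limit_cents = new_limit_cents
            self.pending_limit_cents = self.pending_since = None
        else:
            self.pending_limit_cents, self.pending_since = new_limit_cents, now

    def effective_limit(self, now: datetime) -> int:
        # A pending increase only counts once the cooling period has elapsed.
        if self.pending_since is not None and now - self.pending_since >= COOLING_PERIOD:
            return self.pending_limit_cents
        return self.daily_limit_cents


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int
    at: datetime


def review_transfer(account: Account, transfer: Transfer,
                    history: List[Transfer], blacklist: Set[str]) -> List[str]:
    """Return the reasons to hold a transfer for manual review (empty = proceed)."""
    reasons = []
    if transfer.amount_cents > account.effective_limit(transfer.at):
        reasons.append("over_limit")
    if transfer.payee in blacklist:
        reasons.append("blacklisted_payee")
    # Duplicate: same payee and amount seen again within the window.
    if any(h.payee == transfer.payee and h.amount_cents == transfer.amount_cents
           and timedelta(0) <= transfer.at - h.at <= DUPLICATE_WINDOW for h in history):
        reasons.append("duplicate_transfer")
    return reasons
```

A non-empty result corresponds to the "flagged for review" state, where the bank confirms with the customer by call before processing.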
Usability Testing
I tested the product at various phases, but due to the urgent implementation, testing was more limited compared to other projects.
Testing was conducted across end-to-end payment flows to ensure a realistic representation.
• Low-fidelity prototypes were tested with stakeholders to gather feedback on the flow and content when a transaction is flagged as suspicious.
• High-fidelity prototypes were tested with customers for two-factor authentication and suspicious transaction scenarios to gauge sentiment, verify usability, and ensure the language is clear and appropriate.
Fig: Artefacts from customer interviews
Launched in December 2021, with new features added continuously while gathering customer feedback through app stores or surveys.
Prevented more than S$12 million in losses through anti-fraud measures, safeguarding customers from various scams since inception.
Navigating temporary unideal trade-offs
Given the surge in phishing scams involving OCBC Bank in 2022, the team promptly enacted measures, potentially compromising user experience to safeguard assets. Looking to 2024, reevaluating these trade-offs is essential given evolving customer behaviour, prompting a reconsideration of whether to enhance or relax certain measures.
Always listen to your users
Concurrently, the bank also rolled out the OCBC Digital Silvers Programme as part of an attempt to help the silver segment learn how to bank and pay digitally, and to stay safe from scams while doing so. Through it, I volunteered on weekends as a digital ambassador to teach elders digital banking skills. It was eye-opening to learn how elders struggle with issues ranging from dynamic fonts to difficulty accessing account documents. I wasn’t just teaching them; they also taught me to be open to learning the frictions that users might face.