Singapore banks told to phase out SMS OTP as sole factor of authenticating high-risk transactions
"The Monetary Authority of Singapore has required banks to phase out SMS OTP as a sole factor to authenticate high-risk transactions," said Senior Minister Tharman Shanmugaratnam in a recent parliamentary reply.

SINGAPORE — In a written reply to oral questions not answered by the end of parliament's question time on Thursday (6 Jul), Senior Minister Tharman Shanmugaratnam, standing in for the Prime Minister, responded to concerns over fraudulent bank transactions. The queries were raised by Mr Gerald Giam Yean Song, Workers' Party Member of Parliament for Aljunied GRC, and Dr Tan Wu Meng, People's Action Party MP for Jurong GRC.

Mr Giam had asked about the number of fraudulent transactions due to SMS OTP diversions, the timeline set by the Monetary Authority of Singapore (MAS) to phase out SMS OTPs, and the possibility for customers to opt out of using SMS OTPs if they were already using other multi-factor authentication methods.

Responding to Mr Giam's queries, SM Tharman, also MAS' Chairman before he stepped down from his political appointments on 7 July, stated, "While our local telco networks were secure and not compromised, the telco operators had since implemented additional security safeguards to mitigate the risk. Hence, the risk of SMS OTPs being diverted has now been largely addressed."

SM Tharman further explained, "The Monetary Authority of Singapore (MAS) has required banks to phase out SMS OTP as a sole factor to authenticate high-risk transactions. Banks in Singapore have already moved away from sole reliance on SMS OTP for high-risk online banking activities."

However, according to SM Tharman, MAS does not currently see the need to require banks to provide customers the ability to opt out of SMS OTPs, as this would limit the authentication toolkit that the banks have and dilute the effectiveness of multi-layered security for protecting customers. He also notes that the transition away from sole reliance on SMS OTP for high-risk online banking activities will not, however, deal with other scam types that have been growing recently, such as those that use phishing and malware to steal banking credentials.

Meanwhile, Dr Tan, prompted by a police advisory on malware compromising mobile devices, asked whether MAS would consider reviewing previously closed cases of customer disputes involving unauthorized transactions.

In addressing these concerns, the Senior Minister underscored the growing threat of malware, stating that "scammers are exploiting newer technologies" and have "acquired the ability to control customers’ devices using malware." SM Tharman urges the public to pay attention to the security permissions requested by applications, install only from official sources, uninstall unknown applications, and regularly update devices and applications.

"MAS expects banks to treat customers fairly in all cases of dispute over unauthorized transactions," SM Tharman emphasized. "Customers can ask banks to reassess their cases should new information relevant to their disputes surface."

The police had earlier reported in February that residents in Singapore lost S$16.5 million in 2022, which is a significant decrease from 2021, when S$34.8 million was reported as lost.











