SMS is an inherently vulnerable platform to use for secure transactions. On 5 October 2021, I asked the Prime Minister how MAS, the banking regulator, is working with banks and telcos to prevent hijacking of one-time passwords (OTPs) sent by banks via SMS. I asked whether MAS will require banks to reimburse customers for any losses resulting from the hijacking of SMS OTPs. The Minister confirmed that customers will not have to bear any such unauthorised charges resulting from SMS OTP diversion so long as they had taken care to protect their card information and authentication credentials.
I further asked if MAS will be directing banks to move their multi-factor authentication methods away from SMS to more secure app-based authentication methods. The Minister said that MAS does not prescribe.
Next, I asked if MAS will require banks to allow customers to disable SMS OTP authentication and only allow app-based authentication. The Minister said that it is something MAS can engage the banks on to see if banks will be prepared to give more options for customers who feel they would prefer something more secure.
In the wake of the massive scam of OCBC customers that took place recently, I think there is an added urgency to move banks away from using SMS for financial transactions.
The full Parliamentary Q&A is below:
REVIEW OF FRAUDULENT CREDIT CARD TRANSACTIONS INVOLVING DIVERSION OF ONE-TIME PASSWORDS PRIOR TO SEPTEMBER 2020
The Minister for Finance (Mr Lawrence Wong) (for the Prime Minister): Mr Speaker, Sir, aside from Dr Tan’s Parliamentary Question (PQ), Member Ms Joan Pereira had filed a similar PQ yesterday and Mr Gerald Giam [1] had also filed a PQ on this matter.
So, with your permission, may I take all these PQs related to MAS’ recent announcement on the SMS OTPs fraud, at the same time.
Mr Speaker: Yes, please.
Mr Lawrence Wong: Sir, MAS, the Infocomm Media Development Authority (IMDA) and the Singapore Police Force (SPF) announced on 15 September that malicious actors overseas had diverted and used SMS OTPs to perform fraudulent credit card transactions between September 2020 and December 2020. Seventy-five bank customers in Singapore had been affected. Banks have reached out to all the affected customers to waive the unauthorised transactions, amounting to approximately S$500,000.
There have been no confirmed cases of SMS OTP diversion in Singapore prior to September 2020. Banks are reviewing all card dispute cases reported to them from September 2020, to identify if there may be other fraudulent transactions that were enabled by SMS OTP diversion. Banks will similarly investigate any new reports by customers, including any such transactions before September 2020. Bank customers will not have to bear any unauthorised charges in cases which are confirmed to have been enabled by SMS OTP diversion, as long as customers had taken care to protect their card information and authentication credentials. So, bank customers will not have to bear any such unauthorised charges so long as they had taken care to protect their card information and authentication credentials.
Sir, this attack has shown us that the fight against scams and fraud requires collective effort.
Banks have a responsibility to secure their IT systems, put in place robust measures to authenticate customer transactions and conduct active surveillance to detect unusual transaction patterns. They are required to institute robust security controls to safeguard customers’ account information and transaction data from unauthorised access and misuse.
Likewise, bank customers too have a responsibility – to protect their online banking and payment credentials for authentication such as passwords and OTPs, by inputting them only on official websites or mobile applications. These should never be disclosed over the phone, via text message or email.
Mr Giam had asked about the measures taken by banks and telecommunication companies to safeguard against the SMS OTP diversion attack. While banks’ systems were secure and not the cause of these incidents, banks have further enhanced their fraud surveillance measures. This includes rejecting card payments made to common merchants linked to the unauthorised transactions. Banks will continue to closely monitor the evolving cybersecurity landscape, and regularly review authentication mechanisms and other security measures put in place to address risks posed to customers using online financial services.
As for the local telecommunication networks, IMDA, in consultation with the Cyber Security Agency of Singapore (CSA), has required telco operators to put in place specialised firewalls and system safeguards to monitor and block suspicious diversions of SMS.
As Ms Pereira highlighted, consumers need to also take action to protect themselves. Allow me to share a few actions which consumers can focus on.
First, consumers must assume that criminals will try to obtain their online banking credentials. Criminals typically do this by tricking consumers into installing malware on their devices or disclosing their online banking username and passwords through phone calls or fake websites. When in doubt, consumers should call the banks’ official hotlines to verify the legitimacy of requests for online banking and card credentials.
Banks work with SPF, National Crime Prevention Council (NCPC) and MoneySense, our national financial education programme, to regularly alert consumers to new methods adopted by scammers and to educate consumers on how they can protect themselves.
Consumers must also develop a healthy scepticism about websites, unsolicited phone calls, messages and emails. When making online purchases, they should only use established and reputable online services. If there is any doubt about a merchant’s legitimacy, do not proceed with the transaction. And be wary of any deal or offer that sounds too good to be true.
Second, consumers should set transaction notification thresholds at low levels so that unauthorised transactions are detected early. Banks work closely with SPF and Anti-Scam Centre to exchange intelligence on emerging scam trends, so that they can take prompt action. The sooner a report is made, the higher the likelihood that the funds can be recovered.
Where bank customers suffer financial losses from fraudulent transactions, they are protected as long as they have acted responsibly. Banks are expected to consider whether the customers could have taken reasonable steps to prevent the occurrence of the fraudulent transactions. Bank customers will not have to incur any losses which arise from the banks’ non-compliance with MAS’ rules.
Let me reiterate: fighting fraud is a collective effort. As criminals will continue to perpetuate new and more sophisticated methods to defraud consumers, banks, consumers and the authorities need to remain vigilant in preventing as well as detecting fraudulent transactions. MAS will continue to work with all stakeholders to ensure that e-payments remain safe and secure.
Mr Speaker: Dr Tan Wu Meng.
Dr Tan Wu Meng (Jurong): I thank the Minister for his answer. Sir, these are serious revelations. A Clementi resident told me that when he disputed a credit card transaction with his bank, he was told because there was an OTP record in his phone number’s name, the transaction must be genuine and therefore, cannot be challenged. He appealed a number of times; the case was resolved. But how many more consumers would have given up before attaining a resolution?
Sir, I have got three supplementary questions for the Minister. First, prior to September 2020, how many reports were there of fraudulent card transactions in recent years where the victim said they did not perform the transaction nor receive the SMS OTP? Has the trend been going up, prior to the latest findings?
Second, will MAS consider looking into these earlier cases too? Cases, which based on earlier assumptions, might have been deemed clear-cut open and shut, but given the latest revelations, might warrant repeat scrutiny?
And thirdly, can MAS reassure the public, including our Clementi residents, that agencies will continue keeping an open mind when a customer is concerned about cyber fraud affecting their credit card, involving the SMS OTP?
Mr Lawrence Wong: Mr Speaker, as I mentioned in my reply just now, we have not seen any confirmed cases of SMS OTP diversion. I emphasise, we are talking about SMS OTP diversion fraud cases. We have not seen any confirmed cases up to now, prior to September. But the banks, as I mentioned just now, are investigating any further reports by consumers and customers, and these will include transactions that occurred before September 2020, taking into consideration this new revelation or this new finding that some of these SMS OTPs could have been diverted and we would take that into consideration in resolving these cases.
Certainly, if any subsequent report were to be made and found to be linked to SMS OTP diversion, the cases would be resolved as with the 75 cases that I highlighted, which means that for affected customers, the banks will waive the unauthorised transactions, so long as the customers have taken the necessary care to protect their card information and authentication credentials.
Going forward, for future cases, whether it is due to SMS OTP diversion or other fraudulent methods, I have mentioned before in this House that we have a Payments Council. They are reviewing guidelines and responsibilities for customers as well as financial institutions to clarify responsibilities and liabilities.
Ultimately, everyone needs to play their part: financial institutions will have to do so, customers will have to do so. If we clarify what the responsibilities and guidelines are, then, hopefully, we can continue collectively to do more to guard against such fraudulent transactions.
Mr Speaker: Mr Gerald Giam.
Mr Gerald Giam Yean Song (Aljunied): I thank the Minister for answering my PQ. Given that SMS OTP diversion is something that takes place overseas where MAS has no jurisdiction, how are the banks going to prevent this from happening to their customers again? For example, are banks or IMDA going to work with these overseas telcos to close these loopholes?
Secondly, will MAS be directing banks to move their multi-factor authentication methods away from SMS to, for example, more secure app-based authentication methods? If so, how will they ensure that the less tech-savvy customers will not be left out?
Lastly, can MAS also require banks to allow existing customers to disable SMS multi-factor authentication for their own accounts and then use app-based authentication instead, because they are more secure?
Mr Lawrence Wong: Sir, let me just take these three questions in turn. First, as I mentioned in my reply, IMDA is putting in place some safeguards with regard to how the telcos operate. In this instance where it comes to SMS OTP diversion, the perpetrators needed to do several things.
One, they would have obtained the victim’s personal and financial information and mobile phone number already. That would have been compromised already, through malware, through phishing, whatever methods they would have gotten that information.
Second, the perpetrators would have gained access to a few overseas telco networks to compromise their system. Then, they would fraudulently modify the location details of the targeted victims as though these victims were overseas. Then, you make a transaction and the bank sends an SMS OTP through this overseas network. And that is how, with the compromised credit card credentials, the fraudulent transaction is made.
And so, as I mentioned just now, telcos are already putting in place additional safeguards, for example, specialised firewalls and other system safeguards to monitor and block suspicious diversions of SMS. This would include, for example, knowing where an individual’s location is, and if you suddenly see the change in location, a red flag may be triggered, and then, the telco would then have safeguards in place to prevent the SMS from being diverted. These system safeguards are being worked on by telcos.
On the second question, can you please repeat the second question?
Mr Gerald Giam Yean Song: Asking the banks to use other forms of authentication besides SMS.
Mr Lawrence Wong: Thank you. Other forms of authentication and whether you can allow customers to opt out. MAS does not prescribe. The financial institutions are required to implement multi-factor authentication mechanisms. It can include SMS OTP but they can include other forms of multi-factor authentication. Each one will potentially be susceptible to perpetrators trying to take advantage of any possible weakness. It is a continuous process where the financial institutions have to review the type of authentication mechanisms which they would like to use, commensurate with the risk level of the financial transaction and the sensitivity of the data involved.
As for allowing options for customers, it is something that MAS can engage the banks on, to see if the banks will be prepared to give more options for customers who feel they would prefer something more secure.
But I must say whatever you put in place, the perpetrators will always be looking out for new ways to identify vulnerabilities and weaknesses. So, this has to be a continuous effort to make sure that our systems remain secure and it requires continued vigilance by regulator, financial institutions and customers, importantly.
Footnote:
[1] To ask the Prime Minister (a) how is MAS working with banks and telecommunications companies to prevent hijacking of the One-time Passwords (OTPs) sent by banks via SMS; and (b) whether MAS will require banks to (i) proactively reach out to customers affected by such schemes given customers may be unaware of these transactions taking place and (ii) reimburse customers for any losses resulting from hijacking of SMS OTPs.
Source: Singapore Parliament Reports
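The Minister's reply describes the telco-side safeguard in one sentence: a subscriber whose registered location suddenly jumps abroad just before an OTP is sent should raise a red flag. The following is an added illustration of that check, written for this post and not taken from any telco, MAS or IMDA system; the network labels, the 30-minute window and the subscriber ids are assumptions, and the history records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

HOME_NETWORK = "SG-home"                    # assumed label for the home network
SUDDEN_MOVE_WINDOW = timedelta(minutes=30)  # assumed: home -> abroad within 30 min of an OTP is a red flag


@dataclass
class LocationUpdate:
    """One location registration seen by the home telco (constructed record format)."""
    subscriber: str
    network: str      # network the subscriber is now registered on
    at: datetime


def check_otp_delivery(history: List[LocationUpdate], subscriber: str,
                       now: datetime) -> Tuple[bool, str]:
    """Decide whether an OTP SMS to `subscriber` at `now` should be held for review.

    Returns (hold, reason). hold=True means the SMS is not routed to the
    foreign network until the location change has been checked.
    """
    updates = sorted((u for u in history if u.subscriber == subscriber and u.at <= now),
                     key=lambda u: u.at)
    if not updates:
        return False, "no location history; subscriber treated as on home network"
    current = updates[-1]
    if current.network == HOME_NETWORK:
        return False, "subscriber registered on home network"
    previous = updates[-2] if len(updates) > 1 else None
    abroad_for = now - current.at
    if previous is not None and previous.network == HOME_NETWORK and abroad_for <= SUDDEN_MOVE_WINDOW:
        minutes = int(abroad_for.total_seconds() // 60)
        return True, (f"registration jumped from {HOME_NETWORK} to {current.network} "
                      f"{minutes} min before the OTP; hold and review")
    return False, f"roaming on {current.network} since {current.at:%Y-%m-%d %H:%M}; consistent with travel"


# Constructed sample history, not real telco records: SUB-A is re-registered
# abroad minutes before a bank OTP is sent; SUB-B has been roaming for days.
SAMPLE_HISTORY = [
    LocationUpdate("SUB-A", HOME_NETWORK, datetime(2020, 10, 3, 8, 0)),
    LocationUpdate("SUB-A", "XX-roaming", datetime(2020, 10, 3, 22, 41)),
    LocationUpdate("SUB-B", HOME_NETWORK, datetime(2020, 9, 20, 9, 0)),
    LocationUpdate("SUB-B", "YY-roaming", datetime(2020, 10, 1, 14, 0)),
]
OTP_TIME = datetime(2020, 10, 3, 22, 50)  # constructed moment the bank sends the OTP

if __name__ == "__main__":
    for sub in ("SUB-A", "SUB-B", "SUB-C"):
        hold, reason = check_otp_delivery(SAMPLE_HISTORY, sub, OTP_TIME)
        print(f"{sub}: {'HOLD' if hold else 'deliver'} ({reason})")
```

A real deployment would pair this with the other signals the reply mentions (which network requested the registration, how the request reached the home network), but the time-and-place heuristic is the core of the red flag described.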