There were recent reports of local bank customers having funds stolen from their accounts because criminals overseas used a technique called “SMS diversion” to obtain the SMS one-time passwords (OTPs) sent by banks to verify credit card transactions.
I have filed a question for the Minister to reply on behalf of the Monetary Authority of Singapore to ask how MAS is working with banks and telcos to prevent criminal hijacking of OTPs. This involves the compromise of overseas telecommunication networks and may be out of Singapore’s jurisdiction.
I also asked if MAS will require banks to proactively reach out to customers affected by such schemes and reimburse them for any losses resulting from these criminal acts. Unlike situations where bank customers are tricked into communicating their OTPs to scammers, SMS hijacking happens without their knowledge.
Since SMS is vulnerable to being hijacked, it might be prudent for banks to give customers the option to disable SMS verification of purchases so they use only their banking app to verify purchases.
This is the full text of my question, to be answered on 4 Oct 2021 in Parliament:
Mr Gerald Giam Yean Song: To ask the Prime Minister (a) how is MAS working with banks and telecommunications companies to prevent hijacking of the one-time passwords (OTPs) sent by banks via SMS; and (b) whether MAS will require banks to (i) proactively reach out to customers affected by such schemes given customers may be unaware of these transactions taking place and (ii) reimburse customers for any losses resulting from hijacking of SMS OTPs.