Reply to Parliamentary Question on SMS OTPs diversion fraud
QUESTION NO 1794
NOTICE PAPER 724 OF 2021
FOR ORAL ANSWER
Date: For Parliament Sitting on 5 October 2021
Name and Constituency of Member of Parliament
Dr Tan Wu Meng, MP, Jurong GRC
To ask the Prime Minister regarding the report by MAS that bank customers in Singapore suffered fraudulent credit card transactions following malicious actors' diversion of SMS one-time passwords, whether a retrospective review will be conducted to establish whether additional customers prior to September 2020 may have been affected.
Answer by Mr Lawrence Wong, Deputy Chairman of MAS and Minister for Finance, on behalf of Mr Tharman Shanmugaratnam, Senior Minister and Minister in charge of MAS:
1. Mr Speaker, Sir, may I have your permission to answer all the Parliamentary Questions (PQs) related to MAS’ recent announcement on the SMS one-time passwords (OTPs) fraud together. Aside from Dr Tan Wu Meng’s PQ, Ms Joan Pereira had filed a PQ
2. MAS, the Infocomm Media Development Authority (IMDA), and the Singapore Police Force (SPF) announced on 15 September that malicious actors overseas had diverted and used SMS OTPs to perform fraudulent credit card transactions between September 2020 and December 2020. 75 bank customers in Singapore had been affected. Banks have reached out to all the affected customers to waive the unauthorised transactions, amounting to approximately S$500,000.
3. There have been no confirmed cases of SMS OTP diversion in Singapore prior to September 2020. Banks are reviewing all card dispute cases reported to them from September 2020, to identify if there may be other fraudulent transactions that were enabled by SMS OTP diversion. Banks will similarly investigate any new reports by customers, including any such transactions before September 2020. Bank customers will not have to bear any unauthorised charges in cases which are confirmed to have been enabled by SMS OTP diversion, as long as customers had taken care to protect their card information and authentication credentials.
4. This attack has shown us that the fight against scams and fraud requires collective effort.
5. Banks have a responsibility to secure their IT systems, put in place robust measures to authenticate customer transactions, and conduct active surveillance to detect unusual transactions patterns. They are required to institute robust security controls to safeguard customers’ account information and transaction data from unauthorised access and misuse.
6. Bank customers too have a responsibility – to protect their online banking and payment credentials for authentication such as passwords and OTPs, by inputting them only on official websites or mobile applications. These should never be disclosed over the phone, via text message, or via e-mail.
7. Mr Giam asked about the measures taken by banks and telecommunication companies to safeguard against the SMS OTP diversion attack. While banks’ systems were secure and not the cause of these incidents, banks have further enhanced their fraud surveillance measures. This includes rejecting card payments made to common merchants linked to the unauthorised transactions. Banks will continue to closely monitor the evolving cyber security landscape, and regularly review authentication mechanisms and other security measures put in place to address risks posed to customers using online financial services.
8. As for the local telecommunication networks, IMDA, in consultation with the Cyber Security Agency of Singapore (CSA), has required telco operators to put in place specialised firewalls and system safeguards to monitor and block suspicious diversions of SMS.
9. As Ms Pereira highlighted, consumers need to also take action to protect themselves. Allow me to share a few actions which consumers can focus on.
10. First, consumers must assume that criminals will try to obtain their online banking credentials. Criminals typically do this by tricking consumers into installing malware on their devices or disclosing their online banking username and passwords through phone calls or fake websites. When in doubt, consumers should call the banks’ official hotlines to verify the legitimacy of requests for online banking and card credentials. Banks work with the SPF, National Crime Prevention Council (NCPC) and MoneySense, our national financial education programme, to regularly alert consumers to new methods adopted by scammers and how consumers can protect themselves.
11. Consumers must also develop a healthy skepticism about websites, unsolicited phone calls, messages and emails. When making online purchases, they only should use established and reputable online services. If there is any doubt about a merchant’s legitimacy, don’t proceed with the transaction. And be wary of any deal or offer that sounds too good to be true.
12. Second, consumers should set transaction notification thresholds at low levels so that unauthorised transactions are detected early. Banks work closely with the SPF and Anti-Scam Centre to exchange intelligence on emerging scam trends, so that they can take prompt action. The sooner a report is made, the higher the likelihood that the funds can be recovered.
13. Where bank customers suffer financial losses from fraudulent transactions, they are protected as long as they have acted responsibly. Banks are expected to consider whether the customers could have taken reasonable steps to prevent the occurrence of the fraudulent transactions. Bank customers will not have to incur any losses which arise from the banks’ non-compliance with MAS’ rules.
14. Let me reiterate: fighting fraud is a collective effort. As criminals will continue to perpetuate new and more sophisticated methods to defraud consumers, banks, consumers and the authorities need to remain vigilant in preventing as well as detecting fraudulent transactions. MAS will continue to work with all stakeholders to ensure that e-payments remain safe and secure.