Reply to Parliamentary Question on Unauthorised Banking Transactions
QUESTION NO 543
NOTICE PAPER 227 OF 2021
FOR ORAL ANSWER
Date: For Parliament Sitting on 16 February 2021
Name and Constituency of Member of Parliament
Dr Tan Wu Meng, MP, Jurong GRC
To ask the Prime Minister (a) over the past three years, how many reports have been made annually by consumers regarding unauthorised online bank transactions; (b) in what proportion of cases is there 2-factor authentication (2FA) by token and SMS one-time password respectively; and (c) what is the recourse for consumers who suspect that they are victims of cybercrime or mobile device hacking leading to the unauthorised bank transactions.
Answer by Mr Ong Ye Kung, Minister for Transport, on behalf of Mr Tharman Shanmugaratnam, Senior Minister and Minister in charge of MAS:
1. In 2020, the police received 1,848 reports of unauthorised online banking and card transactions involving criminals phishing for banking and card details from the victims before performing these unauthorised transactions. The cases are on an upward trend. In 2018 and 2019, there were 114 and 329 cases respectively.
2. The Monetary Authority of Singapore (MAS) requires banks to implement controls, such as multi-factor authentication using one-time passwords (OTPs), to keep online transactions secure. Unfortunately, multi-factor authentication cannot eliminate all scams. Many victims have been tricked into revealing their user IDs, passwords, OTPs, or credit card details to scammers.
3. Recently, some account holders have reported successful online card transactions when no SMS OTPs were received, or when no SMS OTPs were revealed to others. The police and banks are following up on these cases and investigations are ongoing. As a precaution, the banks have put in place additional measures, such as rejecting card payments made to some commonly disputed merchants, or placing limits on the transaction amounts that customers can transact with such merchants.
4. If you suspect that you have been a victim of fraud or cybercrime, the first step is to make a police report and contact your bank immediately so that investigations can take place promptly. If an unauthorised transaction was due to the bank’s lapses or non-compliance with MAS’ rules, the customer will not bear any financial loss provided that he has practiced proper cyber hygiene and had not been negligent, for example by giving his login information, including OTP, to a third party.
5. Customers play an important part in preventing scams, because guarding against online threats starts with practising good cyber hygiene. This includes keeping passwords secret and promptly updating the security patches and anti-virus software on computers and mobile devices. It is very important that consumers treat their online banking login information, including OTPs, as they would their ATM PINs.
6. We cannot emphasise this enough to the public. Never reveal your login information, including OTPs, to others. Employees of financial institutions will not ask for such information. So if you are asked for it by a third party, do not provide it.
7. Consumers should also heed the security email advisories, notices and alerts disseminated by their banks, MAS, the Singapore Police Force and the National Crime Prevention Council, and share them with family and friends.
* * *