Parliamentary Replies
Published Date: 05 July 2023

Written reply to Parliamentary Question on SMS OTP diversions and unauthorised transactions

Date: For Parliament Sitting on 5 July 2023


Mr Gerald Giam Yean Song, Aljunied GRC: To ask the Prime Minister (a) in the past year how many fraudulent bank transactions have been made as a result of SMS one-time password (OTP) diversions; (b) whether MAS has a timeline for requiring banks to phase out the use of SMS OTPs in favour of other multi-factor authentication (MFA) methods; and (c) whether MAS will require banks to provide customers with the option to stop the use of SMS OTPs in the interim, if they are already using other MFA methods.

Dr Tan Wu Meng, Jurong GRC: To ask the Prime Minister in view of the police advisory informing the public that malware was used to compromise mobile devices resulting in unauthorised transactions made from bank accounts, whether MAS will consider reviewing previously closed cases of customer disputes with banks where unauthorised transactions were reported despite one-time passwords not being divulged or received.

Answer by Mr Tharman Shanmugaratnam, Senior Minister and Minister in charge of MAS:

1. Mr Speaker, my response will cover the questions raised by Mr Gerald Giam and Dr Tan Wu Meng in today’s Order Paper.

2. Globally, and in Singapore, scam cases have been rising. Scammers have been quick to evolve their tactics to trick consumers into divulging their banking credentials as well as to evade detection. As previously explained in this house, Singapore has adopted a multi-layered strategy to combat scams. Agencies are continuing to work closely with the industry to strengthen our anti-scam measures to fight the evolving threats.

3. Before 2021, there were cases reported where malicious actors diverted SMS OTPs to perform fraudulent bank transactions. These occurred between September 2020 and December 2020. The attacks were caused by unauthorised access to the systems of overseas telecommunication (telco) operators to divert the SMS OTPs sent by the banks to their customers, which were then used to authenticate fraudulent online card payment transactions. While our local telco networks were secure and not compromised, the telco operators had since implemented additional security safeguards to mitigate the risk. Hence, the risk of SMS OTPs being diverted has now been largely addressed. The Singapore Police Force has also not found any confirmed cases of SMS OTP diversions since January 2021.

4. Nevertheless, given the inherent vulnerability of the SMS channel, MAS has required banks to phase out SMS OTP as a sole factor to authenticate high-risk transactions. Banks in Singapore have already moved away from sole reliance on SMS OTP for high-risk online banking activities, like adding of payees and changing of fund transfer limits. MAS expects the same for high-risk card transactions, such as authorising online card payments. The transition has commenced, and MAS will set a deadline for all retail banks to complete this.

5. MAS does not currently see the need to require banks to provide customers the ability to opt out of SMS OTPs as this would limit the authentication toolkit that the banks have and dilute the effectiveness of multi-layered security for protecting customers. When used in combination with other authentication factors such as biometrics or digital tokens, SMS OTP provides an additional layer of security that fraudsters have to overcome. In addition, SMS OTP is an authentication method that is accessible by all customers as it can be received on any type of mobile device. It allows all customers to perform low-risk activities, such as viewing of account balance and paying of bills, conveniently without the need for an additional device. Removing SMS OTPs entirely will exclude a significant number of online banking customers who do not own mobile devices that can install digital tokens.

6. The transition away from sole reliance on SMS OTP for high-risk online banking activities will however not deal with other scam types, such as those related to phishing and malware to steal banking credentials, that have been growing recently.

7. Scam cases involving malware infections of customer devices are not new. However, scammers are exploiting newer technologies. In more recent cases, they have acquired the ability to control customers’ devices using malware. In such cases, the customer may not be aware that SMS OTPs had been delivered to his mobile device, or that unauthorised transactions had been performed, as the scammer who has obtained control over the mobile device has deleted both the SMS OTPs and transaction notifications. Such cases are concerning.

8. The Cyber Security Agency of Singapore has published an advisory on an ongoing malware campaign targeting Android Devices in May 2023. Members of the public are strongly reminded and urged to take these necessary measures, which have also been amplified by the banks, to protect themselves against malware:

a. Pay attention to the security permissions requested by the application and be wary of applications that ask for unnecessary permissions on mobile devices.

b. Install applications only from the official Google Play Store.

c. Uninstall any unknown applications that are found in mobile devices immediately.

d. Perform anti-virus scans and keep regular backups of important data.

e. Ensure that mobile devices’ operating systems and applications are updated regularly to be protected by the latest security patches.

9. When customers discover any unauthorised transactions in their accounts or suspect that their mobile device may have been compromised by malware, they should immediately contact the bank or activate the “kill switch” that the banks provide to freeze their accounts. They should work in cooperation with the bank to establish the facts surrounding the transaction. They should also report fraudulent activities to the Police. For malware cases, the Police may request that customers submit their mobile devices for investigation.

10. MAS expects banks to treat customers fairly in all cases of dispute over unauthorised transactions. Banks must consider whether they have fulfilled their obligations, and whether customers have done their part in protecting their accounts. Customers can ask banks to reassess their cases should new information relevant to their disputes surface.