Written reply to Parliamentary Question on SMS OTP diversions and unauthorised transactions
1. Mr Speaker, my response will cover the questions raised by Mr Gerald Giam and Dr Tan Wu Meng in today’s Order Paper.
2. Globally, and in Singapore, scam cases have been rising. Scammers have been quick to evolve their tactics to trick consumers into divulging their banking credentials as well as to evade detection. As previously explained in this house, Singapore has adopted a multi-layered strategy to combat scams. Agencies are continuing to work closely with the industry to strengthen our anti-scam measures to fight the evolving threats.
3. Before 2021, there were cases reported where malicious actors diverted SMS OTPs to perform fraudulent bank transactions. These occurred between September 2020 and December 2020. The attacks were caused by unauthorised access to the systems of overseas telecommunication (telco) operators to divert the SMS OTPs sent by the banks to their customers, which were then used to authenticate fraudulent online card payment transactions. While our local telco networks were secure and not compromised, the telco operators had since implemented additional security safeguards to mitigate the risk. Hence, the risk of SMS OTPs being diverted has now been largely addressed. The Singapore Police Force has also not found any confirmed cases of SMS OTP diversions since January 2021.
4. Nevertheless, given the inherent vulnerability of the SMS channel, MAS has required banks to phase out SMS OTP as a sole factor to authenticate high-risk transactions. Banks in Singapore have already moved away from sole reliance on SMS OTP for high-risk online banking activities, like adding of payees and changing of fund transfer limits. MAS expects the same for high-risk card transactions, such as authorising online card payments. The transition has commenced, and MAS will set a deadline for all retail banks to complete this.
5. MAS does not currently see the need to require banks to provide customers the ability to opt out of SMS OTPs as this would limit the authentication toolkit that the banks have and dilute the effectiveness of multi-layered security for protecting customers. When used in combination with other authentication factors such as biometrics or digital tokens, SMS OTP provides an additional layer of security that fraudsters have to overcome. In addition, SMS OTP is an authentication method that is accessible by all customers as it can be received on any type of mobile device. It allows all customers to perform low-risk activities, such as viewing of account balance and paying of bills, conveniently without the need for an additional device. Removing SMS OTPs entirely will exclude a significant number of online banking customers who do not own mobile devices that can install digital tokens.
6. The transition away from sole reliance on SMS OTP for high-risk online banking activities will however not deal with other scam types, such as those related to phishing and malware to steal banking credentials, that have been growing recently.
7. Scam cases involving malware infections of customer devices are not new. However, scammers are exploiting newer technologies. In more recent cases, they have acquired the ability to control customers’ devices using malware. In such cases, the customer may not be aware that SMS OTPs had been delivered to his mobile device, or that unauthorised transactions had been performed, as the scammer who has obtained control over the mobile device has deleted both the SMS OTPs and transaction notifications. Such cases are concerning.
8. The Cyber Security Agency of Singapore published an advisory in May 2023 on an ongoing malware campaign targeting Android devices. Members of the public are strongly reminded and urged to take these necessary measures, which have also been amplified by the banks, to protect themselves against malware:
a. Pay attention to the security permissions requested by the application and be wary of applications that ask for unnecessary permissions on mobile devices.
b. Install applications only from the official Google Play Store.
c. Uninstall any unknown applications that are found on mobile devices immediately.
d. Perform anti-virus scans and keep regular backups of important data.
e. Ensure that mobile devices’ operating systems and applications are updated regularly to be protected by the latest security patches.
9. When customers discover any unauthorised transactions in their accounts or suspect that their mobile device may have been compromised by malware, they should immediately contact the bank or activate the “kill switch” that the banks provide to freeze their accounts. They should work in cooperation with the bank to establish the facts surrounding the transaction. They should also report fraudulent activities to the Police. For malware cases, the Police may request that customers submit their mobile devices for investigation.
10. MAS expects banks to treat customers fairly in all cases of dispute over unauthorised transactions. Banks must consider whether they have fulfilled their obligations, and whether customers have done their part in protecting their accounts. Customers can ask banks to reassess their cases should new information relevant to their disputes surface.