
Singapore gives banks two-week deadline to fix SMS security

A widespread phishing operation targeting Southeast Asia’s second-largest bank – Oversea-Chinese Banking Corporation (OCBC) – has prompted the Monetary Authority of Singapore (MAS) to introduce regulations for internet banking that include use of an SMS Sender ID registry.

Singapore banks have two weeks to remove clickable links in text messages or e-mails sent to retail customers. Furthermore, activation of a soft token on a mobile device will require a 12-hour cooling-off period, customers must be notified of any request to change their contact details, and the fund transfer threshold will by default be set to SG$100 ($74) or lower.

MAS has also offered a vague directive requiring banks to issue more scam education alerts, and to do so more often.

Singapore-based banks will also be required to operate dedicated customer assistance teams to deal with potential fraud cases on a priority basis.

A dedicated service line could tackle one of the major complaints raised by victims of the OCBC phishing scam: that the bank was not equipped to handle fraud cases in progress in real time, and funneled customers into an automated loop while their accounts were being drained.

MAS flagged that more regulations will follow.

“The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months,” MAS and the Association of Banks in Singapore (ABS) revealed in a joint statement on Wednesday.

The statement said specifically that MAS would continue to work with the Singapore Police Force and the Infocomm Media Development Authority (IMDA) to combat SMS spoofing – including adoption of an SMS Sender ID registry, of which a pilot programme was launched last August. The central banking authority also promised to increase “scrutiny of major financial institutions’ fraud surveillance mechanisms” to make sure they can deal with the recent influx of new scams.

The phishing scheme, which first appeared at the start of December 2021, affected at least 469 customers and yielded over SG$8.5 million ($6.3M) by the end of the month alone.

Victims received an unsolicited SMS that asked the account holder to click a link to resolve account issues. The link redirected them to a fake bank website, where the threat actors could collect their logins and passwords. The scammers then transferred the digital token over to their own devices and began the process of draining the accounts.

At first the bank offered “goodwill” payments to a paltry 6.4 per cent of victims. The day after MAS threatened action, OCBC changed its tune and told local media outlet The Straits Times that it would issue “full goodwill payouts” to all victims.

Emails from the bank to customers revealed the payments came after a full investigation, and the bank promised to contact the victims by January 27. Interestingly, reports have surfaced that the goodwill payout comes with a non-disclosure agreement for the victims.

Overall, MAS warns that the more stringent measures it is implementing will “lengthen the time taken for certain online banking transactions but will provide an additional layer of security to protect customers’ funds”.

The changes might also have some extra unintended positive effects. As one Singaporean bank account holder put it:

Thereby proving these sorts of things can sometimes have silver linings – unless you’re a techie at a Singaporean bank and have a very busy fortnight ahead of you. ®