SINGAPORE – Banks will investigate any new card dispute cases to identify whether they were fraudulent transactions made possible by the hijacking of SMS one-time passwords (OTPs), including those related to transactions prior to September 2020, before the first confirmed cases were revealed to have occurred.
They are also reviewing all card dispute cases that have been brought to their attention since September 2020 to determine whether there may be other such fraudulent transactions, the deputy chairman of the Monetary Authority of Singapore (MAS), Lawrence Wong, told Parliament on Tuesday, October 5.
Customers will not have to bear unauthorized charges in cases confirmed to have been enabled by SMS OTP hijacking, provided they have taken care to protect their card information and credentials.
Mr. Wong, who is also Minister of Finance, was speaking on behalf of Senior Minister Tharman Shanmugaratnam, who is the Minister in charge of MAS.
Dr Tan Wu Meng (Jurong GRC), Ms Joan Pereira (Tanjong Pagar GRC) and Workers' Party (WP) MP Gerald Giam (Aljunied GRC) had asked about cases of SMS OTP fraud, following an announcement last month that 75 bank customers in Singapore were victims of such incidents between September and December of last year.
Mr. Wong said the amount of around $500,000 from unauthorized transactions was written off by the banks.
The minister said banks have a responsibility to secure their IT systems, implement strong measures to authenticate transactions and conduct active monitoring to detect unusual transaction patterns.
But bank customers also have a responsibility to protect their own credentials, he added.
“Consumers should assume that criminals will try to obtain their online banking credentials. Criminals typically do so by tricking consumers into installing malware on their devices or into disclosing their online banking username and password through phone calls or bogus websites,” he said.
“When in doubt, consumers should call official bank hotlines to verify the legitimacy of requests for online banking services and card credentials.”
They should also develop a healthy skepticism of unsolicited websites, phone calls, messages and emails, and should only use established and reputable services when shopping online, Mr. Wong said.
The minister advised customers to set transaction notification thresholds low so that unauthorized transactions are detected early.
Bank customers are protected against financial loss resulting from fraud as long as they have acted responsibly.
Mr. Wong noted that banks are reviewing whether customers could have taken reasonable steps to prevent fraudulent transactions from occurring, and that customers will not suffer any losses as a result of banks’ non-compliance with MAS rules.
Dr Tan cited a resident who said he disputed a credit card transaction with his bank, only to be told that there was a record of an OTP sent to his phone number and that the transaction could not be disputed.
“He appealed several times and the matter was resolved, but how many more consumers would have given up before reaching a resolution?”
Dr Tan asked whether any earlier cases that had also been considered clear at the time could be revisited.
Mr Wong replied that banks will take into account the “new discovery” that SMS OTPs may have been misappropriated when investigating other reports, including those involving past transactions.
Mr Giam said the SMS hijacking occurs overseas, where MAS has no jurisdiction. He asked if the banks here would work with telecom operators overseas to avoid such incidents.
He also asked if MAS would order banks to move away from SMS as an authentication method, or allow customers to manually disable it in favor of more secure methods such as application-based authentication.
Mr Wong said the Infocomm Media Development Authority is already implementing additional safeguards, such as verifying an individual’s location and flagging any sudden change as suspect, to prevent SMS messages from being diverted abroad.
The minister also said that while the MAS requires multi-factor authentication, it does not prescribe which method should be used.
“Whatever you put in place, perpetrators will always be looking for new ways to identify vulnerabilities and weaknesses. It must therefore be a continuous effort to ensure the security of our systems. This requires continued vigilance on the part of the regulator, financial institutions and customers.”