Mr. Kevin Reed, head of information security at cybersecurity firm Acronis, told TODAY that a much better approach would be for banks not to use SMS for such notifications at all.
If banks stopped communicating important information via text message, customers would be more alert and suspicious when they received a text message purporting to be from the bank.
Without SMS messages, customers would more likely log into official bank portals, apps or websites to check bank messages.
OCBC, for its part, reminded customers not to click on links in SMS messages allegedly sent by the bank, adding that the bank will never send one to notify them of account closure or reactivation.
However, it’s hard for customers to remember those instructions, Mr. Reed said.
“I still see security professionals being successfully phished, so it’s difficult and we can’t expect consumers to make the (right) decisions, especially in a situation like the one that happened,” he added.
“I think banks and telecoms are the ones who need to step up and not just post instructions on a website.”
OCBC did not respond to a request for comment for this story. TODAY also asked the Infocomm and Media Development Authority (IMDA) and the Monetary Authority of Singapore (MAS) what steps they are taking to prevent such attacks from happening again.
HOW ARE SMS ONE-TIME PASSWORDS USED?
One weakness pointed out by experts who spoke to TODAY was that banks use text messages to provide customers with OTPs, which are codes that customers use to verify their identity.
However, hackers have used several methods to obtain such OTPs in past attacks:
- A hacker can call the telecommunications company of a victim’s cell phone plan and, using personal information obtained about the victim, convince the telco to issue a new SIM card for the phone number
- Some malware disguised as apps has also been known to steal OTPs from a user’s phone
- Hackers were able to intercept text messages containing OTPs by targeting flaws in the international telecommunications network
Experts have suggested that banks revert to using physical tokens that generate OTPs, as they did in the past, or rely on other forms of software authentication such as Google Authenticator or the government’s SingPass authentication system.
Mr. Lim Yihao, head of intelligence for Asia-Pacific at cybersecurity firm Mandiant, said removing SMS OTPs would reduce SMS scams, but warned that it would not end online attacks aimed at stealing money from bank customers.
“Most likely (the hackers) will change their tactics to target the new authentication mechanism instead.”
WHAT IS BEING DONE TO STEM SPOOFED TEXTS
On Monday, OCBC Bank explained how fraudsters could send spoofed messages to its customers through SMS aggregators, the intermediaries that manage SMS for businesses.
When customers click on the phishing link in the SMS message and enter their login details – including their OTP – on the fake website, fraudsters then use this information to log into victims’ bank accounts.
From there, fraudsters can apply to activate a digital token that allows them to receive OTPs from the bank on their device, enabling them to transact.
This scam tactic is not entirely new. In 2020, police said at least S$600,000 was lost between January and May that year due to spoofed SMS messages from “banks” claiming the customers’ accounts had been suspended or deactivated.
Last August, IMDA and MAS launched the Singapore SMS SenderID Protection Registry.
The registry allows organizations to register their sender IDs, the names that appear on SMS messages instead of mobile phone numbers. When fraudsters attempt to send messages using a registered sender ID, the message is blocked.
In response to a reader’s letter to the Straits Times on Monday, IMDA said “some banks” signed up when the register was launched. E-commerce platform Lazada and Singapore Post are also on the register.
“We urge more businesses and organizations that use SMS sender IDs to do so,” IMDA wrote.
United Overseas Bank Group Chief Information Security Officer Tobias Gondrom told TODAY that it was one of the first banks in Singapore to join the registry pilot.
“Given the ability for scammers to spoof the names of SMS senders in the current telecommunications infrastructure, we see this pilot project as a positive step in preventing scammers from exploiting consumers,” he added.
More than 1,500 people have signed an online petition for IMDA to require all organizations in Singapore to register with the authorities before they are allowed to send text messages with sender IDs.
The SMS SenderID Protection Registry is managed by the global trade body Mobile Ecosystem Forum (MEF), which developed and maintains a similar registry in the UK, where it is based.
In addition to Singapore and the UK, similar registries are operated by the MEF in Ireland and Spain.
In response to TODAY’s questions, MEF Registry Project Director Mike Round explained how the registry works:
- Participating merchants register the sender IDs they use in SMS, such as “OCBC”
- SMS aggregators provide information to MEF and participating merchants each time they receive a request to send an SMS using a sender name registered with a merchant
- The merchant can then choose to allow or block the sending of this message
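The three-step flow above, modelled as a registry decision. This is an added illustration, not the article’s material or the MEF registry’s own software; the merchant registration, aggregator names and message requests are constructed, and the “unchecked” outcome models the bypass Mr Reed describes later, where traffic never passes a participating aggregator.

```python
# Constructed model of the sender-ID registry decision described in the article.
# Not the MEF registry's code; merchant, aggregator and request data are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    merchant: str
    sender_ids: frozenset            # alphanumeric sender names the merchant uses
    approved_aggregators: frozenset  # aggregators the merchant actually sends through


@dataclass(frozen=True)
class SmsRequest:
    sender_id: str
    aggregator: str     # aggregator that received the send request
    participates: bool  # does that aggregator report requests to the registry?


class SenderIdRegistry:
    def __init__(self):
        self._by_sender = {}  # normalised sender ID -> Registration

    def register(self, reg):
        for sid in reg.sender_ids:
            self._by_sender[sid.strip().upper()] = reg

    def decide(self, req):
        """Return (decision, reason); decision is 'allow', 'block' or 'unchecked'."""
        # Only requests routed through a participating aggregator reach the registry;
        # a message injected via a carrier outside the scheme is never inspected.
        if not req.participates:
            return "unchecked", "route bypasses participating aggregators"
        reg = self._by_sender.get(req.sender_id.strip().upper())
        if reg is None:
            return "allow", "sender ID is not registered by any merchant"
        if req.aggregator in reg.approved_aggregators:
            return "allow", f"approved aggregator for {reg.merchant}"
        return "block", f"sender ID {req.sender_id!r} is reserved by {reg.merchant}"


def constructed_demo():
    """Legitimate send, spoof via another aggregator, spoof outside the registry."""
    registry = SenderIdRegistry()
    registry.register(Registration("OCBC", frozenset({"OCBC"}), frozenset({"agg-a"})))
    cases = [
        SmsRequest("OCBC", "agg-a", True),           # the bank's own traffic
        SmsRequest("ocbc", "agg-b", True),           # spoof attempt, case-folded lookup
        SmsRequest("OCBC", "foreign-telco", False),  # carrier outside the scheme
    ]
    return [registry.decide(c)[0] for c in cases]
```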
In the UK, 23 merchants have signed up to be part of the register. They include major banking groups, the Royal Mail postal service, retailers and five government agencies.
Mr Round said the initial monitoring and discovery phase of the registry in Singapore was “working well”, but stressed that the registry is not foolproof in eliminating SMS phishing attacks.
“The success of the project is based on changing the behavior of fraudsters. To that end, our experience in the UK and Ireland proves that the register is extremely effective,” he said.
However, Acronis’ Mr Reed said he “strongly doubts” such a move would succeed.
One way for hackers to bypass registry checks, he said, could be to gain access to a telco, such as one in a developing country that may not have strong security.
This way, hackers will be able to send spoofed messages directly to customers through the compromised phone carrier.
Mandiant’s Lim said asking companies to register their sender IDs might work in the short term, but cybercriminals’ tactics are constantly changing.
Ultimately, he added, all organizations need to be kept abreast of the latest methods employed by these criminals and update their security systems accordingly.