A father with a special needs child lost the S$250,000 that he had saved for more than 10 years after he got tricked by an elaborate phishing scam seemingly aimed at OCBC bank users last month.
A woman had her S$68,000 life savings stolen, leaving her penniless and starving at Christmas, after she had supplied login credentials on a fake website linked from a spoof SMS message. At least 469 people in Singapore lost S$8.5 million.
These victims’ stories are heartbreaking, and they are made more painful by the many questions that OCBC has failed to answer.
In saying its own systems were not breached, its message seems to be that customers should take full responsibility by taking more care of their login credentials.
That may sound correct, because it goes with common logic that if you’re not careful and got scammed, then it’s on you, not the bank. However, that may be right only if a bank has indeed done enough to protect you against such scams.
While the job of “doing enough” is not spelt out clearly in law – a review with the authorities is underway – there are clearly good practices that should have been in place.
First, the SMS one-time password (OTP) that many still rely on as a two-factor authentication (2FA) tool.
For the hackers to have stolen the money, they would have to not only steal the login and password from the fake website that they’ve set up to trick a user into typing their credentials in.
They also have to, within a short period of time (usually minutes), key in an SMS OTP that would have been sent to the victim’s mobile phone. This is usually required for what’s deemed a “high-risk” transaction.
The hackers would need a different OTP for each of a few tasks – first, to add their own bank account for a transfer, then to change the transaction limit and finally transfer the money over.
Remember, all this had to be done within minutes. Some victims said all their money was gone in half an hour, while they frantically called the bank but were put on hold. Some said they hadn’t revealed their SMS OTPs.
The big question is, how did the hackers make all these transactions online? Did they somehow divert the SMS OTPs, similar to a separate credit card scam just months earlier in 2021?
At least for that, the victims had their charges waived and they did not have to suffer monetary loss.
This time round, why hasn’t OCBC or the monetary authorities come out to say what’s happened with the SMS OTPs? Were they also stolen or diverted?
News outlets have quoted cybersecurity experts saying that it is possible to divert SMS OTPs. In the United States, too, loopholes in the SMS system have shown how users can be easily exposed to fraud.
So, why are SMS OTPs still in use today by banks for the most important “high-risk” transactions? In its regular technology guidance to financial institutions, is it time for the Monetary Authority of Singapore (MAS) to review the use of this second factor for authentication?
Physical tokens could probably have helped to avoid this type of heist this time round but many banks in Singapore have been progressively phasing the key fobs out (until this incident).
Some have made users switch to an app-based token, but many users, who do not like the hassle of yet another app, have taken to the easier SMS token out of convenience.
Now, if this method of authentication is no longer secure, then banks should be told to stop using it.
Let’s be clear, cybersecurity experts have long warned that SMS OTPs are far from secure. Yes, they have provided an easy way to stop hackers for a while, but clearly, the threat has evolved today.
The second question that OCBC, and indeed the other banks here, have to answer is how robust their anti-fraud efforts are.
OCBC says it has a fraud surveillance system which uses machine learning to aid a human analyst to detect fraud. The bank also can know what devices its services are accessed from.
If so, how did the series of fraudulent transactions involving so many victims happen?
Rightly, some of the victims are asking how so many high-risk transactions can go through in such a short span of time, considering they don’t fit the usual pattern of usage.
Is it usual for people to be transferring out more than S$100,000 in a short span of time, for example? Or with a different device from the usual one?
And with several users reporting such scams, did the bank manage to tweak its algorithms to spot similar transactions? If it did, then how quickly did it respond?
There are multiple anti-fraud tools in a bank’s cybersecurity defence. Some artificial intelligence (AI) tools will look out for unusual patterns, for example, large sums of money being transferred out, while others will “learn” on the job by looking at reports from users of similar phishing scams.
There have to be standards for two things – the type of anti-fraud tools that banks need to put in place and how fast they respond to a series of fraudulent activities.
With cyber threats evolving all the time, the duty of care for a bank should be extended beyond simply protecting its own cyber boundaries.
Its job of securing an account has to be more clearly spelt out by MAS, so that if it fails the standard set, it becomes liable for its customers’ losses.
Just like organisations now proactively seek out breaches because users are often tricked into clicking on phishing links, banks cannot just put up their hands and say it’s all on the user. They have to do more to snuff out threats.
Will these additional measures add cost to banks? Lest we forget, all this digital transformation we hear about so often today has helped banks save on branch and manpower costs and boost profits.
They have cut down on time spent with non-VIP customers, saving themselves from “high touch” interactions by pushing these customers to self-service digital options.
Having reaped the benefits of digitalisation, they need to be told to up their cybersecurity game and share the risks more evenly with the customers they say they serve.