
After wake-up call from OCBC phishing scam, here’s what users and banks can do

Alfred Siew
Published January 21, 2022; last updated January 24, 2022 at 5:07 PM
PHOTO: nosheep from Pixabay

One of the most telling things about the OCBC phishing scam that has filled news headlines this past couple of weeks is the time it took the bank to finally face up to the issue.

After first having its security head say that its banking systems were secure and that its fraud management software had been running, it seemed to have gone quiet.

Was it thinking the incident would blow over? After all, this was yet another scam, right?

Well, now we know it’s not. After a couple of weeks of pressure from the public, angered at the apparent lack of protection from scams that could easily lure even savvy users, OCBC finally said it would fully reimburse the amounts lost by the victims.

This is good news for those who were scammed, though unsurprisingly, there are experts who now wonder if this has set a precedent, which would make cyber criminals more keen to target Singapore banks.

While that’s debatable, what’s clear is the urgent need to rethink how to manage the evolving risks that come with sophisticated scams like the OCBC one.

Not only has this episode shaken confidence in digital banking – I know people who had wanted to take money out of OCBC – it has also thrown a spanner in the works for Singapore’s smart nation ambitions.

How digital can you get when you can’t even safeguard your life’s savings?

Perhaps cognizant of this, the monetary authorities finally reacted this week, by calling for tighter controls for digital banking services. However, there needs to be a broad-based change to the way people use and share data in general as well.

Here are four suggestions:

1. Take private personal data seriously

Yes, users share a responsibility with their bank when it comes to keeping out scammers. Besides ignoring dubious links sent over SMS, they have to be more aware of the importance of personal data.

A coordinated attack like the OCBC one does not happen overnight. Before the scam, the attackers may have tried to get hold of the personal details of potential victims from lists sold on the Dark Web.

“It is possible for criminals to target customers of a specific bank more narrowly and precisely, perhaps if they acquire lists of customer contact information from a previous compromise,” said Paul Prudhomme, head of threat intelligence advisory at IntSights, a Rapid7 company, which tracks the Dark Web.

“Such lists can be purchased in underground criminal marketplaces,” he warned, adding that “e-mail addresses and phone numbers may be sufficient contact information for the targeting of such a campaign.” 

So, consumers need to be careful not to share their personal data on, say, social media apps, or on just any online form that asks for it. Reducing one’s risks is key.

People have to be concerned if their data is stolen, say, during the huge SingHealth data breach back in 2018, because it may be used for future scams. Their data is not “worthless” even though they are not famous people.

2. Reduce some convenient features

In the digital world, convenience and security are often on opposite sides of a scale – you need to balance the two.

This is why the Monetary Authority of Singapore (MAS) has added new restrictions on, for example, changing the digital token or app set up on phones to authenticate many banking transactions.

It is possible that hackers in the OCBC case may have tricked users into supplying an SMS one-time password to reset the digital token and then set a new one up on their own phones. Once done, they can carry out transactions pretty much like they own a victim’s account.

So, it is a good thing that MAS is mandating that a change of these tokens should be delayed by at least 12 hours. This means you have more time to stop scam transactions if you spot them.

This has implications, of course. If you buy a new phone, you’d need to wait 12 hours before your new token can be set up to make payments or transfer money out.

Would this be a rule for other software tokens too? Yes, I’m thinking of Singpass, which also uses a software token to authenticate and approve many important transactions with the government and the private sector, including banks.

Banks have gone fully into digital onboarding these days, so it’s not surprising there’s no mandate to move this token onboarding process back over the counter. But that should be an option if further tightening is needed.

3. Phase out SMS one-time passwords

After years of forcing customers to stop using their physical tokens, banks here have stopped phasing them out because of the OCBC phishing scam.

That’s a stop-gap measure, possibly, because it’s not only expensive to maintain these tokens in the long term, but they are also not as convenient to carry around (unlike a phone).

What users should transition to are app-based tokens, now that these software tokens are protected by a 12-hour delay.

It’s also time to scrap the use of one-time passwords over SMS, which security experts have long said are not secure and prone to theft. Just a few months ago, SMS OTPs had been diverted in a separate scam that affected credit card users here.

So, it’s time to at least stop using SMS OTPs for high-risk transactions, like the changing of transfer limits or adding of a new account for transferring money out.

4. Audit banks’ fraud management systems

This is the part that MAS has said it would scrutinise more intensely but so far, it has not set any standards for them to follow – at least not publicly.

Sure, the threat is always evolving and what works one day may not work the next. That said, the banks cannot just put in “best effort” when it comes to fraud detection.

As the final layer of defence, fraud management is important to keep out fraudsters that manage to get through despite greater user awareness, the rooting out of fake SMSes, and hardening of token and login security.

This is where banks have to do better. OCBC needs to explain, for example, how its fraud detection system failed to stop transfers that were huge in amount and also unusual when compared with the account’s historical records.

Banks should no longer say that their cyber perimeters are not breached, thus all the liability is on a victim. This goes against what cybersecurity is about today – you defend not just the borders of your castle but also what gets inside.

MAS has to find a way to scrutinise banks’ fraud management systems with an independent, common industry standard that is robust yet fair. Ultimately, banks have to share the risk more evenly with customers.

MAS may not wish to make everything it finds public, because you don’t want to give hackers a head start on what defences or vulnerabilities you have.

However, there should be at least broad guarantees on what types of suspicious transactions customers can reasonably expect to be blocked. And when things don’t work as expected, customers should get an answer why.

Nothing is 100 per cent, to be sure. Even with security guards, banks do get robbed, though that’s a rarity in low-crime Singapore.

By the same analogy, banks need to extend their security and awareness beyond just gun-toting criminals.

Scammers coming in and drawing out large amounts of cash in a hurry should raise suspicions at a bank that promises to take care of the money entrusted to it. It’s reasonable to expect banks to stop these scams.
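To make the controls in sections 2 and 4 concrete, here is an added example (not OCBC’s, MAS’s or any bank’s actual logic) of a small transfer-screening rule set: it holds transfers during the 12-hour cooling-off period after a digital token is re-registered, flags amounts far outside the account’s historical pattern, and flags large transfers to a freshly added payee. The thresholds, the account data and the transactions are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical rule parameters (illustrative, not any bank's real settings).
TOKEN_COOLING_OFF = timedelta(hours=12)   # MAS-mandated delay after a token change
NEW_PAYEE_WINDOW = timedelta(hours=24)    # a payee counts as "new" for this long
NEW_PAYEE_LARGE_AMOUNT = 1000.0           # large transfer to a new payee (SGD)

@dataclass
class Account:
    history: list[float]                  # past outgoing transfer amounts
    token_registered_at: datetime         # when the current app token was set up
    payees_added_at: dict[str, datetime] = field(default_factory=dict)

@dataclass
class Transfer:
    amount: float
    payee: str
    at: datetime

def review_transfer(acct: Account, tx: Transfer) -> list[str]:
    """Return the names of the rules a transfer trips; an empty list means allow."""
    reasons: list[str] = []
    # Rule 1: hold everything while the token cooling-off period is running.
    if tx.at - acct.token_registered_at < TOKEN_COOLING_OFF:
        reasons.append("token_cooling_off")
    # Rule 2: amount far above the account's historical pattern (mean + 3 sigma,
    # with sigma floored at 10% of the mean so a very steady history still works).
    if len(acct.history) >= 5:
        mu, sigma = mean(acct.history), pstdev(acct.history)
        if tx.amount > mu + 3 * max(sigma, 0.1 * mu):
            reasons.append("amount_unusual_vs_history")
    # Rule 3: large transfer to a payee that was only just added.
    added = acct.payees_added_at.get(tx.payee)
    if (added is not None and tx.at - added < NEW_PAYEE_WINDOW
            and tx.amount >= NEW_PAYEE_LARGE_AMOUNT):
        reasons.append("new_payee_large_amount")
    return reasons

def scenario() -> dict[str, list[str]]:
    """Constructed sample: a scammer re-registers the token, adds a payee and drains the account."""
    now = datetime(2022, 1, 10, 9, 0)
    acct = Account(
        history=[120.0, 80.0, 200.0, 150.0, 90.0],          # constructed, SGD
        token_registered_at=now - timedelta(hours=2),       # token changed 2h ago
        payees_added_at={"mule-account": now - timedelta(minutes=30)},
    )
    drain = Transfer(60000.0, "mule-account", now)
    groceries = Transfer(95.0, "supermarket", now + timedelta(hours=13))
    return {"drain": review_transfer(acct, drain), "groceries": review_transfer(acct, groceries)}
```

The "drain" transfer trips all three rules, while the small transfer 13 hours later, after the cooling-off period has passed, is allowed.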

Alfred is a writer, speaker and media instructor who has covered the telecom, media and technology scene for more than 20 years. Previously the technology correspondent for The Straits Times, he now edits the Techgoondu.com blog and runs his own technology and media consultancy.