Experts advise stopping using SMS for sending codes, following OCBC scam

Customers of the Oversea-Chinese Banking Corp. (OCBC) in December 2021 discovered that their hard-earned savings were wiped out in an elaborate phishing scam during the holidays.

According to the Straits Times, the initial victims stood at 470, with S$8.5 million lost. During the Christmas weekend alone, 186 people lost S$2.7 million. Bloomberg reported the total victim count at 790 people.

Following this incident, cybersecurity experts are floating the idea of doing away with sending sensitive information such as verification codes through SMS (short message service). SMS has long been known to be an insecure channel for transmitting such data, and has been abused in several forms of scams in the past.

Victims of the OCBC phishing scam were tricked with fake SMS messages that appeared to be legitimate messages from the bank about one-time passwords (OTPs) and transaction alerts. This was made possible by sending the fake messages via SMS aggregators, intermediaries that handle SMS delivery for businesses, so that the messages appeared under the bank's sender name.

These messages claimed that there were issues with customers’ bank accounts or credit cards and instructed them to click on a link in the SMS message, which led them to a fake banking website. The victims were then prompted to enter their log-in details and OTPs, allowing the scammers to access their accounts.

Fraudsters were then able to request activation of a digital token that let them receive OTPs from the bank on their own device, enabling them to make transactions without further input from the victim.

In the past, hackers obtained OTPs in a number of ways. One is calling up a target victim’s telco and, using personal information already acquired about the victim, convincing the telco to issue a new SIM card for the victim's phone number (a SIM swap). Another is using malware on the victim's phone to steal OTPs as they arrive. Yet another is intercepting texts carrying OTPs by exploiting weak spots in the telco’s network.

However, phishing over SMS has made it far easier for scammers to get these OTPs, since the victim hands them over directly.

Recently, OCBC announced a “one-off” goodwill payment of S$13.7 million to the victims.

OCBC has since reminded its customers not to click on links in SMS messages supposedly from the bank, saying that it will never send one to inform them of account closures or reactivation.

Experts also suggested that banks return to using physical tokens to generate OTPs, or use other forms of software authentication such as Google Authenticator or the SingPass authentication system.

Lim Yihao, Head of Intelligence for Asia Pacific at cybersecurity firm Mandiant, agreed that abolishing SMS OTPs would reduce SMS scams, but said that it would not stop attacks on bank customers’ money.

“Most likely, hackers will shift their tactics to target the new authentication mechanism instead,” he said.