OCBC phishing scam: Banks should stop using SMS to communicate with customers, experts say

18/1/2022 5:49:00 PM

SINGAPORE — In the wake of a recent phishing scam involving hundreds of OCBC bank customers, some cybersecurity experts are suggesting that banks here do away with communicating important information such as verification codes via SMS.

This is because SMS, which stands for Short Message Service and is sent via mobile phones, has been known to be insecure for a very long time and has led to several forms of scams in the past, they told TODAY on Tuesday (Jan 18).

Many of the nearly 470 affected OCBC customers, who lost at least S$8.5 million in all to the phishing scams, were fooled by fake SMS messages that appeared in the same thread as legitimate text messages from OCBC for one-time passwords (OTPs) and transaction alerts.

The swindlers impersonated the bank by setting their sender name to “OCBC”, claiming that there were issues with the customer’s bank accounts or credit cards and instructing them to click on a link in the SMS message that led the customer to a fake banking website.

Mr Kevin Reed, chief information security officer at cybersecurity firm Acronis, told TODAY that a much better approach would be for banks not to use SMS at all for such notifications.

If banks stopped communicating important information via SMS, customers would be more alert and wary when they receive a text message purportedly from the bank. Without SMS messages, customers would be more likely to log in to the bank’s official portals, applications or websites to view messages from the bank.

OCBC, on its part, has been reminding customers not to click on links in SMS messages purportedly sent by the bank, adding that the bank will never send one to inform them about account closures or reactivation. However, it is hard for customers to remember these instructions, Mr Reed said.

“I still see people who are security professionals being successfully phished, so it's hard and we cannot expect the consumers to make (the right) decisions, especially in a situation like the one that happened,” he added. “I think the banks and the telcos are the ones that need to step up and not just publish instructions on a website.”

OCBC did not respond to a request to comment for this story.
TODAY has also asked the Infocomm and Media Development Authority (IMDA) and the Monetary Authority of Singapore (MAS) what steps they are taking to prevent such attacks from happening again.

HOW SMS ONE-TIME PASSWORDS ARE EXPLOITED

One weakness pointed out by experts who spoke to TODAY was that banks are using SMS to provide customers with OTPs, which are codes that customers use to verify their identity. However, hackers have used several methods of obtaining such OTPs in past attacks:

- A hacker can call up the telecommunications company of a victim’s mobile phone plan and, using personal information he has obtained about the victim, convince the telco to send him a new SIM card for the phone number
- Some malware disguised as applications has also been known to steal OTPs from a user’s phone
- Hackers have been able to intercept text messages containing OTPs by targeting flaws in the international telecommunications network

The experts suggested that banks revert to using physical tokens that generate OTPs, as they had in the past, or rely on other forms of software authentication such as Google Authenticator or the Government’s SingPass authentication system.

Mr Lim Yihao, head of intelligence for Asia Pacific at cybersecurity firm Mandiant, said that doing away with SMS OTPs will reduce SMS scams, but warned that it will not put a stop to attacks on bank customers’ money. “Most likely, (hackers) will shift their tactics to target the new authentication mechanism instead.”

WHAT'S BEING DONE TO STEM SPOOF TEXTS

On Monday, OCBC bank outlined how fraudsters were able to send spoofed messages to its customers via SMS aggregators, which are intermediaries that handle SMS for businesses. When customers click on the phishing link in the SMS message and key in their log-in details — including their OTP — on the fake website, the fraudsters then use those details to log in to the victims’ bank accounts.
From there, the fraudsters are able to request the activation of a digital token that lets them receive OTPs from the bank on their own device, allowing them to make transactions.

This scam tactic is not entirely new. In 2020, the police said that at least S$600,000 was lost between January and May that year to spoofed SMS messages from “banks” claiming that the customer’s accounts had been suspended or deactivated.

Last August, IMDA and MAS launched the Singapore SMS SenderID protection registry. The registry allows organisations to register their sender IDs, which are the names that appear on SMS messages instead of mobile numbers. When fraudsters try to send messages using a sender ID that is registered, the message will be blocked.

In reply to a reader’s letter to The Straits Times on Monday, IMDA said that “some banks” signed up when the registry was started. E-commerce platform Lazada and Singapore Post are also on the registry. “We urge more businesses and organisations that use SMS sender IDs to do so,” IMDA wrote.

Mr Tobias Gondrom, United Overseas Bank’s group chief information security officer, told TODAY that it was among the first Singapore banks to join the pilot for the registry. "Given the possibility of scammers to spoof SMS sender names in the current telecommunications infrastructure, we see this pilot as a positive step towards preventing scammers exploiting consumers," he added.

More than 1,500 people have signed an online petition to get IMDA to require all organisations in Singapore to register with the authorities before being allowed to send SMS messages with sender IDs.

The SMS SenderID protection registry is run by global trade body Mobile Ecosystem Forum (MEF), which developed and ran a registry in the United Kingdom, where it is based. Besides Singapore and the UK, similar registries are being run by MEF in Ireland and Spain.
In response to TODAY’s queries, MEF’s registry project director Mike Round explained how the registry works:

- Participating merchants register the sender IDs they use in SMS, such as “OCBC”
- SMS aggregators provide information to MEF and the participating merchants whenever they get a request to send an SMS using a sender name that is registered to a merchant
- The merchant can then choose whether to allow or block that message from being sent

In the UK, 23 merchants have signed up to be part of the registry. They include the major banking groups, postal service Royal Mail, retailers as well as five government agencies.

Mr Round said that the initial monitoring and discovery phase for the registry in Singapore is “working well”, but stressed that the registry is not foolproof in rooting out SMS phishing attacks. “The success of the project relies on changing the behaviour of fraudsters. To this end, our experience in the UK and Ireland proves the registry to be extremely effective,” he said.

However, Mr Reed from Acronis said he “highly doubts” that such a measure will be successful. One way hackers can bypass the registry's checks, he said, could be by getting access to a telco, such as one in a developing country that may not have strong security. That way, the hackers will be able to send spoofed messages directly to customers via the compromised telco.

Mr Lim from Mandiant said that requiring businesses to register their sender IDs could work in the short term, but cyber criminals’ tactics change constantly. Ultimately, he added, all organisations must be kept up to date on the latest methods employed by these criminals and update their security systems accordingly.
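The aggregator-side check that Mr Round describes, modelled as an added example (this is not MEF's, IMDA's or any aggregator's code): a constructed registry maps each sender ID to its merchant and the aggregators that merchant has authorised, and each outbound request is allowed, blocked or, for an unregistered ID, passed through untouched. The per-merchant aggregator allowlist, the aggregator names, the similarity threshold and the extra "suspect" tier that holds lookalike IDs for merchant review are assumptions that go beyond what the page states.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher

@dataclass
class RegistryEntry:
    merchant: str
    # Aggregators the merchant has authorised for this ID (assumed model).
    authorised_aggregators: set = field(default_factory=set)

# Constructed sample registry using organisations the article names.
REGISTRY = {
    "OCBC": RegistryEntry("OCBC Bank", {"agg-alpha"}),
    "LAZADA": RegistryEntry("Lazada", {"agg-beta", "agg-gamma"}),
    "SINGPOST": RegistryEntry("Singapore Post", {"agg-alpha"}),
}
LOOKALIKE_THRESHOLD = 0.75  # assumed value; tune per deployment

def normalise(sender_id):
    """Fold case and drop whitespace so 'ocbc ' hits the same entry as 'OCBC'."""
    return "".join(sender_id.split()).upper()

def closest_registered(key, registry):
    """Return the registered ID most similar to key and the similarity ratio."""
    best, score = "", 0.0
    for registered in registry:
        ratio = SequenceMatcher(None, key, registered).ratio()
        if ratio > score:
            best, score = registered, ratio
    return best, score

def check_send_request(sender_id, aggregator, registry=REGISTRY):
    """Decide what an aggregator does with one outbound SMS request.

    Returns (decision, reason); decision is 'allow', 'block', 'suspect'
    or 'unregistered'.
    """
    key = normalise(sender_id)
    entry = registry.get(key)
    if entry is not None:
        if aggregator in entry.authorised_aggregators:
            return "allow", f"{aggregator} is authorised by {entry.merchant}"
        return "block", f"{aggregator} is not authorised to send as {key} ({entry.merchant})"
    near, score = closest_registered(key, registry)
    if score >= LOOKALIKE_THRESHOLD:
        # Not registered, but close enough to a protected ID to hold for merchant review.
        return "suspect", f"{sender_id!r} resembles registered ID {near}"
    # Only registered IDs are protected; unregistered ones pass through untouched,
    # which is the gap the petition wants closed by making registration mandatory.
    return "unregistered", f"{sender_id!r} is not in the registry"
```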