S'pore bank customers' SMS OTPs diverted by fraudsters who made S$500,000 in credit card payments

The fraud was described as one requiring 'highly sophisticated expertise'.

Nigel Chua | September 15, 2021, 05:19 PM


Some 75 bank customers in Singapore were victims of a "highly sophisticated" fraud between Sep. and Dec. 2020.

The fraud was carried out by "malicious actors abroad" who managed to divert SMS one-time passwords (OTPs) that had been sent to customers by their banks.

The fraudsters had separately obtained their victims' card details and were able to make fraudulent online payments with the diverted SMS OTPs.

Approximately S$500,000 of credit card payments were made, with customers reporting that they had not initiated the transactions nor received the SMS OTPs required to perform them.

This was revealed in a joint statement on Sep. 15, 2021, by the Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS), and Singapore Police Force (SPF).

How the SMSes were redirected

After gaining access to overseas telecommunication operators' systems, the fraudsters modified the location data of mobile phones used by their victims in Singapore.

They were thus able to divert the SMS OTPs sent by banks to their customers, redirecting them to overseas mobile network systems.

These compromised overseas telecommunication networks have already been identified and notified, said the agencies in their statement.

They added that this mode of attack requires "highly sophisticated expertise" as it involves being able to compromise the systems of overseas telecommunication networks.

Systems in Singapore unaffected

The agencies said that investigations by the banks found that their systems were secure, uncompromised, and not the cause of these incidents.

Local telecommunication networks are also secure and had not been compromised, the statement said.

However, IMDA has consulted with the Cyber Security Agency of Singapore (CSA), and has required operators to put in place additional safeguards.

These include specialised firewalls and system safeguards to monitor and block suspicious diversions of SMS.

Investigations to identify the perpetrators are ongoing.

Meanwhile, banks will provide a "goodwill waiver" to affected customers who had taken care to protect their credentials, due to the "unique circumstances of these cases", according to the statement.

How can Singaporeans avoid such situations?

The agencies said that card details would still be needed to perform fraudulent card payments.

As such, they urged members of the public to "be alert and vigilant against malware and phishing attempts that seek to obtain their personal details."

Members of the public are also advised to do the following:

  • Keep bank account, credit and debit card details safe at all times. Never disclose to anyone these details and the personal identification number, passwords and codes (e.g. OTPs).
  • Keep devices updated with the latest security patches and anti-virus software.
  • Use only credible online services. This includes downloading applications only from official online application stores and making online purchases via trustworthy platforms.
  • Never click on suspicious links from unknown sources.
  • Set low thresholds for payment transaction alerts so that unauthorised activities are detected early. Alert the banks as soon as possible should there be any discrepancies or unauthorised transactions.

Top image via Bermix Studio @bermixstudio and rupixen.com @rupixen on unsplash
