S'pore banks to stop using OTPs for customers using digital tokens within 3 months

A vulnerability.

Belmont Lay | July 29, 2024, 07:14 PM


Banks in Singapore are doing away with one-time passwords (OTPs) for customers who use digital tokens to log in to their bank accounts.

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) announced in a joint release on Jul. 9 that this move is to counter phishing.

Banks involved

Major retail banks in Singapore, including DBS Bank, OCBC Bank and UOB, will phase out the use of OTPs for account login within the next three months.

Since 2023, Citibank has replaced SMS OTPs with authentication via digital tokens for its customers who have signed up for the digital token option.

Customers using physical tokens will not be affected though.

Why OTPs are vulnerable

OTPs can be easily hijacked by a scammer and used to authorise fraudulent transactions.

This can be done by intercepting OTPs via spyware in a phone, or via social engineering tactics, such as asking the victim for it.

This makes OTPs a source of vulnerability during phishing attacks.

With digital tokens, on the other hand, scammers would need to be in possession of the user's physical phone for the two-factor authentication to go through.
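The contrast described above, as an added illustration that is not part of the article and does not reproduce any bank's actual system: a small Python model in which the OTP step checks a six-digit code that a customer can read out to anyone, while the digital-token step checks a response that the phone computes over a bank-issued, session-bound challenge using a key that never leaves the device. The bank and phone classes, the user name and all keys are constructed for the model; the OTP code itself follows RFC 6238.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
import time

# --- OTP model: a 6-digit code derived from a seed shared by bank and customer ---

def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpBank:
    """Login step that accepts whichever 6-digit code matches the customer's seed."""
    def __init__(self) -> None:
        self.seeds: dict[str, bytes] = {}

    def enrol(self, user: str) -> bytes:
        self.seeds[user] = secrets.token_bytes(20)
        return self.seeds[user]

    def verify(self, user: str, code: str, now: int) -> bool:
        # The bank cannot tell who typed the code; it only checks the value.
        return hmac.compare_digest(totp(self.seeds[user], now), code)


# --- Digital token model: response computed on the phone over a bank-issued challenge ---

class DigitalTokenBank:
    def __init__(self) -> None:
        self.device_keys: dict[str, bytes] = {}
        self.pending: dict[str, tuple[str, bytes]] = {}  # session -> (user, challenge)

    def enrol(self, user: str) -> bytes:
        # Constructed: the key is provisioned once into the customer's phone app.
        self.device_keys[user] = secrets.token_bytes(32)
        return self.device_keys[user]

    def start_login(self, user: str) -> tuple[str, bytes]:
        session = secrets.token_hex(8)
        challenge = secrets.token_bytes(16)
        self.pending[session] = (user, challenge)
        return session, challenge

    def verify(self, session: str, response: bytes) -> bool:
        user, challenge = self.pending.pop(session)  # each challenge is single-use
        expected = hmac.new(self.device_keys[user], session.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class PhoneApp:
    """Holds the device key; the customer approves, but never sees or types a code."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def approve(self, session: str, challenge: bytes) -> bytes:
        return hmac.new(self._key, session.encode() + challenge, hashlib.sha256).digest()


def phished_otp_login() -> bool:
    """Victim reads the OTP to a scammer; the bank accepts it from the scammer."""
    bank = OtpBank()
    seed = bank.enrol("alice")
    now = int(time.time())
    code_told_to_scammer = totp(seed, now)      # the disclosed OTP
    return bank.verify("alice", code_told_to_scammer, now)


def phished_digital_token_login() -> bool:
    """Scammer has Alice's credentials but not the key held by her phone."""
    bank = DigitalTokenBank()
    bank.enrol("alice")                          # key goes to Alice's phone only
    session, challenge = bank.start_login("alice")
    forged = PhoneApp(secrets.token_bytes(32)).approve(session, challenge)
    return bank.verify(session, forged)


def replayed_digital_token_login() -> bool:
    """A response captured from Alice's own session is bound to that session."""
    bank = DigitalTokenBank()
    phone = PhoneApp(bank.enrol("alice"))
    alice_session, alice_challenge = bank.start_login("alice")
    captured = phone.approve(alice_session, alice_challenge)
    scammer_session, _ = bank.start_login("alice")
    return bank.verify(scammer_session, captured)


def legitimate_digital_token_login() -> bool:
    """Alice's own phone answering the challenge for her own session."""
    bank = DigitalTokenBank()
    phone = PhoneApp(bank.enrol("alice"))
    session, challenge = bank.start_login("alice")
    return bank.verify(session, phone.approve(session, challenge))
```

The model isolates the single property the article relies on: an OTP is a value the customer can disclose, whereas the digital-token response is derived from a key on the device and from the bank's own session and challenge, so there is nothing for a customer to read out and a value taken from one session is useless in another. It does not model the customer's own decision to approve a prompt.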

Authorities here are urging users of physical tokens to switch to digital tokens.

“Customers who have not activated their digital tokens are strongly encouraged to do so, to lower the risk of having their credentials phished,” MAS and ABS said in the joint statement.

Moreover, banking apps are equipped with anti-malware capabilities that can block any access to the app when malware is detected on the device.

History of OTP

The use of OTP was introduced in the 2000s as a multi-factor authentication option to boost online security.

However, technological developments and more sophisticated social engineering tactics have made it easier for scammers to phish for customers’ OTPs, MAS and ABS noted.

Scammers have relied on fake bank websites that closely resemble the real ones to phish for credentials.

“This latest measure will strengthen the authentication process, making it harder for scammers to fraudulently access a customer’s account and funds without the customer’s explicit authorisation using his mobile device,” the statement said.

Top photo via Unsplash