A widespread phishing operation targeting Southeast Asia’s second largest bank – Oversea-Chinese Banking Corporation (OCBC) – has prompted the Monetary Authority of Singapore (MAS) to introduce regulations for online banking services that include the use of an SMS sender ID registry.
Singapore banks have two weeks to remove clickable links in text messages or emails sent to retail customers. Additionally, activating a soft token on a mobile device will require a cooling off period of 12 hours, customers must be notified of any request to change their contact details, and the funds transfer threshold will default to 100. SG$ ($74) or lower.
The MAS also proposed a vague directive requiring banks to issue more educational alerts about scams, and to do so more often.
Singapore-based banks will also be required to set up dedicated customer support teams to prioritize potential fraud cases.
A dedicated service line could address one of the main complaints raised by victims of the OCBC phishing scam: that the bank was not equipped to deal with ongoing fraud cases in real time and funneled customers in an automated loop while their accounts were being emptied.
MAS reported that further regulations would follow.
“The growing threat of online phishing scams requires immediate action to tighten controls, while longer-term preventative measures are being evaluated for implementation in the coming months,” MAS and Association of Banks of Singapore (ABS) in a statement. joint statement Wednesday.
The statement specifically stated that MAS would continue to work with the Singapore Police Force and the Infocomm Media Development Authority (IMDA) to combat SMS spoofing – including the adoption of an SMS Sender ID Registry, including an pilot program was launched last August. The central banking authority also promised to step up “review of fraud monitoring mechanisms of major financial institutions” to ensure they can deal with the recent influx of new scams.
The phishing scheme, which first emerged in early December 2021, affected at least 469 customers and grossed more than S$8.5 million ($6.3 million) at the end of the month alone.
The victims received an unsolicited text message asking the account holder to click on a link to resolve account issues that redirected them to a fake banking website so that the threat actors could recover their logins and passwords. The crooks then transferred the digital token to their own devices and began the process of draining the accounts.
At first, the bank offered “goodwill” payments to a meager 6.4% of victims. The day after MAS threatened action, OCBC changed its tune and told local media The time of the straits that he would make “full goodwill payments” to all victims.
Bank emails to customers revealed the payments came after a thorough investigation and the bank promised to contact the victims by January 27. reports have surfaced that the goodwill payment is accompanied by a non-disclosure agreement for the victims.
Overall, MAS warns that the stricter measures it is implementing “will lengthen the time it takes for some online banking transactions but provide an additional layer of security to protect customer funds”.
The changes could also have additional unintended positive effects. As one Singaporean bank account holder put it:
So proving that stuff can sometimes be good – unless you’re a technician in a Singaporean bank and have a very busy fortnight ahead of you. ®