The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) are introducing more measures to bolster the security of digital banking, in view of the recent spate of SMS phishing scams targeting bank customers.
The measures to be implemented by banks in Singapore within the next two weeks include the removal of clickable links in emails or SMSes sent to retail customers, a delay of at least 12 hours before activating a new soft token on a mobile device, and a cooling-off period before implementing requests for key account changes, among others.
In December 2021, some 469 customers of Singapore’s OCBC Bank fell prey to an SMS phishing scam that tricked them into revealing their digital banking credentials on a fake website, with reported losses amounting to at least S$8.5m.
The central bank said the growing threat of online phishing scams calls for immediate steps to strengthen controls, and that the additional measures will lengthen the time taken for certain online banking transactions but will provide an additional layer of security to protect customers’ funds.
Meanwhile, MAS called on digital banking customers to remain vigilant against scams, for example by not divulging internet banking credentials to anyone, among other safeguards, while longer-term preventive measures are being evaluated for implementation in the coming months.
To deal with this scourge of scams, banks will work closely with MAS, the Singapore Police Force and the Infocomm Media Development Authority (IMDA) to combat SMS spoofing, including the adoption of the SMS Sender ID registry by all relevant stakeholders.
The SMS Sender ID registry was initiated by the IMDA in August 2021 in collaboration with MAS to enable organisations to register SMS sender ID headers they wish to protect. When there is unauthorised use of a protected SMS sender ID, the messages will be blocked, IMDA said in a recent Straits Times forum letter.
MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams.
In August 2021, analytics software supplier SAS announced that it had collaborated with OCBC Bank to deploy a fraud surveillance system (FSS) to monitor customer activities and transactions.
The system’s capabilities included assisting in the detection, investigative remediation and analysis of customer fraud exposures using multiple analytic techniques such as predictive modelling, text mining and network link analysis, among others.
In a news release at the time, SAS noted that, as a crucial part of OCBC Bank’s anti-fraud programme, FSS had played a significant role in the recovery of approximately $8m worth of fraudulent transactions in the first year of production use, on Singapore activities alone.
Earlier this week, OCBC Bank’s group CEO, Helen Wong, assured customers and members of the public that its banking systems and digital banking platforms were safe and secure.
“Digital banking remains a convenient way to do banking. We do not want this scam to take that away from us. But scammers are increasing in sophistication. Therefore, I urge everyone to stay alert and do your banking only at the bank’s official websites and on the official mobile apps.
“Together with the Association of Banks in Singapore and the Monetary Authority of Singapore, the industry will review to further strengthen the anti-fraud detection and prevention measures,” she said.
On 19 January 2022, OCBC Bank said customers affected by the SMS phishing scam would receive full goodwill payouts for the amounts they lost. More than 100 victims have received their payouts so far.