HELLFIRE
MVM
join:2009-11-25

6 recommendations

.SG monetary auth threatens action on bank over widespread phishing scam

»www.theregister.com/2022 ··· _action/
quote:
The Monetary Authority of Singapore says it is considering supervisory action against Southeast Asia's second largest bank, Oversea-Chinese Banking Corporation (OCBC), which was criticised for its incident response to a widespread phishing scheme across the island nation. ... The phishing scheme first appeared at the start of December 2021 and became more aggressive through the holiday period. By the end of the month, the Singapore Police Department reported the scam had affected 469 customers and taken over SG$8.5m (US$6.3m/£4.62m). Victims receive an unsolicited SMS that appears to be from the bank and asks the account holder to click a link to resolve account issues. Once that link is clicked, victims are redirected to a fake bank website where they provide their login details. They won't know they've been scammed until they receive a notification of unauthorized transaction charged to their account. ... One mother of seven ... she claimed, "OCBC's hotline is not equipped to immediately handle scams which are in progress." ... OCBC said it issued multiple alerts and warnings including SMS messages to all customers on 30 December 2021 and 4 January 2022.

So if I read this right: bunch of ppl clicked the link and lost their money, calls to the bank (seemingly) went to the circular file, bank counterclaims they did due diligence by notifying customers of the scam, gov't grabbing the big stick and waving it over the bank...

Take what you will from this. I take it as a free (re)education in practicing safe hex, ESPECIALLY SMSes claiming to be from your [insert here] institution that must be acted on "urgently."

Regards
HELLFIRE

4 recommendations

HELLFIRE

MVM

»www.theregister.com/2022 ··· s_banks/ -- Singapore gives banks two-week deadline to fix SMS security
quote:
A widespread phishing operation targeting Southeast Asia's second-largest bank – Oversea-Chinese Banking Corporation (OCBC) – has prompted the Monetary Authority of Singapore (MAS) to introduce regulations for internet banking that include use of an SMS Sender ID registry. Singapore banks have two weeks to remove clickable links in text messages or e-mails sent to retail customers. Furthermore, activation of a soft token on a mobile device will require a 12-hour cooling off period, customers must be notified of any request to change their contact details, and fund transfer threshold will by default be set to SG$100 ($74) or lower. MAS has also offered a vague directive requiring banks to issue more scam education alerts, and to do so more often. Singapore-based banks will also be required to operate dedicated customer assistance teams to deal with potential fraud cases on a priority basis. ... The statement said specifically that MAS would continue to work with the Singapore Police Force and the Infocomm Media Development Authority (IMDA) to combat SMS spoofing – including adoption of an SMS Sender ID registry, of which a pilot programme was launched last August. The central banking authority also promised to increase "scrutiny of major financial institutions' fraud surveillance mechanisms" to make sure they can deal with the recent influx of new scams. ... At first the bank offered "goodwill" payments to a paltry 6.4 per cent of victims. The day after MAS threatened action, OCBC changed its tune and told local media outlet The Straits Times that it would issue "full goodwill payouts" to all victims.
Regards
HELLFIRE

2 recommendations

HELLFIRE

MVM

»www.theregister.com/2022 ··· easures/ -- Singapore introduces potent anti-scam measures
quote:
Singapore will step up efforts to stamp out phishing and spoofing, ministers told the island nation's parliament on Tuesday. The topic earned ministerial attention after instances of attacks and scams soared recently. The standout example is the attack on Southeast Asia's second-largest bank, the Oversea-Chinese Banking Corporation (OCBC). In the OCBC bank scam, threat actors stole a combined SG$13.7 million ($10.2M) from 790 customers by spoofing text messages in what minister of finance Lawrence Wong referred to as "by far the most serious phishing scam seen" in Singapore. Wong detailed [VIDEO] several ways banks would be expected to improve security, including using more diverse machine learning algorithms to strengthen fraud detection tools to identify suspicious transactions. Banks will also be required to block suspicious transactions in a more consistent fashion, require additional customer confirmations for high-risk transactions or changes to account details, expand biometric technology, and accelerate adoption of – and preference for – mobile banking apps. "These [measures] will introduce some frictions to customers undergoing genuine transactions," Wong predicted, "but we will all need to adapt and get used to these inconveniences." Furthermore, Wong said customers and banks would have a shared responsibility for any losses in the future in order to prevent a "weaken[ed] incentive to be vigilant" on the part of the customer. ... The country is also creating an alphanumeric ID registry to prevent threat actors from sending out SMS messages using a business's identity – as happened in the OCBC scam. To get on the registry of approved businesses, an organization must be a registered business with the government. ... Following the threat of action from the Monetary Authority of Singapore, OCBC offered goodwill paybacks to all the victims of the scam bearing its name, under nondisclosure agreements. Wong said 90 per cent of the victims had already received reimbursement.

Take what you will from this. "You are the firewall" as they used to say at my former place of employment.

Regards