Bad Actors Diverted, Used SMS One-Time Passwords to Perform Fraudulent Credit Cards Transfers, Affecting Singapore Consumers

The Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS), and Singapore Police Force (SPF) recently revealed that malicious actors overseas had been able to divert and use SMS one-time passwords (OTPs) to carry out fraudulent credit card transfers impacting 75 banking clients based in Singapore.

As mentioned in a release, these transactions, amounting to around SGD 500,000 in total, took place between September and December of last year. Clients had reported that they had “not initiated the transactions nor received the SMS OTPs required to perform these transactions.”

Investigations by the banking service providers revealed that their systems “were secure, uncompromised, and not the cause of these incidents.”

As stated in the update:

“Subsequent joint investigations by SPF and IMDA, with the support of the banks, revealed that malicious actors abroad had gained unauthorized access to the systems of overseas telecommunication operators and used them to modify the location data of the mobile phones used by the victims in Singapore.”

The malicious actors were thus able “to divert to overseas mobile network systems the SMS OTPs sent by the banks to their customers,” the announcement noted while adding that “having separately obtained their victims’ card details, the malicious actors then made fraudulent online card payment transactions and authenticated these transactions using the diverted SMS OTPs.”

The compromised overseas telecommunication networks have “already been identified and notified, while investigations are ongoing to identify the perpetrators and bring them to justice.”

The release also mentioned that SMS diversion is “a mode of attack that requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks.”

As noted in the update:

“While our local telecommunication networks are secure and had not been compromised, IMDA, in consultation with the Cyber Security Agency of Singapore (CSA), has required operators to put in place additional safeguards, including specialized firewalls and system safeguards to monitor and block suspicious diversions of SMS.”

The release further noted that as card details would be required to carry out the fraudulent card payments,” the MAS and other organizations “urge members of the public to be alert and vigilant against malware and phishing attempts that seek to obtain their personal details.”

The public is “advised to heed” the following guidelines and recommendations:

  • Keep bank account, credit and debit card details “safe at all times.” Never “disclose to anyone these details and the personal identification number, passwords and codes (e.g. OTPs).”
  • Keep devices “updated with the latest security patches and anti-virus software.”
  • Use only credible online services. These “includes downloading applications only from official online application stores and making online purchases via trustworthy platforms.”
  • Never click “on suspicious links from unknown sources.”
  • Set low thresholds “for payment transaction alerts so that unauthorized activities are detected early.” Alert the banks “as soon as possible should there be any discrepancies or unauthorised transactions.”

The update also noted that banks have now reviewed these cases “with the assistance of SPF.” Given the “unique” circumstances of these cases, banks will “provide a goodwill waiver to affected customers who had taken care to protect their credentials,” the announcement confirmed.

Sponsored Links by DQ Promote



Send this to a friend