Banks urged to scrap use of SMS in the wake of rising scam cases
Rising SMS-related banking scams continue to expose a damaging weakness in Singapore's cybersecurity infrastructure.
Rising SMS-related banking scams continue to expose a damaging weakness in Singapore's cybersecurity infrastructure, one that is hard to pin down to any single point, given the hyper-connectedness of our networks today.
Banks, telcos, payment providers and government agencies all have some part to play in beefing up their own systems, experts said, calling for stronger cooperation within the industry as well.
"No single entity can address this alone. Cybersecurity is a team sport and it is constantly evolving," Koo Juan Huat, Cisco director of cybersecurity for Asean, told The Business Times.
That said, banks, dealing directly with customers' money, are expected to shoulder more liability beyond just public warnings.
Online banking fraud has taken many forms as cybercriminals become increasingly sophisticated. SMS-related attacks, in particular, have grown more prevalent even with customer education efforts.
Last December, at least S$8.5 million was lost to SMS phishing scams impersonating OCBC.
It is also possible to fall victim to unauthorised transactions without receiving or revealing OTPs to others. Between September and December 2020, attackers gained access to the systems of overseas telcos to divert SMS OTPs and authenticate fraudulent card transactions amounting to S$500,000, affecting 75 bank customers in Singapore.
To be sure, banks' internal systems are generally uncompromised in such situations. "Of course, we shouldn't dismiss an option of banks' security systems being compromised, but I assume we would hear about much more money stolen if that were the case," said Acronis co-founder Stas Protassov.
But being the parties impersonated by attackers, banks' defence measures need to protect more than just their own systems, said Yeo Siang Tiong, Kaspersky general manager for South-east Asia.
BT understands that one of the local banks has plans to stop including hyperlinks in all its SMS communications, even for marketing purposes.
Some experts suggest the lenders scrap SMS completely: both as a customer-facing communication tool and as a secure channel for OTPs.
"While adding SMS to a password and username combination did increase security in the beginning, its increased use also saw attackers focus on attacks against the SMS two-factor authentication (2FA) channel, which has decreased its security benefit," said Synopsys software security consultant Jamie Boote.
More can be said about security protocols for online credit and debit card transactions, which are also largely SMS-based. "It certainly discourages attackers from going after cards, making it much easier for them to target the accounts directly," said Protassov.
This is not to downplay the responsibility of telcos. They are, undoubtedly, a large attack vector for SMS-based attacks.
But Protassov flagged that fundamental security issues in SS7 - a set of protocols used by telcos for data management - are long known. "There are minor improvements here and there, but large-scale improvements require changes in all telcos worldwide and we've not seen any progress on that front. It's almost impossible to implement proper security at the telco level, so can it really be demanded?"
For now, a better bet would be to rely on banks' hardware or digital tokens - both said to be equally secure - for OTP generation.
"Digital tokens were designed with security as a primary requirement in a way that the utility-driven SMS was not," said Boote.
Thanks to the convenience of digital tokens, customers are unlikely to revert to hardware tokens. But banks will need to reassure customers their accounts are secured in the light of recent scams, said Dean Coclin, senior director of business development at DigiCert.
Importantly, banks can consider adopting an authentication solution that does not require users to input an OTP, Cisco's Koo noted.
"Push notification-based, one-tap authentication processes are considered more resilient against man-in-the-middle attacks that allow attackers to steal passwords and second factors of authentication like OTPs," he said.
The Monetary Authority of Singapore (MAS) is currently working with banks and payments institutions to explore additional measures to mitigate the risks of scams without impairing the speed and convenience of digital payments.
These include a cooling-off period, lowering default transaction limits and notification thresholds, and enhancing fraud surveillance systems.
Though banks currently have multiple levels of fraud detection in place, these systems have to constantly evolve to keep pace with fresh threats.
"Cybersecurity systems are dependent on the teams that regularly update and maintain them. Threat actors are humans, too, constantly finding creative ways to work around security defences," said Kaspersky's Yeo.
He warned that taking comfort in the mere existence of a cybersecurity infrastructure, without ensuring it is kept updated, not only leaves the system outdated but also creates a false sense of security: the system appears to be up and running when there may already be gaps and lapses that let suspicious transactions through.
An OCBC customer BT spoke to said more than 100 unauthorised fund transfers were made from his savings account within an hour on Dec 23, wiping out over S$8,000.
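The measures MAS is said to be exploring (a cooling-off period, lower default transaction limits and notification thresholds, and fraud surveillance) can be made concrete with a small transaction-screening routine. The following Python is an added illustration, not code from the article, from MAS or from any bank; every threshold, account name, payee and timestamp in it is constructed. It screens each outgoing transfer against a cooling-off period for newly added payees, a default per-transaction limit, a sliding-window velocity check (many transfers in a short time, as in the burst the customer above described), and a notification threshold.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Policy:
    """Constructed thresholds; a bank would tune these per product and customer risk tier."""
    per_txn_limit: float = 1000.0                   # default per-transaction limit
    notify_threshold: float = 100.0                 # notify the customer at or above this amount
    cooling_off: timedelta = timedelta(hours=12)    # newly added payees cannot be paid before this
    velocity_window: timedelta = timedelta(hours=1) # sliding window for velocity surveillance
    velocity_max_count: int = 10                    # max transfer attempts per window
    velocity_max_amount: float = 2000.0             # max total amount per window


@dataclass
class Transfer:
    ts: datetime
    account: str
    payee: str
    amount: float


@dataclass
class Decision:
    action: str                 # "allow", "hold" (needs customer confirmation) or "block"
    notify: bool                # whether the customer is notified about this transfer
    reasons: list[str] = field(default_factory=list)


_SEVERITY = {"allow": 0, "hold": 1, "block": 2}


class Screener:
    """Keeps per-account transfer history and applies the policy to each new transfer."""

    def __init__(self, policy: Policy, payee_added: dict[tuple[str, str], datetime]):
        self.policy = policy
        self.payee_added = payee_added          # (account, payee) -> when the payee was added
        self.history: dict[str, list[Transfer]] = {}

    def screen(self, t: Transfer) -> Decision:
        p = self.policy
        action, reasons = "allow", []

        def escalate(new_action: str, reason: str) -> None:
            nonlocal action
            reasons.append(reason)
            if _SEVERITY[new_action] > _SEVERITY[action]:
                action = new_action

        # 1. Cooling-off period: hold transfers to a payee that was added too recently.
        added = self.payee_added.get((t.account, t.payee))
        if added is not None and t.ts - added < p.cooling_off:
            escalate("hold", "payee added within cooling-off period")

        # 2. Default transaction limit: hold anything above it for explicit confirmation.
        if t.amount > p.per_txn_limit:
            escalate("hold", f"amount {t.amount:.2f} exceeds default limit {p.per_txn_limit:.2f}")

        # 3. Velocity surveillance over a sliding window. Attempts are counted, not only
        #    successes, so a burst of small transfers is caught even if each is under the limit.
        recent = [h for h in self.history.get(t.account, []) if t.ts - h.ts <= p.velocity_window]
        count = len(recent) + 1
        total = sum(h.amount for h in recent) + t.amount
        if count > p.velocity_max_count:
            escalate("block", f"{count} transfers within {p.velocity_window} exceed {p.velocity_max_count}")
        if total > p.velocity_max_amount:
            escalate("block", f"total {total:.2f} within {p.velocity_window} exceeds {p.velocity_max_amount:.2f}")

        # 4. Notification threshold: notify on large amounts and on anything not plainly allowed.
        notify = t.amount >= p.notify_threshold or action != "allow"

        self.history.setdefault(t.account, []).append(t)
        return Decision(action, notify, reasons)


def screen_single(amount: float, payee_age_hours: float | None, policy: Policy | None = None) -> Decision:
    """Constructed scenario: one transfer to a payee added payee_age_hours ago (None = not tracked)."""
    now = datetime(2022, 1, 1, 9, 0)                                   # constructed timestamp
    payees = {} if payee_age_hours is None else {("ACC-1", "PAYEE-2"): now - timedelta(hours=payee_age_hours)}
    return Screener(policy or Policy(), payees).screen(Transfer(now, "ACC-1", "PAYEE-2", amount))


def run_burst(n: int, amount: float, interval_minutes: int, policy: Policy | None = None) -> list[Decision]:
    """Constructed scenario: n rapid transfers from one account to one long-known payee."""
    start = datetime(2022, 1, 1, 22, 0)                                # constructed timestamp
    known_payee = {("ACC-1", "PAYEE-9"): start - timedelta(days=30)}   # added a month ago
    s = Screener(policy or Policy(), known_payee)
    return [s.screen(Transfer(start + timedelta(minutes=i * interval_minutes), "ACC-1", "PAYEE-9", amount))
            for i in range(n)]


if __name__ == "__main__":
    decisions = run_burst(25, 80.0, 2)
    first_block = next(i for i, d in enumerate(decisions) if d.action == "block")
    print(f"first blocked transfer: #{first_block + 1}; reasons: {decisions[first_block].reasons}")
```

In the constructed burst, 25 transfers of 80 each arrive two minutes apart; every one is under the per-transaction limit and under the notification threshold, so limits alone would never fire, but the velocity rule blocks the eleventh attempt and everything after it within the window. Counting attempts rather than completed transfers is the design choice that matters here: once a block is in force, further attempts extend the evidence rather than resetting it.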
MAS is working with the Inter-Ministry Committee on Scams to strengthen funds recovery.
Still, the extent of that remains uncertain. In a comment seen by BT on Instagram, OCBC said it is "not able to compensate customers for such losses as the login credentials were disclosed on a fraudulent website".
Ultimately, experts concurred that customers still need to play a big part in being vigilant. The rule of thumb is to avoid clicking on hyperlinks that come through SMSes or any text messages, said Jeremy Ho, Asia-Pacific vice president of Attivo Networks.
"Many users bank online with their mobile phones, and with a smaller screen, they have to be mindful not to overlook fake websites and provide sensitive information unknowingly," he added.
Source: Business Times © Singapore Press Holdings Ltd. Permission required for reproduction.