Hackers pretend to be S’pore bank customers by stealing OTPs and earning S $ 500,000 from fake credit card payments


SINGAPORE: Hackers abroad could pretend to be 75 bank customers and earn around S $ 500,000 (RM 1.54 million) with forged credit card payments.

It did this through a sophisticated method of hijacking one-time passwords (OTPs) sent by banks via SMS text messages.

The hackers had redirected the SMS-OTPs from the banks to foreign mobile networks, the Infocomm Media Development Authority (IMDA), the Monetary Authority of Singapore (MAS) and the Singapore Police Force said in a joint statement on Wednesday (September 15).

They said the SMS redirection method “requires highly sophisticated skills to compromise the systems of foreign telecommunications networks”.

The fraudulent transactions took place between September and December last year.

The bank customers said they did not initiate the transactions and did not receive the SMS OTPs required to complete the transactions.

The authorities gave assurances that Singapore’s banking and telecommunications systems were not compromised.

Affected customers who have taken measures to protect their access data do not have to pay for any of the falsified transactions out of goodwill of the banks, “in view of the special circumstances of these cases,” said the authorities. The identity of the banks involved was not disclosed.

So far, UOB has stated that it has “proactively reviewed” the cases of its affected customers and will work with each on a case-by-case basis to offer the waiver.

It goes without saying that customers of DBS and OCBC as well as some foreign banks were also affected. The banks had informed affected customers.

The method used by the cyber criminals in this incident was to obtain the victims’ credit card details and cell phone numbers.

They also hacked into the systems of foreign telecommunications companies and used them to change the location information on the mobile phones of the victims in Singapore.

In this way, the hackers tricked the Singapore telecommunications networks into thinking that the Singapore numbers were roaming on the networks of other countries abroad.

The hackers then used the victims’ stolen credit card details to make fraudulent online card payments.

When the banks sent SMS-OTPs to the victims to verify the transactions, the crooks were able to redirect these text messages to the cellular networks overseas.

The stolen OTPs were then used to complete the fraudulent card payments. This is in line with the victims’ statement that they did not receive the OTPs.

The compromised telecommunications networks overseas were identified and notified, but the authorities did not disclose who they were or where they came from.

The investigation continues to identify the perpetrators and bring them to justice. It is also unclear where the hackers come from.

Eric Nagel, general manager for Asia Pacific at cybersecurity firm Cybereason, said SMS OTPs rely on third-party technology on an operating system that is not immune to sophisticated attacks.

One such technology that can be hacked is the one used for SMS management services.

Such services can be rented from companies in the United States for $ 16 (RM66) for redirecting SMS, business news Business today reported. Cyber ​​criminals can not only hack these services, they can also hire these services.

Nagel added that the SMS-OTP redirection discovery here isn’t surprising.

Earlier this year, Cybereason found that three Chinese threat groups that recently attacked telecommunications companies in Asean had previously carried out cyberattacks in other countries such as the United States and the United Kingdom.

But Nagel said banks and telecommunications companies are trying to reduce reliance on third-party vendors.

“This should reduce these types of attacks over time as they regain control (of systems),” he said.

Although Singapore’s telecommunications networks have not been compromised, IMDA has asked them to take additional security precautions. This includes special firewalls and system backups to monitor and block suspicious SMS redirects.

IMDA had previously consulted the Cyber ​​Security Agency of Singapore (CSA) about the additional telecom measures.

When contacted, CSA said it had assessed that the controls in place were adequate to combat the hackers’ current methods.

“Cyber ​​criminals are constantly developing new and sophisticated methods and tools to target their victims,” ​​said the agency. “Organizations and individuals must remain vigilant and take steps to protect their assets and information.”

The authorities’ statement comes after the Singapore government announced in July that it would conduct a review by the end of the year to provide clearer guidance on what to do with consumers and banks in the event of fraud.

MAS will work with financial institutions to refine the existing framework for fraudulent payment transactions and to cover the responsibilities and liabilities of banks and consumers in such situations.

At the time, it was reported that between September last year and February this year, the police had received 89 reports of fraudulent card transactions with SMS OTPs, in which victims said they had not carried out the transaction or received the OTP for authorization.

The amount stolen in these cases was S $ 550,500 (RM 1.70 million).

Treasury Secretary Lawrence Wong, vice chairman of the MAS, said in Parliament that while these cases accounted for less than 0.1% of reported fraudulent online card transactions and the number of cases has decreased since March 2021, it is “worrying”.

IMDA, MAS and the police urged the public to be vigilant and vigilant about malware and phishing attempts that attempt to steal their personal information as the incident involved stolen credit card information.

For example, consumers should keep their bank account, credit and debit card details safe at all times. You should never give these details, as well as your personal identification numbers, passwords and codes such as OTPs, to anyone.

You can also set low thresholds for payment transaction alerts, which allows for early detection of unauthorized activity. Consumers should notify their banks as soon as possible of any discrepancies or unauthorized transactions.

They should keep their devices updated with the latest security patches and antivirus software.

Consumers should only use credible online services, download apps from official app stores, and make online purchases through trusted platforms.

The public should also never click on suspicious links from unknown sources. – The Straits Times (Singapore) / Asia News Network


About Author

Leave A Reply