Banks to beef up e-banking security after spate of scams

Banks in Singapore will have to put in place more stringent measures to bolster the security of digital banking, such as removing clickable links in SMSes or e-mails sent to retail customers, within the next two weeks.

These additional measures were introduced in view of the recent spate of SMS phishing scams targeting bank customers, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said in a joint statement yesterday.

They include a delay of at least 12 hours before activation of a new soft token on a mobile device, sending a notification to an existing mobile number or registered e-mail whenever there is a request to change a customer's contact details, and dedicated teams to deal with feedback on potential fraud cases on a priority basis.

OCBC Bank has said it will cover in full the losses suffered by its customers to SMS phishing scams last month, while other local banks, the Singapore Police Force and the Supreme Court yesterday issued warnings about phishing scams targeting users in Singapore.

MAS and ABS said the growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated in the coming months.

The more stringent measures which banks will work to put in place in the next fortnight will lengthen the time taken for certain online banking transactions but also provide an additional layer of security to protect customers' funds, they added.

Last month, nearly 470 OCBC customers lost at least $8.5 million to SMS phishing scams, among them a mother of seven who said she lost almost $100,000 and a couple in their 20s who took five years to save about $120,000 to start a family.

Victims received unsolicited SMSes that appeared to be from OCBC, claiming there were issues with their banking accounts and asking users to click on the link given in the message. The link led to fake bank websites and victims were asked to key in their Internet banking account login details.

MAS and ABS said more permanent solutions to combat SMS spoofing include the adoption of the SMS sender ID registry. The registry pilot, launched by the Infocomm Media Development Authority (IMDA) last August, enables organisations to register the SMS sender ID headers they wish to protect. When there is unauthorised use of this protected SMS sender ID, the messages will be blocked.

They stressed that customer vigilance remains key and outlined several measures customers must take to avoid falling victim to online banking scams, such as verifying SMSes or e-mails by calling the bank directly on the hotline listed on its official website.

MAS managing director Ravi Menon said the central bank is deeply concerned about the recent scams and the financial losses suffered by victims. "The threat of scams will not go away, but we can reduce our vulnerabilities," he said.

In response to yesterday's announcement, DBS said that in addition to the industry measures, it will stop sending non-essential SMSes from tomorrow. Only essential ones, such as security and trade notifications, and OTP authentication with no clickable links will be sent to retail and wealth customers until further notice.

Cyber-security firm Acronis' chief information security officer, Mr Kevin Reed, said that the new security measures help to minimise risks but stressed that the changes need to be well explained to users to prevent confusion and opening up more opportunities for scammers.