Banks to probe new card disputes to identify if they are linked to SMS OTP diversion fraud

Mr Lawrence Wong said the amount of about $500,000 from the unauthorised transactions has been waived by the banks. PHOTO: ST FILE

SINGAPORE - Banks will investigate any new card dispute cases to identify if they were fraudulent transactions enabled by the diversion of SMS one-time passwords (OTPs), including any related to transactions prior to September 2020, before the first confirmed cases were found to have occurred.

They are also reviewing all card dispute cases reported to them since September 2020 to identify if there may be other such fraudulent transactions, Monetary Authority of Singapore (MAS) deputy chairman Lawrence Wong told Parliament on Tuesday (Oct 5).

Customers will not have to bear any unauthorised charges in cases that are confirmed to have been enabled by SMS OTP diversion, as long as customers had taken care to protect their card information and authentication credentials.

Mr Wong, who is also Finance Minister, was speaking on behalf of Senior Minister Tharman Shanmugaratnam, who is the Minister-in-charge of MAS.

Dr Tan Wu Meng (Jurong GRC), Ms Joan Pereira (Tanjong Pagar GRC) and Workers' Party (WP) MP Gerald Giam (Aljunied GRC) had asked about cases of SMS OTP fraud, following an announcement last month that 75 bank customers in Singapore were victims of such incidents between September and December last year.

Mr Wong said the amount of about $500,000 from the unauthorised transactions has been waived by banks.

The minister said banks have a responsibility to secure their IT systems, implement robust measures to authenticate transactions and conduct active surveillance to detect unusual transaction patterns.

But bank customers too have a responsibility to protect their own credentials, he added.

"Consumers must assume that criminals will try to obtain their online banking credentials. Criminals typically do this by tricking consumers into installing malware on their devices or disclosing their online banking username and passwords through phone calls or fake websites," he said.

"When in doubt, consumers should call the banks' official hotlines to verify the legitimacy of requests for online banking and card credentials."

They must also develop a healthy scepticism about websites, unsolicited phone calls, messages and e-mails, and should use only established and reputable services when making online purchases, Mr Wong added.

The minister advised setting transaction notification thresholds at low levels so that unauthorised transactions are detected early.

Bank customers are protected from financial losses arising from fraud as long as they have acted responsibly.

Mr Wong noted that banks consider whether the customers could have taken reasonable steps to prevent the occurrence of the fraudulent transactions, and that customers will not incur any losses that arise from the banks' non-compliance with MAS' rules.

Dr Tan cited a resident who said he had disputed a credit card transaction with his bank, only to be told that there was a record of an OTP sent to his phone number and the transaction could not be challenged.

"He appealed a number of times and the case was resolved, but how many more consumers would have given up before attaining a resolution?"

Dr Tan asked if earlier cases that had similarly been deemed clear-cut at the time could be relooked.

Mr Wong replied that banks will take into account the "new finding" that SMS OTPs could have been diverted when investigating further reports, including those involving earlier transactions.

Mr Giam said that SMS diversion happens overseas, where MAS has no jurisdiction. He asked if banks here will work with overseas telcos to prevent such incidents.

He also asked if MAS will direct banks to move away from SMS as an authentication method, or allow customers to manually disable it in favour of more secure methods such as app-based authentication.

Mr Wong said the Infocomm Media Development Authority is already implementing additional safeguards such as checking an individual's location and flagging any sudden changes to that as suspicious to prevent the SMS from being diverted overseas.

The minister also said that while MAS requires multi-factor authentication, it does not prescribe which method must be used.

"Whatever you put in place, the perpetrators will always be looking for new ways to identify vulnerabilities and weaknesses, so this has to be a continuous effort to make sure that our systems remain secure. It requires continued vigilance by regulator, financial institutions and customers."

Join ST's WhatsApp Channel and get the latest news and must-reads.