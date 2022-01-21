A day after banks were told to put in place more stringent measures to bolster the security of digital banking within the next two weeks, cyber-security experts said all organisations should adopt anti-SMS spoofing measures.

An example would be signing up for the SMS sender ID registry, which was launched as a pilot initiative by the Infocomm Media Development Authority (IMDA) in August last year.

"It should be the immediate priority, as scams originating via spoofed SMS and calls are becoming one of the top security concerns among residents in Singapore," said Mr C.K. Chim, field chief security officer for the Asia-Pacific at cyber-security firm Cybereason.

The registry enables organisations to register the SMS sender IDs they wish to protect. Any unauthorised party that tries to send SMS messages using the registered IDs will be flagged and blocked on mobile operators' networks.

Banks will continue to work closely with the Monetary Authority of Singapore (MAS), IMDA and the police on the adoption of the registry as one of the solutions to combat SMS spoofing, following a recent spate of SMS phishing scams targeting OCBC Bank's customers.

On Wednesday, the MAS and the Association of Banks in Singapore (ABS) introduced measures including removing clickable links in SMSes or e-mails sent to retail customers, a delay of at least 12 hours before the activation of a new soft token on a mobile device, and sending a notification to an existing registered mobile number or registered e-mail address whenever there is a request to change a customer's contact details.

Several experts said some of the measures introduced by the MAS and ABS can be implemented consistently across all sectors.

Mr Leow Kim Hock, Asia chief executive of cyber-security services provider Wizlynx Group, believes that government agencies should remove clickable links in SMSes sent to members of the public.

This is because the transactions handled by these organisations usually involve personal data or funds of members of the public, which could be compromised by scam links.

But aside from this measure, each agency should determine independently which other safeguards to adopt, as not all of these may be relevant, Mr Leow added.

Private organisations should do the same, he said.

Experts also said the measures introduced by the MAS and ABS may compromise the efficiency of an organisation's services or may not address all types of scams.

Mr Ilia Rozhnov, head of digital risk protection at cyber-security firm Group-IB in the Asia-Pacific, also noted: "There are so many different scams out there that are evolving constantly. The fraudsters tend to adapt their techniques to the new detection mechanisms quickly."

He added: "The bottom line is that companies need to focus on fraud and scam hunting mechanisms, instead of over-relying on human awareness."