Hackers pose as bank customers by stealing OTPs, making $500k in fake credit card payments

The hackers had hijacked the one-time passwords sent through SMS text messages by banks.
The hackers had hijacked the one-time passwords sent through SMS text messages by banks.PHOTO: ST FILE

SINGAPORE - Hackers abroad have been able to pose as 75 bank customers here to make about $500,000 in fake credit card payments.

This was done by a sophisticated method of hijacking the one-time passwords (OTPs) sent through SMS text messages by banks.

The hackers had diverted the SMS OTPs from the banks to overseas mobile network systems, explained the Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS), and Singapore Police Force in a joint statement on Wednesday (Sept 15).

They said the SMS diversion method “requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks”.

The fraudulent transactions happened between September and December last year.

The bank customers said they did not initiate the transactions and did not receive the SMS OTPs needed to complete the transactions.

The authorities gave an assurance that Singapore's banking and telecommunication systems were not compromised.

Affected customers who had taken steps to protect their credentials will not have to pay for any of the fake transactions as a gesture of goodwill by the banks, “given the unique circumstances of these cases”, said the authorities. The identities of the banks involved were not revealed.

So far, UOB has said that it has “proactively reviewed” the cases involving its affected customers and will work with each of them on a case-by-case basis to offer the payment waiver.

It is understood that customers of DBS and OCBC, as well as some foreign banks, were affected too. The banks would have informed affected customers.

The method used by the cyber criminals in this incident involved their getting hold of the victims’ credit card details and mobile phone numbers.

They also hacked into the systems of overseas telcos and used them to change the location information of the mobile phones used by the Singapore victims.

By doing so, the hackers tricked Singapore telco networks into thinking that the Singapore numbers were roaming overseas on the networks of other countries.

The hackers then used the victims’ stolen credit card details to make fraudulent online card payments.

So when the banks sent out SMS OTPs to the victims to verify the transactions, the crooks were able to divert these text messages to the overseas mobile network systems.

The stolen OTPs were then used to complete the fraudulent card payments. This matches with the victims saying they did not get the OTPs.

The compromised overseas telecommunication networks have been identified and notified, but the agencies did not reveal who they were or where they were from.

Investigations are ongoing to identify the criminals and bring them to justice. It is also unclear where the hackers are from.

Mr Eric Nagel, general manager for the Asia-Pacific at cyber-security firm Cybereason, said  SMS OTPs rely on third-party technology on an operating system that is not immune to sophisticated attacks. 

One such technology that can be hacked is that used for text-messaging management services.

Such services can be hired by businesses for US$16 (S$21) in the United States to redirect SMSes, business news outlet Business Today reported. So besides hacking them, cyber criminals can also hire these services.

Mr Nagel added that the discovery of the SMS OTP diversion here is not surprising.

Earlier this year, Cybereason found  that three Chinese threat groups, which  recently attacked telcos in Asean, had previously carried out cyber attacks in other countries like the United States and the United Kingdom.

But Mr Nagel said that banks and telcos are trying to reduce reliance on third-party vendors.

“This should diminish these types of attacks over time, as they take back control (of systems),” he said.

While Singapore’s telco networks were not compromised, IMDA has told them to put in place additional safeguards. They include specialised firewalls and system safeguards to monitor and block suspicious SMS diversions.

IMDA had earlier consulted the Cyber Security Agency of Singapore (CSA) on the additional telco measures.

When contacted, CSA said it has assessed that the controls in place are adequate to address the hackers’ current methods.

“Cyber criminals are constantly developing new and sophisticated methods and tools to target their victims,” said the agency. “Organisations and individuals must continue to stay vigilant and take steps to keep their assets and information secure.”

The authorities’ statement comes after the Government said in July that a review would be done by the end of the year to provide clearer guidelines on what happens to consumers and banks in the event of scams.

MAS will be working with financial institutions to fine-tune the existing framework on fraudulent payment transactions, covering the responsibilities and liabilities of banks and consumers in such situations.

At the time, it was reported the police had received 89 reports of fraudulent card transactions performed with SMS OTPs, where the victims said they did not make the transaction or receive the OTP to authorise it, between September last year and February this year.

The amount stolen in these cases was $550,500.

Finance Minister Lawrence Wong, who is MAS’ deputy chairman, said in Parliament that while these cases represented less than 0.1 per cent of fraudulent online card transactions reported, and the number of cases has come down since March 2021, “it is nevertheless concerning”.

IMDA, MAS and the police urged the public to be alert and vigilant against malware and phishing attempts that seek to steal their personal details, since the incident involved stolen credit card information.

For instance, consumers should keep their bank account, credit and debit card details safe at all times. They should never disclose to anyone these details, as well as their personal identification numbers, passwords and codes like OTPs.

They can also set low thresholds for payment transaction alerts, which can allow unauthorised activities to be detected early. Consumers should alert their banks as soon as possible if there are any discrepancies or unauthorised transactions.

They should keep their devices updated with the latest security patches and anti-virus software.

Consumers should use only credible online services, download apps from official app stores, and make online purchases through trustworthy platforms.

Members of the public should also never click on suspicious links from unknown sources.