Hackers steal OTPs sent by S'pore banks to make $500k in fake deals

Affected customers who had protected their credentials will not have to pay up

Hackers abroad have been able to pose as 75 bank customers here to make about $500,000 in fake credit card payments.

This was done by a sophisticated method of hijacking the one-time passwords (OTPs) sent through SMS text messages by banks.

The hackers had diverted the SMS OTPs from the banks to overseas mobile network systems, the Infocomm Media Development Authority (IMDA), the Monetary Authority of Singapore (MAS), and the police said yesterday.

They added that the SMS diversion method "requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks".

The fraudulent transactions happened between September and December last year.

The bank customers said they did not initiate the transactions and did not get the SMS OTPs needed to complete the transactions.

The authorities gave an assurance that Singapore's banking and telecommunication systems were not compromised.

Affected customers who had taken steps to protect their credentials will not have to pay for any of the fake transactions as a gesture of goodwill by the banks, "given the unique circumstances of these cases", said the authorities.

So far, UOB has said that it "proactively reviewed" the cases involving its customers and worked with each of them on a case-by-case basis to offer the payment waiver.

It is understood that customers from DBS and OCBC, as well as some foreign banks, were affected too. The banks would have informed affected customers.

The method used by the cyber criminals involved their getting hold of the victims' credit card details and mobile phone numbers.

They also hacked into the systems of overseas telcos and used them to change the location information of the mobile phones used by the Singapore victims.

By doing so, the hackers tricked Singapore telco networks into thinking the Singapore numbers were roaming on overseas networks. They then used the victims' stolen credit card details to make online card payments. When the banks sent out SMS OTPs to the victims to verify the transactions, the crooks diverted them to the overseas mobile networks.

The stolen OTPs were used to complete the fraudulent payments. This is consistent with the victims saying that they did not get the OTPs.

The compromised overseas telco networks have been notified, but the agencies did not say who they were or where they were from.

Investigations are ongoing to identify the criminals and bring them to justice. It is also unclear where the hackers are from.

Mr Eric Nagel, general manager for the Asia-Pacific at cyber-security firm Cybereason, said SMS OTPs rely on third-party technology on an operating system that is not immune to sophisticated attacks.

He added that the discovery of the SMS OTP diversion here is not surprising. Earlier this year, Cybereason found that three Chinese threat groups which recently attacked telcos in Asean had previously carried out cyber attacks in other countries like the United States and the United Kingdom.

But Mr Nagel said that banks and telcos are trying to reduce reliance on third-party vendors: "This should diminish these types of attacks over time, as they take back control (of systems)."

While Singapore's telco networks were not compromised, IMDA has told them to put in place additional safeguards. They include specialised firewalls and system safeguards to monitor and block suspicious SMS diversions.

IMDA had earlier consulted the Cyber Security Agency of Singapore (CSA) on the additional telco measures.

When contacted, the agency said it has assessed that the controls in place are adequate to address the hackers' current methods. CSA added that cyber criminals are constantly developing new and sophisticated methods and tools to target victims and advised organisations and individuals to be vigilant.

IMDA, MAS and the police urged the public to be alert and vigilant against malware and phishing attempts that seek to steal their personal details, since the incident involved stolen credit card data.

A version of this article appeared in the print edition of The Straits Times on September 16, 2021, with the headline 'Hackers steal OTPs sent by S'pore banks to make $500k in fake deals'.