Three major retail banks in Singapore are slated to retire the use of one-time passwords (OTPs) for customers who have digital tokens, in a move that aims to combat phishing scams.
To be phased out within the next three months, OTPs will remain available to customers of the three banks — DBS, OCBC, and UOB — who still rely on physical tokens. These users, however, are “strongly encouraged” to activate their digital tokens to better safeguard their credentials against phishing attacks, according to a joint statement released Tuesday by industry regulator Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS).
Also: Banks must move past PIN, OTP to ensure mobile security
With the phasing out of OTPs, customers will have to use their digital tokens on their mobile devices for authentication when they log into their bank account or mobile banking app.
OTPs were launched in Singapore in the 2000s as an MFA (multi-factor authentication) option, but social engineering tactics since then have grown more sophisticated alongside technological advancements. These have enabled scammers to gain access more easily to customers’ OTPs via phishing attacks — for example, through fraudulent bank websites created to resemble genuine ones.
Retiring the use of OTPs will enhance the user authentication process and make it more difficult for scammers to access customer bank accounts and funds, without customers’ explicit authorization through their mobile devices.
Phishing attacks were among the top five scam categories last year in Singapore, accounting for SG$14.2 million ($10.52 million) lost through these scams, according to Singapore Police Force’s (SPF) annual scams and cybercrime 2023 report.
Local banks have been working with MAS and law enforcement to implement measures that address this threat landscape, the industry regulator said.
“While they may give rise to some inconvenience, such measures are necessary to help prevent scams and protect customers,” said ABS director Ong-Ang Ai Boon.
Also: Banks defending their right to security are missing the point about consumer trust
MAS last October laid out a framework detailing parties that should be held responsible for phishing scams, with banks and telcos taking on accountability for the first line of defense.
Scams and cybercrime cases in Singapore climbed 49.6% last year, with the number of cases hitting 50,376, up from 33,669 cases in 2022. Scams accounted for 92.4% of overall cases, SPF’s numbers revealed.
The police force works with various institutions, including fintech companies and cryptocurrency platforms, via its Anti-Scam Command office to freeze accounts and recover funds to reduce losses. More than 19,600 bank accounts were frozen in 2023 based on investigations by the Anti-Scam Command Centre, recovering more than SG$100 million.
The center also works with local telcos and e-commerce platforms on anti-scam measures, terminating more than 9,200 mobile lines and 29,200 WhatsApp lines last year that were suspected of being used in scams.
