Malicious Actors Overseas Used Diverted OTPs To Make Fraudulent Online Payments
As Singaporeans are increasingly shopping online with credit cards, they’ll be familiar with the various security measures necessary.
One of these measures is a One-Time Password (OTP) that’s sent to your phone to make sure it’s really you making the transaction.
However, fraudsters have now managed to bypass this protection by diverting the OTPs to themselves.
This resulted in 75 Singapore bank customers falling victim to unauthorised transactions on their credit cards.
Culprits are malicious actors from overseas
The news was revealed in a media release on Wednesday (15 Sep) by the Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS) and Singapore Police Force (SPF).
The culprits behind these dark deeds are “malicious actors” from overseas, they said.
All was uncovered thanks to joint investigations by the SPF and IMDA, with the support of local banks.
The authorities also explained how the perpetrators did it.
Victims’ card details, access to overseas telcos obtained
At the outset, the credit card details of victims were obtained, though the authorities didn’t say how that was done.
Separately, the malicious actors also gained unauthorised access to the systems of overseas telecommunications operators.
It wasn’t mentioned whom these telcos were, or which country they were from.
SMS OTPs diverted to overseas mobile networks
With control of the overseas telcos, the malicious actors could then modify the location data of the Singaporean victims’ mobile phones.
That means when banks sent their customers OTPs via SMS, they were diverted to overseas mobile network systems controlled by the perpetrators.
They could then make fraudulent online card payments with the victims’ card details, and authorise these payments with the OTPs sent to them.
This mode of attack that involves diverting SMSes requires “highly sophisticated expertise”, said the authorities, as overseas telcos need to be compromised.
$500,000 lost by victims
As a result of these unauthorised transactations, $500,000 was lost by 75 bank customers in Singapore.
The fraudulent payments occurred between Sep and Dec 2020.
The victims had said that they didn’t initiate any of the transactions, neither did they receive any OTPs to authorise them.
After reviewing the cases with the SPF, the relevant banks have decided to provide a goodwill waiver to those affected who had taken care to protect their credentials.
Local banks, telcos are secure
As for the security of our local banks and telcos, the authorities have said that all is well.
The banks’ investigations have found that their systems were secure and uncompromised. They didn’t cause these incidents.
Our local telcos’ networks are also secure and haven’t been compromised, the authorities said.
However, IMDA has told the telcos to implement additional safeguards like specialised firewalls and system safeguards.
These will help monitor and block suspicious SMS diversions.
Public advised to be alert & vigilant
The authorities also advised members of the public to be alert and vigilant against criminals trying to get their personal details via malware and phishing.
One way would be to safeguard our bank account and credit card details by:
- Keeping them safe at all times and not revealing them to anyone, including passwords and codes like OTPs
- Updating our security patches and anti-virus software regularly
- Using online services that are credible and trustworthy, especially when downloading apps and shopping online
- Not clicking on suspicious links from unknown sources
- Setting alerts from the bank whenever payments are made even for small amounts, so that unauthorised activities can be detected early.
- Alerting banks immediately when discovering discrepancies or unauthorised transactions
The overseas telcos that were illegally accessed have been identified and notified, the auhorities said.
They’re now trying to identify the malicious actors and so they can be brought to justice.
Singapore woman claims unauthorised card payments made
In Jun, MS News reported that a Singapore woman claimed 7 transactions were made on her credit card, amounting to $10,150, without her authorisation.
She also said that she didn’t get any OTP from DBS Bank for any of the payments.
After making a police report, Ms Danica Alena Choo said she found out that the transactions were made via a website that enables overseas money transfers.
It was also revealed that the money was allegedly wired to a Malaysian company and processed in ringgit.
In response to MS News queries, a DBS spokesperson directed us to its security guide and reminded customers not to click on links or install any programs from suspicious sources.
Now that the deeds of these malicious overseas actors have been revealed, it’s uncertain whether Ms Choo was one of their victims.
Do safeguard your precious info
Almost every younger Singaporean has bought stuff online with a card.
Thus, the advisories for safeguarding our precious info must be taken seriously.
While you might think it won’t happen to you, bad but very skilled people do exist. And they’re trying their hardest to cheat your money.
The only way to stop them is by being vigilant.
Have news you must share? Get in touch with us via email at firstname.lastname@example.org.
Featured image adapted from Firmbee.com @ Unsplash.