About S$500,000 stolen in fraudulent card payments involving diversion of SMS one-time passwords
SINGAPORE: "Malicious actors" overseas have stolen about S$500,000 through fraudulent credit card transactions involving the diversion of SMS one-time passwords (OTPs) to overseas mobile network systems.
About 75 bank customers in Singapore were affected by the transactions from September to December 2020, the Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS) and Singapore Police Force (SPF) said on Wednesday (Sep 15).
SPF and IMDA conducted joint investigations with support from the banks, which showed that malicious actors abroad gained unauthorised access to the systems of overseas telecommunications operators.
They used this to modify the location data of the mobile phones used by the victims in Singapore, said the authorities.
"The malicious actors were thus able to divert to overseas mobile network systems the SMS OTPs sent by the banks to their customers," said IMDA, MAS and SPF.
"Having separately obtained their victims' card details, the malicious actors then made fraudulent online card payment transactions and authenticated these transactions using the diverted SMS OTPs."
The compromised overseas telecommunication networks have been identified and notified, and investigations are ongoing to identify the perpetrators, said authorities.
IMDA, MAS and SPF said the investigations by the banks found that their systems were "secure, uncompromised and not the cause of the incidents". The banks were not identified in the joint media release.
Victims reported that they did not initiate the transactions and did not receive the SMS OTPs needed to perform the transactions, added the authorities.
"Given the unique circumstances of these cases, banks will provide a goodwill waiver to affected customers who had taken care to protect their credentials," said the authorities.
SMS diversion requires "highly sophisticated expertise" to compromise the systems of overseas telecommunication networks, said authorities.
"While our local telecommunication networks are secure and had not been compromised, IMDA, in consultation with the Cyber Security Agency of Singapore (CSA), has required operators to put in place additional safeguards, including specialised firewalls and system safeguards to monitor and block suspicious diversions of SMS."
PROTECT CARD DETAILS
As credit card details are needed to perform the fraudulent transactions, the authorities reminded people to be vigilant against malware and phishing attempts to obtain their personal details.
Bank account, credit card and debit card details should be kept safe at all times, and their details - including personal identification numbers (PIN), passwords and codes - never disclosed.
Devices should be updated with the latest security patches and anti-virus software, said authorities.
People should only use credible online services, including downloading applications only from official application stores and making online purchases through trustworthy platforms. They should not click on suspicious links from unknown sources.
Bank customers should also set low thresholds for payment transaction alerts so that unauthorised activities are detected early, and alert the banks as soon as possible if there are any discrepancies or unauthorised transactions, said authorities.