OCBC phishing scam: Banks should stop using SMS to communicate with customers, experts say
SINGAPORE — In the wake of a recent phishing scam involving hundreds of OCBC bank customers, some cybersecurity experts are suggesting that banks here do away with communicating important information such as verification codes via SMS.
This is because SMS, which stands for Short Message Service and is delivered over mobile networks, has been known to be insecure for a very long time and has enabled several forms of scams in the past, they told TODAY on Tuesday (Jan 18).
Many of the nearly 470 affected OCBC customers, who lost in all to the phishing scams, were fooled by fake SMS messages that appeared in the same thread as legitimate text messages by OCBC for one-time passwords (OTPs) and transaction alerts.
The swindlers impersonated the bank by setting their sender name to “OCBC”, claiming that there were issues with the customer’s bank accounts or credit cards and instructing them to click on a link in the SMS message that led the customer to a fake banking website.
Mr Kevin Reed, chief information security officer at cybersecurity firm Acronis, told TODAY that a much better approach would be for banks not to use SMS at all for such notifications.
If banks stopped communicating important information via SMS, customers would be more alert and wary when they receive a text message purportedly from the bank.
Without SMS messages, customers would more likely log in to the bank’s official portals, applications or websites to view messages from the bank.
OCBC, on its part, has been reminding customers not to click on links in SMS messages purportedly sent by the bank, adding that the bank will never send one to inform them about account closures or reactivation.
However, it is hard for customers to remember these instructions, Mr Reed said.
“I still see people who are security professionals being successfully phished, so it's hard and we cannot expect the consumers to make (the right) decisions, especially in a situation like the one that happened,” he added.
“I think the banks and the telcos are the ones that need to step up and not just publish instructions on a website.”
OCBC did not respond to a request to comment for this story. TODAY has also asked the Infocomm and Media Development Authority (IMDA) and the Monetary Authority of Singapore (MAS) about what steps they are taking to prevent such attacks from happening again.
HOW SMS ONE-TIME PASSWORDS ARE EXPLOITED
One weakness pointed out by experts who spoke to TODAY was that banks are using SMS to provide customers with OTPs, which are codes that customers use to verify their identity.
However, hackers have used several methods of obtaining such OTPs in past attacks:
- A hacker can call up the telecommunications company of a victim’s mobile phone plan and convince the telco to send him a new SIM card for the phone number, with personal information he has obtained about the victim
- Some malware disguised as applications have also been known to steal OTPs from a user’s phone
- Hackers have been able to intercept text messages containing OTPs by targeting flaws in the international telecommunications network
The experts suggested that banks revert to using physical tokens that generate OTPs as they had in the past, or rely on other forms of software authentication such as Google Authenticator or the Government’s SingPass authentication system.
Mr Lim Yihao, head of intelligence for Asia Pacific at cybersecurity firm Mandiant, said that doing away with SMS OTPs will reduce SMS scams, but warned that it will not put a stop to attacks on bank customers’ money.
“Most likely, (hackers) will shift their tactics to target the new authentication mechanism instead.”
WHAT'S BEING DONE TO STEM SPOOF TEXTS
On Monday, OCBC bank outlined how fraudsters were able to send spoofed messages to its customers via an SMS aggregator, an intermediary that handles SMS delivery on behalf of businesses.
When customers click on the phishing link in the SMS message and key in their log-in details — including their OTP — on the fake website, the fraudsters then use those details to log in to the victims’ bank accounts.
From there, the fraudsters are able to request to activate a digital token that allows them to receive OTPs from the bank on their device, allowing them to make transactions.
This scam tactic is not entirely new. In 2020, the police said that at least S$600,000 was lost between January and May that year to spoofed SMS messages from “banks” claiming that the customer’s accounts had been suspended or deactivated.
Last August, IMDA and MAS launched the Singapore SMS SenderID protection registry.
The registry allows organisations to register their sender IDs, which are the names that appear on SMS messages in place of mobile numbers. When fraudsters try to send messages using a sender ID that is registered, the message will be blocked.
In reply to a reader’s letter to The Straits Times on Monday, IMDA said that “some banks” signed up when the registry was started. E-commerce platform Lazada and Singapore Post are also on the registry.
“We urge more businesses and organisations that use SMS sender IDs to do so,” IMDA wrote.
Mr Tobias Gondrom, United Overseas Bank’s group chief information security officer, told TODAY that it was among the first Singapore banks to join the pilot for the registry.
"Given the possibility of scammers to spoof SMS sender names in the current telecommunications infrastructure, we see this pilot as a positive step towards preventing scammers exploiting consumers," he added.
More than 1,500 people have signed an online petition to get IMDA to require all organisations in Singapore to register with the authorities before being allowed to send SMS messages with sender IDs.
The SMS SenderID protection registry is run by global trade body Mobile Ecosystem Forum (MEF), which developed and ran a registry in the United Kingdom where it is based.
Besides Singapore and the UK, similar registries are being run by MEF in Ireland and Spain.
In response to TODAY’s queries, MEF’s registry project director Mike Round explained how the registry works:
- Participating merchants register the sender IDs they use in SMS, such as “OCBC”
- SMS aggregators provide information to MEF and the participating merchants whenever they get a request to send an SMS using a sender name that is registered to a merchant
- The merchant can then choose whether to allow or block that message from being sent
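The three steps Mr Round describes can be modelled as a small registry lookup that an aggregator runs before routing each outbound message. The following is an added example written for this page, not MEF's, IMDA's or any aggregator's code: the class and function names, the merchant and aggregator labels, and the rule that a registered sender ID may only be sent through aggregators the merchant has approved (with the merchant able to override for an individual message) are all assumptions made to illustrate the mechanism. The sample requests are constructed.

```python
"""Toy model of an SMS sender-ID protection registry (constructed example).

Flow modelled:
  1. merchants register the sender IDs they use;
  2. an aggregator consults the registry before sending a message with a
     given sender ID and reports the request to the merchant;
  3. the merchant allows or blocks the message.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class MerchantRecord:
    merchant: str                 # organisation that owns the sender ID
    approved_aggregators: Set[str]  # aggregators the merchant actually sends through


class SenderIdRegistry:
    """Registered sender IDs, keyed case-insensitively (assumed normalisation)."""

    def __init__(self) -> None:
        self._records: Dict[str, MerchantRecord] = {}

    @staticmethod
    def normalise(sender_id: str) -> str:
        return sender_id.strip().upper()

    def register(self, sender_id: str, merchant: str, approved_aggregators: Set[str]) -> None:
        key = self.normalise(sender_id)
        existing = self._records.get(key)
        # Assumed rule: a sender ID cannot be claimed by a second merchant.
        if existing is not None and existing.merchant != merchant:
            raise ValueError(f"sender ID {key!r} already registered to {existing.merchant}")
        self._records[key] = MerchantRecord(merchant, set(approved_aggregators))

    def lookup(self, sender_id: str) -> Optional[MerchantRecord]:
        return self._records.get(self.normalise(sender_id))


Decision = Tuple[str, str]                       # ("allow" | "block", reason)
MerchantCallback = Callable[[str, str, str], bool]  # (merchant, aggregator, sender_id) -> allow?


def check_send_request(
    registry: SenderIdRegistry,
    aggregator: str,
    sender_id: str,
    merchant_decides: Optional[MerchantCallback] = None,
) -> Decision:
    """Decide whether an aggregator may send a message carrying sender_id."""
    record = registry.lookup(sender_id)
    if record is None:
        # An unregistered ID gets no protection: this is the registry's limit.
        return ("allow", "sender ID not registered; registry offers no protection")
    if aggregator in record.approved_aggregators:
        return ("allow", f"{aggregator} is an approved route for {record.merchant}")
    # Unexpected route for a registered ID: notify the merchant and let it decide.
    if merchant_decides is not None and merchant_decides(record.merchant, aggregator, sender_id):
        return ("allow", f"{record.merchant} approved {aggregator} for this message")
    return ("block", f"{aggregator} is not an approved route for a sender ID owned by {record.merchant}")


def build_demo_registry() -> SenderIdRegistry:
    """Constructed registrations; merchant and aggregator names are made up."""
    reg = SenderIdRegistry()
    reg.register("OCBC", "Example Bank", {"agg-sg-1"})
    reg.register("SingPost", "Example Postal Service", {"agg-sg-1", "agg-sg-2"})
    return reg


# Constructed send requests as (aggregator, sender ID).
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("agg-sg-1", "OCBC"),      # bank's real aggregator
    ("agg-xx-9", "ocbc"),      # unknown aggregator, same ID in different case
    ("agg-xx-9", "0CBC"),      # lookalike ID that nobody registered
    ("agg-sg-2", "SingPost"),  # second approved route for the postal service
    ("agg-xx-9", "Shop123"),   # unregistered merchant
]


def process_requests(
    registry: SenderIdRegistry,
    requests: List[Tuple[str, str]],
    merchant_decides: Optional[MerchantCallback] = None,
) -> List[Tuple[str, str, str]]:
    """Return (aggregator, sender ID, decision) for each request."""
    return [
        (agg, sid, check_send_request(registry, agg, sid, merchant_decides)[0])
        for agg, sid in requests
    ]


if __name__ == "__main__":
    for agg, sid, verdict in process_requests(build_demo_registry(), SAMPLE_REQUESTS):
        print(f"{agg:9} {sid:9} -> {verdict}")
```

The third sample request shows the limitation the article goes on to raise: the registry only governs sender IDs that someone has registered, so a lookalike ID, or a route that never passes through a participating aggregator, is not caught by this check.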
In the UK, 23 merchants have signed up to be part of the registry. They include the major banking groups, postal service Royal Mail, retailers as well as five government agencies.
Mr Round said that the initial monitoring and discovery phase for the registry in Singapore is “working well”, but stressed that the registry is not foolproof in rooting out SMS phishing attacks.
“The success of the project relies on changing the behaviour of fraudsters. To this end, our experience in the UK and Ireland proves the registry to be extremely effective,” he said.
However, Mr Reed from Acronis said he “highly doubts” that such a measure will be successful.
One way hackers can bypass the registry's checks, he said, could be by getting access to a telco, such as one in a developing country that may not have strong security.
That way, the hackers will be able to send spoofed messages directly to customers via the compromised telco.
Mr Lim from Mandiant said that requiring businesses to register their sender IDs could work in the short term, but cyber criminals’ tactics change constantly.
Ultimately, he added, all organisations must be kept up to date on the latest methods employed by these criminals and update their security systems accordingly.
Choo, D. (2022, January 19). OCBC phishing scam: Banks should stop using SMS to communicate with customers, experts say. TODAY. https://www.todayonline.com/singapore/ocbc-phishing-scam-banks-should-stop-using-sms-communicate-customers-experts-say-1793541