The Monetary Authority of Singapore (MAS) has announced that all major retail banks in the country will replace one-time passwords (OTPs) with digital tokens within the next three months. This move, in collaboration with the Association of Banks in Singapore (ABS), aims to protect consumers against phishing and other scams.
Incident Details:
The OTP was introduced in the 2000s as a multi-factor authentication (MFA) option to build strong online security. However, technological advancements and sophisticated social engineering attacks have enabled more scammers to easily phish for customers’ OTPs through fake bank websites. To protect customers and banks, the digital token system is therefore being enabled. The digital token will authenticate customers’ login without the need for an OTP that scammers can steal, or trick customers into disclosing. These digital tokens will be activated on customers’ mobile devices, for logging into their bank accounts through a safe browser or mobile banking app.
Vulnerabilities of OTPs:
OTPs have been a target for Android malware and man-in-the-middle (MitM) attacks, which makes them a weaker option for online security in banking systems. This has prompted Google to take aggressive action against the abuse of ‘RECEIVE_SMS,’ ‘READ_SMS,’ and ‘BIND_Notifications’ permissions this year, with Singapore being among the first to receive these new protections. Moreover, threat actors have used SIM-swapping attacks to intercept SMS-based OTPs.
Execution of Digital Tokens:
According to ABS, digital tokens are already activated for 60% to 90% of customers at DBS, OCBC, and UOB. These tokens authenticate logins without needing an OTP, which scammers can steal or trick customers into disclosing. Customers who haven’t activated their digital tokens are strongly encouraged to do so for better security against phishing and scams. Those who don’t will continue receiving OTPs, but this group is expected to diminish.