Why kena scam become bank faults?


The_King

SINGAPORE - Hackers abroad have been able to pose as 75 bank customers here to make about $500,000 in fake credit card payments.

This was done by a sophisticated method of hijacking the one-time passwords (OTPs) sent through SMS text messages by banks.

The hackers had diverted the SMS OTPs from the banks to overseas mobile network systems, explained the Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS), and Singapore Police Force in a joint statement on Wednesday (Sept 15).

 

They said the SMS diversion method "requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks".

The fraudulent transactions happened between September and December last year.

The bank customers said they did not initiate the transactions and did not receive the SMS OTPs needed to complete the transactions.

 
 

The authorities gave an assurance that Singapore's banking and telecommunication systems were not compromised.

 

Affected customers who had taken steps to protect their credentials will not have to pay for any of the fake transactions as a gesture of goodwill by the banks, "given the unique circumstances of these cases", said the authorities. The identities of the banks involved were not revealed.

So far, UOB has said that it has "proactively reviewed" the cases involving its affected customers and will work with each of them on a case-by-case basis to offer the payment waiver.

It is understood that customers of DBS and OCBC, as well as some foreign banks, were affected too. The banks would have informed affected customers.

 

The method used by the cyber criminals in this incident involved their getting hold of the victims' credit card details and mobile phone numbers.

They also hacked into the systems of overseas telcos and used them to change the location information of the mobile phones used by the Singapore victims.

By doing so, the hackers tricked Singapore telco networks into thinking that the Singapore numbers were roaming overseas on the networks of other countries.

The hackers then used the victims' stolen credit card details to make fraudulent online card payments.

So when the banks sent out SMS OTPs to the victims to verify the transactions, the crooks were able to divert these text messages to the overseas mobile network systems.

The stolen OTPs were then used to complete the fraudulent card payments. This matches with the victims saying they did not get the OTPs.

The compromised overseas telecommunication networks have been identified and notified, but the agencies did not reveal who they were or where they were from.

Investigations are ongoing to identify the criminals and bring them to justice. It is also unclear where the hackers are from.

Mr Eric Nagel, general manager for the Asia-Pacific at cyber-security firm Cybereason, said SMS OTPs rely on third-party technology on an operating system that is not immune to sophisticated attacks.

One such technology that can be hacked is that used for text-messaging management services.

Such services can be hired by businesses for US$16 (S$21) in the United States to redirect SMSes, business news outlet Business Today reported. So besides hacking them, cyber criminals can also hire these services.

Mr Nagel added that the discovery of the SMS OTP diversion here is not surprising.

Earlier this year, Cybereason found that three Chinese threat groups, which recently attacked telcos in Asean, had previously carried out cyber attacks in other countries like the United States and the United Kingdom.

But Mr Nagel said that banks and telcos are trying to reduce reliance on third-party vendors.

"This should diminish these types of attacks over time, as they take back control (of systems)," he said.

While Singapore's telco networks were not compromised, IMDA has told them to put in place additional safeguards. They include specialised firewalls and system safeguards to monitor and block suspicious SMS diversions.

IMDA had earlier consulted the Cyber Security Agency of Singapore (CSA) on the additional telco measures.

When contacted, CSA said it has assessed that the controls in place are adequate to address the hackers' current methods.

"Cyber criminals are constantly developing new and sophisticated methods and tools to target their victims," said the agency. "Organisations and individuals must continue to stay vigilant and take steps to keep their assets and information secure."

The authorities' statement comes after the Government said in July that a review would be done by the end of the year to provide clearer guidelines on what happens to consumers and banks in the event of scams.

MAS will be working with financial institutions to fine-tune the existing framework on fraudulent payment transactions, covering the responsibilities and liabilities of banks and consumers in such situations.

At the time, it was reported the police had received 89 reports of fraudulent card transactions performed with SMS OTPs, where the victims said they did not make the transaction or receive the OTP to authorise it, between September last year and February this year.

The amount stolen in these cases was $550,500.

Finance Minister Lawrence Wong, who is MAS' deputy chairman, said in Parliament that while these cases represented less than 0.1 per cent of fraudulent online card transactions reported, and the number of cases has come down since March 2021, "it is nevertheless concerning".

IMDA, MAS and the police urged the public to be alert and vigilant against malware and phishing attempts that seek to steal their personal details, since the incident involved stolen credit card information.

For instance, consumers should keep their bank account, credit and debit card details safe at all times. They should never disclose to anyone these details, as well as their personal identification numbers, passwords and codes like OTPs.

They can also set low thresholds for payment transaction alerts, which can allow unauthorised activities to be detected early. Consumers should alert their banks as soon as possible if there are any discrepancies or unauthorised transactions.

They should keep their devices updated with the latest security patches and anti-virus software.

Consumers should use only credible online services, download apps from official app stores, and make online purchases through trustworthy platforms.

Members of the public should also never click on suspicious links from unknown sources.

I am Siti, a mother of seven wonderful children. A wife to a caring educator. And a victim of the recent scam targeting OCBC Bank customers.

On Dec 28 last year, at 11.47am, I received an SMS which looked very much like the other ones I have received from the OCBC SMS system, which read: "The transaction function of your OCBC account will be suspended. To prevent the account from being locked out, update it on December 28. Access bit.ly/3q****."

At that time, I was occupied with my children and did not act upon it. At 2pm, I reread the SMS and followed the instructions and clicked on the link. It brought me to an authentic-looking site with the OCBC name.

As I was anxious about the account being suspended and I had some transactions to make to my children's accounts later in the day, I did not think further, and keyed in my username and password and other relevant details and checked into my account.

A few moments later, I received a notification stating that my transfer limit had been increased to $100,000. When I noticed that, I immediately called OCBC as I had not approved this.

However, OCBC's hotline is not equipped to immediately handle scams which are in progress.

I had to navigate an automated system for a long time before reaching a person.


By this wasted time, I had already received multiple notifications stating that monies were transferred out of my savings accounts and six of my children's savings accounts.

In just a few minutes, almost $100,000 was gone.

We have since made a police report but we have been told that even though accounts are insured by up to $50,000, we are unlikely to have any of our funds returned to us as it was my mistake for clicking on the link.

How can the blame be pinned entirely on me when OCBC's scam prevention measures are poorly equipped to urgently deal with a case as it is happening?

  • Like 1

if you follow my this method

 

step 1: always set the limit to $0. only increase when you buy something, after paying fast hand fast leg to disable. usually a few min only

step 2: have a standalone account just for online. all other account, prefer not to have those all in one card, phone banking, online banking etc... (simple if you inconvenience yourself, you inconvenience the scammer too) if bank say they have all in one card only, then call them to disable the DC account but maintain the atm or net function only. if can't then set the limit to 0

step 3: prefer your standalone online account to have less than $20. if don't want to pay the service charge then keep it at $500.

step 4: set alert to sms you if there any deduction, for me i set at 0.01cent

 

 

the scammer can't steal what you don't have. if your debit card got only $20 at the most you lose $20. that if all the step 1, step 2, step 3 and step 4 failed.

* some paying like amazon if not immediately. so if you have $500 and the item is $80. then transfer the rest of the money or withdrawn out first. hacker can't steal if there no money inside

 

 

  • Like 1

Need to update my step 3 to,

step 3: prefer your standalone online account to have less than $20, even other account to have less than $20 and if don't want to pay the service charge then keep it at min balance (at your own risk)

the scammer can't steal what you don't have. if your debit card got only $20 at the most you lose $20. that if all the step 1, step 2, and step 4 failed.

 

 

 

The recent scam proof my step 1, 2 and 4 failed which only step 3 remain which is scammer can't steal what you don't have

 

Money put where, invest, Safety Deposit Boxes

Edited by The_King
  • Like 1

Others might laugh why i don't use online banking. Not that i'm outdated just that i don't trust in the website security.

 

Me and @The_King is doing the same thing.

 

Only top up my debit card amount when going to do purchases online (i use the atm to manually put $)

My steam/razor account all use top-up card purchased from 7-11/game shop/cheers.

 

I even don't have paylah, paynow, etc app. I prefer cold hard cash....

  • Like 2