Banks in Singapore to phase out one-time passwords in 3 months


The Monetary Authority of Singapore (MAS) has announced a new requirement impacting all major retail banks in the country to phase out the use of one-time passwords (OTPs) within the next three months.

This initiative was agreed upon between the government and the Association of Banks in Singapore (ABS) to protect consumers against phishing and other scams.

“The use of OTP was introduced in the 2000s as a multi-factor authentication option to strengthen online security,” reads the MAS announcement.

“However, technological developments and more sophisticated social engineering tactics have since enabled scammers to more easily phish for customers’ OTP, for example through setting up fake bank websites that closely resemble the genuine websites.”

In addition to phishing sites, OTPs have been the target of Android malware for many years, helping their operators bypass two-factor authentication protections on target accounts.

This has prompted Google to take more aggressive action against the abuse of the ‘RECEIVE_SMS,’ ‘READ_SMS,’ and ‘BIND_Notifications’ permissions this year, with Singapore being among the first countries to receive the new protections.

Additionally, OTPs can be intercepted by man-in-the-middle attacks, and if they’re SMS-based, they can be intercepted by threat actors who conduct SIM-swapping attacks.

Singapore bank customers will now use digital tokens instead of OTPs, which they must activate on their mobile devices.

According to ABS, digital tokens are already activated for 60% to 90% of the customers of the country’s three major banks: DBS, OCBC, and UOB.

“The digital token will authenticate customers’ login without the need for an OTP that scammers can steal, or trick customers into disclosing,” explains MAS.

Those who have not activated their digital tokens are strongly encouraged to do so soon to benefit from better security against phishing actors and scammers.

Customers who don’t activate digital tokens will continue to receive OTPs as before, but those are expected to be an increasingly dwindling minority.




Source link