Yahoo Finance 
SMS OTP: MAS to set deadline for banks to phase it out as sole authentication factor
Complete removal of the SMS one-time password (OTP), however, would "limit the authentication toolkit that the banks have".
SINGAPORE — The Monetary Authority of Singapore (MAS) will set a deadline for all retail banks to phase out the use of Short Messaging Service (SMS) one-time passwords (OTP) as a sole authentication factor for high-risk transactions, said MAS Chairman and Senior Minister Tharman Shanmugaratnam.
Tharman said this in a written response on behalf of the Prime Minister to parliamentary questions raised by Member of Parliament (MP) for Aljunied Group Representation Constituency (GRC) Gerald Giam and MP for Jurong GRC Tan Wu Meng on Wednesday (5 July).
Giam had asked how many fraudulent bank transactions have been made in the past year as a result of SMS OTP diversions, whether MAS has a timeline for requiring banks to phase out the use of SMS OTPs in favour of other multi-factor authentication (MFA) methods, and whether MAS will require banks to provide customers with the option to stop the use of SMS OTPs if they are already using other MFA methods.
Tan had asked if MAS will consider reviewing previously closed cases of customer disputes with banks where unauthorised transactions were reported despite one-time passwords not being divulged or received.
In his response, Tharman stated that the risk of SMS OTPs being diverted has now been "largely addressed" given the implementation of additional security safeguards by local telecommunication operators to mitigate the risk of being compromised.
He added that the Singapore Police Force (SPF) had not found any confirmed cases of SMS OTP diversions since January 2021.
However, the Senior Minister acknowledged the vulnerability of the SMS channel and said that the transition by banks in Singapore to phase out SMS OTP as a sole authenticating factor for high-risk banking activities, such as adding payees and changing fund transfer limits, is already underway.
No option to opt out of SMS OTP
On whether bank customers would have the option to opt out of SMS OTPs, Tharman said that MAS does not currently see the need to require banks to provide such an option, as it "would limit the authentication toolkit that the banks have" and "dilute the effectiveness of multi-layered security for protecting customers".
"When used in combination with other authentication factors such as biometrics or digital tokens, SMS OTP provides an additional layer of security that fraudsters have to overcome," said Tharman.
He added that the SMS OTP authentication method is accessible by all customers as it can be received on any type of mobile device, hence allowing all banking customers to perform low-risk activities such as viewing account balances and paying bills without the need for an additional device.
"Removing SMS OTPs entirely will exclude a significant number of online banking customers who do not own mobile devices that can install digital tokens," said Tharman.
Also read: Banking-related malware scams: 16 year old among 13 arrested for suspected involvement
Also read: OCBC phishing scam: Only 9 out of 120 money mules charged
Also read: Online home rental scams in Singapore increased by over 400 per cent in 2022
Transition will not address other scam types
Tharman also noted that the transition away from having SMS OTP as the sole authentication factor for high-risk banking activities would not address other scam types, in particular, those related to phishing and malware to steal banking credentials.
He expressed concern that in more recent cases where scammers gained the ability to control customers' devices through malware, customers may not even be aware that SMS OTPs had been delivered to their mobile devices or that unauthorised transactions have been performed. This is because the scammer who has obtained control over the device can delete both the SMS OTPs and transaction notifications.
Members of the public are strongly urged to heed the advisory published by the Cyber Security Agency of Singapore on an ongoing malware campaign targeting Android devices in May 2023:
(a) Pay attention to the security permissions requested by the application and be wary of applications that ask for unnecessary permissions on mobile devices.
(b) Install applications only from the official Google Play Store.
(c) Uninstall any unknown applications that are found on mobile devices immediately.
(d) Perform anti-virus scans and keep regular backups of important data.
(e) Ensure that mobile devices' operating systems and applications are updated regularly to be protected by the latest security patches.
Bank customers are also advised to immediately contact the bank or activate the "kill switch" provided by banks to freeze their accounts upon discovering that unauthorised transactions have been made or suspecting that their devices have been compromised by malware.
Fraudulent activities should also be reported to the police.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688. Anyone with information on such scams may call the Police Hotline at 1800-255-0000 or submit information online at www.police.gov.sg/iwitness.
Follow us on Facebook, Instagram, TikTok and Twitter.
