Singapore Banks Planning to Eliminate OTPs for Online Logins in the Next 3 Months
Retail banking institutions in Singapore have been given three months to phase out the use of one-time passwords (OTPs) for authenticating customer logins to online accounts, a move intended to reduce the risk of phishing attacks.
The announcement was made jointly by The Association of Banks in Singapore (ABS) and the Monetary Authority of Singapore (MAS) on July 9, 2024.
“Users who have enabled their digital token on their cellular device will be required to employ their digital tokens for bank account logins via the web browser or the mobile banking application,” according to the MAS statement.
“The digital token will authenticate users’ logins without relying on an OTP that malicious individuals could pilfer or deceive users into revealing.”
MAS is also urging customers to activate their digital tokens to guard against attacks designed to steal credentials and hijack accounts in order to commit financial fraud.
“This strategy offers consumers added defense against unauthorized entry to their bank accounts,” said Ong-Ang Ai Boon, an ABS director. “Although this may lead to some inconvenience, such protocols are essential in combating scams and ensuring user safety.”
OTPs were originally introduced as a second authentication factor (2FA) to strengthen account security; however, cybercriminals have developed banking trojans, OTP bots, and phishing kits capable of harvesting these codes through counterfeit websites.
OTP bots, sold through Telegram for between $100 and $420, take social engineering a step further by calling users and persuading them to enter the 2FA code on their phones in order to bypass account protections.
Note that these bots are designed mainly to capture a victim’s OTP code, so fraudsters must first obtain valid credentials by other means, such as data breaches, datasets sold on the dark web, and credential phishing pages.
“The primary responsibility of the OTP bot is to call the target. Scammers rely on phone calls because verification codes have a limited validity period,” Kaspersky threat analyst Olga Svistunova said in a recent report.
“While a message might go unnoticed for some time, making a call to the target enhances the likelihood of obtaining the code. A phone call also provides scammers an opportunity to manipulate the victim’s response through their tone of voice.”
SlashNext recently disclosed details of an “end-to-end” phishing toolkit named FishXProxy that, while ostensibly offered for “educational purposes,” lowers the technical barrier for aspiring threat actors looking to run large-scale phishing campaigns while evading detection.
“FishXProxy equips cybercriminals with a potent toolkit for sophisticated email phishing operations,” the company said. “Campaigns start with uniquely generated links or dynamic attachments to evade initial scrutiny.”

“In addition, victims face sophisticated antibot systems using Cloudflare’s CAPTCHA to block security tools. A smart redirection system conceals actual destinations, and page expiration settings impede analysis and assist campaign management.”
Another notable feature of FishXProxy is its use of a cookie-based tracking mechanism that lets attackers identify and track individuals across different phishing projects or campaigns. It can also create malicious file attachments using HTML smuggling techniques, which help them evade detection.
“HTML smuggling is remarkably effective at evading perimeter security controls like email gateways and web proxies because it exploits the legitimate capabilities of HTML5 and JavaScript as well as various encoding and encryption methods,” Cisco Talos said in a report.
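Because every browser feature involved is legitimate on its own, attachment triage has to score the combination rather than any single call. The following heuristic is an added example for defenders, not code from the article, SlashNext, or Cisco Talos; the indicator set, the 200-character threshold, and all three sample documents are constructed assumptions.

```python
import base64
import re

# Browser features and decoding calls that HTML smuggling combines. Each one is
# legitimate on its own, so the verdict depends on the combination.
INDICATORS = {
    "blob_construct": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|<a\b[^>]*\sdownload\b", re.I),
    "legacy_save": re.compile(r"msSave(OrOpen)?Blob"),
    "decoder": re.compile(r"\batob\s*\(|fromCharCode|TextDecoder"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}


def scan_html(text, min_run=200):
    """Return indicator hits, longest encoded run, and a triage verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    runs = re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_run, text)
    longest = max((len(r) for r in runs), default=0)
    builds = "blob_construct" in hits or "legacy_save" in hits
    delivers = bool({"object_url", "download_attr", "legacy_save"} & set(hits))
    hides = "decoder" in hits and longest >= min_run
    if builds and delivers and hides:
        verdict = "suspicious"  # file assembled from an embedded encoded payload
    elif builds and delivers:
        verdict = "review"      # client-side download, e.g. a CSV export button
    else:
        verdict = "clean"
    return {"hits": hits, "longest_run": longest, "verdict": verdict}


# Constructed samples (not from any real campaign); the payload is plain text.
PAYLOAD = base64.b64encode(b"constructed harmless sample. " * 12).decode()
SMUGGLE_LIKE = (
    "<html><script>var d = atob('" + PAYLOAD + "');"
    "var b = new Blob([d]); var a = document.createElement('a');"
    "a.href = URL.createObjectURL(b); a.download = 'doc.txt'; a.click();"
    "</script></html>"
)
CSV_EXPORT = (
    "<button onclick=\"var b = new Blob(['a,b\\n1,2']);"
    "var a = document.createElement('a'); a.href = URL.createObjectURL(b);"
    "a.download = 'report.csv'; a.click();\">Export</button>"
)
PLAIN = "<html><body><p>Quarterly statement attached.</p></body></html>"

if __name__ == "__main__":
    for name, doc in [("smuggle", SMUGGLE_LIKE), ("csv", CSV_EXPORT), ("plain", PLAIN)]:
        print(name, scan_html(doc))
```

The middle "review" tier exists because ordinary export buttons use the same Blob and download calls; only the added decoder plus a long encoded run raises the verdict.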
The surge in mobile malware in recent years has prompted Google to launch a pilot program in Singapore that aims to prevent users from sideloading certain apps that abuse Android app permissions to read OTPs and collect sensitive information.


