Singapore gives banks two-week deadline to fix SMS security

A widespread phishing operation targeting Southeast Asia's second-largest bank – Oversea-Chinese Banking Corporation (OCBC) – has prompted the Monetary Authority of Singapore (MAS) to introduce regulations for internet banking that include use of an SMS Sender ID registry. Singapore banks have two weeks to remove clickable …

  1. Pascal Monett Silver badge

    "remove clickable links in text messages or e-mails sent to retail customers"

    They're still doing that ?

    My Luxembourg bank never sends me SMSs, and actually practically never sends me mail to my email address. All communications are held on the banking portal I have access to (ID, password and OTP token), and are held in the Message area, with a little red bell when there's something I haven't read.

    On the other hand, my bank does call me when there is an unusual transaction of more than €2,000 to ensure that it was me and that I authorize the movement.

    I appreciate that.

    1. Anonymous Coward

      I ENVY that.

      Once again the US is sucking its own exhaust pipe thanks to lack of things like your data protection/security laws, GDPR aside.

      Because our (Large, Corrupt, Inept, Expensive - Choose 3) carriers lobbied hard to kill any form of MFA other than SMS, and our banks are security inept and rely on insurance to lay off their liability, it's a little different out here.

      SMS codes have been required to log into both the mobile and desktop sites as well as the app. There is no opt out. There is no alternate if your line doesn't support SMS, or you work in a basement. There is no support for TOTP/Authenticator or FIDO/YubiKeys. In addition, many still send clickable links, and at least one major US carrier, Verizon, attempts to hijack and re-write both HTTP and HTTPS traffic. When I was in the EU the last three times, I was able to get a local SIM, and a month's call/data/SMS for less than a third of what I pay for monthlies here. In addition, to make things easy for local law enforcement to spy on me, the carriers still push config profiles onto almost all of our phones that enable SS7 downgrade attacks to succeed. They also require people to fill out "Security Questions", most of which are either re-used by every other site and service in the world, are easily guessable or public information, or are vague and could change over time. Because my favorite song isn't the same today as it was when I opened my account decades ago when I graduated high school.

      So while I think that some of the stuff in the article sounds like the government overreacting over stuff that its leadership does not fully grasp, most of it is solid, and change clearly won't happen by itself. Sadly, in the US we aren't even that far along.

      It's not that hard, and we literally can copy the moves the better players in the EU have already made, using off-the-shelf solutions they already sell. If I wasn't a victim of the American education system I'd emigrate, but not for the SMS stuff. You all might have noticed we got other problems.

      ...and your food is better. That we can get here though.

      1. Kernel

        Re: I ENVY that.

        "They also require people to fill out "Security Questions", most of which are either re-used by every other site and service in the world, are easily guessable or public information, or are vague and could change over time."

        You do realize that the answers you provide when setting up security question responses don't have to be correct, or even remotely related to the question, don't you?

        My approach is to provide unrelated nonsense answers to security questions, e.g., security question: "What is your mother's maiden name?" Expected response: "I'll have a whale burger with extra fries please."

        The only downside to this is that you need to keep track of your answers in a good password saver, but if you're doing passwords properly then you're probably already using one of them.

      2. ShadowSystems

        Re: I ENVY that.

        I like to pick random non-obvious answers to the security-theater-questions they ask.

        "What's your mother's maiden name?" Mercedes-Benz.

        "What was your favorite sport in school?" Chocolate fudge.

        "When were you born?" January 1st, 2000BCE.

        Those kinds of answers are an obvious lie, recorded for later regurgitation if needed, so that they can't be easily socially engineered.

        Because it's fun to answer the phone rep's question "How old were you when you got married?" with "Negative One!"

    2. gnasher729 Silver badge

      Re: "remove clickable links in text messages or e-mails sent to retail customers"

      Barclays sends me a notification for anything, within seconds. But through iOS push notifications to their app, not SMS, so that should be pretty hard to forge - a fraudster would have to convince Apple that a push notification comes from Barclays, and they would need a token for the combination (my phone, Barclays app) that Apple sent me.

  2. anthonyhegedus Silver badge

    I'm glad that the authority involved has put more onus on the banks. The only way these banks will learn to beef up their security as well as educate their customers is if they're forced to refund people their full loss every time someone is scammed. That'll focus their attention on education programmes (for example big posters saying "we never send a text with a link to a website" or "never give your 2FA code to anyone, ever"), and systems to ensure that spoof texts can't be sent. That might mean them paying the mobile networks to do it.

    1. Anonymous Coward

      My bank bans giving passwords to third parties, even going so far as to name Payment Express and similar (in a web page you might be able to find behind a disused basement lavatory).

      They don't, however, simply block these services or otherwise take steps to stop them. If it all goes wrong, they'll just say "we told you not to - see, here, behind this disused dunny".

    2. Anonymous Coward Silver badge

      And if the customers are fully refunded every time, where is their incentive to pay attention?

      People need to stop giving crooks details, and some form of financial penalty for doing so seems reasonable to me.

      1. Anonymous Coward

        Victim blaming isn't an answer by itself either.

        A big part of the problems these changes are correcting is the banks creating opportunities for a third party to drain your accounts or ruin your credit. Even in the case of link spoofing, if the bank regularly sends links in emails or SMS, and the mobile devices rarely let a non-technical user see the raw link, it's not just the user's fault if they punch their password into a convincing fake site.

        The banks can by and large prevent most of that, so they should own a chunk of liability as big as the door they held open for the fraudsters. Also, the penalties on the bank need to be big enough that the banks don't just write the cost of fraud/fines off as expense or a rounding error.

  3. Mike 137 Silver badge

    Some 'experts' never learn

    "Good, now my bank has to stop sending me links in SMSes suggesting installment plans for my $20 purchases."

    Nevertheless, in the UK, banks are busy implementing SMS tokens to authenticate card-not-present transactions, despite evidence of their fragility. EUROPOL make two key recommendations:

    ● Try to use two-factor authentication for your online services, rather than having an authentication code sent over SMS

    ● When possible, do not associate your phone number with sensitive online accounts

    What a pity the banks' 'security experts' haven't caught on.

    1. Anonymous Coward

      Re: Some 'experts' never learn

      Yeah, experts. Like our former and current government here stateside, and the BoJo show over there?

      The issue isn't just a lack of experts, it's a lack of motivation or consequences. SMS won because the carriers were still charging per text and every company's marketing weasels were drooling over building a database of people's cell phone numbers to sell to the highest bidder.

      They learned, just that they could get away with it. We're the ones who didn't learn. They said the sky would fall down if they were forced to stop doing it the dumb way. Even when we can just point across the pond at where it's working just fine, they still insist that it's impossible. Also that masks are evil, up is down, and Santa is real and will deliver a functional representative democracy if you just vote conservative one more time.
