The Monetary Authority of Singapore (MAS) has announced a new requirement for all major retail banks in the country to phase out the use of one-time passwords (OTPs) within the next three months.
The measure was agreed between the government and the Association of Banks in Singapore (ABS) to protect consumers against phishing and other scams.
“The use of OTP was introduced in the 2000s as a multi-factor authentication option to strengthen online security,” reads the MAS announcement.
“Nevertheless, technological developments and more sophisticated social engineering tactics have since enabled scammers to more easily phish for customers’ OTP, for example by setting up fake bank websites that closely resemble the genuine websites.”
In addition to phishing sites, OTPs have been the target of Android malware for many years, helping its operators bypass two-factor authentication protections on targeted accounts.
This has prompted Google to take more aggressive action against the abuse of the ‘RECEIVE_SMS,’ ‘READ_SMS,’ and ‘BIND_Notifications’ permissions this year, with Singapore being among the first countries to receive the new protections.
Additionally, OTPs can be intercepted by man-in-the-middle attacks, and if they’re SMS-based, they can be intercepted by threat actors who conduct SIM-swapping attacks.
Singapore bank customers will now use digital tokens instead of OTPs, which they must activate on their mobile devices.
According to ABS, digital tokens are already activated for 60% to 90% of the customers of the country’s three major banks: DBS, OCBC, and UOB.
“The digital token will authenticate customers’ login without the need for an OTP that scammers can steal, or trick customers into disclosing,” explains MAS.
Those who haven’t activated their digital tokens are strongly encouraged to do so soon to benefit from better protection against phishing actors and scammers.
Customers who don't activate digital tokens will continue to receive OTPs as before, but these are expected to be an increasingly dwindling minority.