Singapore to Phase Out One-Time Passwords in Banking
Monetary Authority Responds to Surge in Phishing Scams That Impersonate Banks
The Monetary Authority of Singapore said Tuesday that major retail banks will phase out one-time passwords for bank account logins over the next three months for customers who use secure digital tokens to authenticate their identity.
The authority said digital token users will no longer have to rely on auto-generated, one-time passwords to log in to their bank accounts through a web browser or mobile app, and it strongly advised online banking users to activate digital tokens for their banking accounts.
The announcement followed the Singapore Police issuing a warning about the reemergence of phishing scams that involved scammers impersonating banks to make victims divulge their banking account usernames, passwords and one-time passwords. In December, scammers defrauded 103 people in Singapore out of at least S$161,000.
The problem appears to be growing. In the first two weeks of January, scammers defrauded 219 people out of at least S$446,000. Many of these attacks involved scammers impersonating banks in SMS messages in which they directed users to click on links to verify their identities or cancel phony transactions.
President of Singapore Tharman Shanmugaratnam, who served as the chairman of the Monetary Authority of Singapore till July 2023, told Parliament shortly before stepping down from the post last year that the financial authority would set a deadline for phasing out one-time passwords as a sole authentication factor for high-risk transactions.
He said Singapore banks had already started phasing out SMS-based authentication for banking activities such as adding payees or changing fund transfer limits, reported Yahoo Finance Singapore. Shanmugaratnam, however, ruled out giving banking users the option to opt out of SMS OTPs, warning that such a move could dilute banks' multilayered security for protecting customers.
The monetary authority said in its Tuesday announcement that, unlike one-time passwords, digital tokens cannot be phished by scammers who set up fake bank websites, and that scammers cannot access a bank account or funds without the customer's explicit authorization.