Singapore: SMS one-time passwords diverted to perform fraudulent card payments

17 septembrie 2021

The Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS), and Singapore Police Force (SPF) announced that malicious actors overseas had diverted and used SMS one-time passwords (OTPs) to perform fraudulent credit card transactions affecting 75 bank customers in Singapore. These transactions, amounting to approximately S$500,000 in total, occurred between September and December 2020. Customers had reported that they had not initiated the transactions nor received the SMS OTPs required to perform these transactions.

Investigations by the banks found that their systems were secure, uncompromised, and not the cause of these incidents. 

Subsequent joint investigations by SPF and IMDA, with the support of the banks, revealed that malicious actors abroad had gained unauthorised access to the systems of overseas telecommunication operators and used them to modify the location data of the mobile phones used by the victims in Singapore. The malicious actors were thus able to divert to overseas mobile network systems the SMS OTPs sent by the banks to their customers. 

Having separately obtained their victims’ card details, the malicious actors then made fraudulent online card payment transactions and authenticated these transactions using the diverted SMS OTPs. The compromised overseas telecommunication networks have already been identified and notified, while investigations are ongoing to identify the perpetrators and bring them to justice.

SMS diversion is a mode of attack that requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks. While our local telecommunication networks are secure and had not been compromised, IMDA, in consultation with the Cyber Security Agency of Singapore (CSA), has required operators to put in place additional safeguards, including specialised firewalls and system safeguards to monitor and block suspicious diversions of SMS. 

As card details would be needed to perform the fraudulent card payments, we urge members of the public to be alert and vigilant against malware and phishing attempts that seek to obtain their personal details.

Banks have reviewed these cases with the assistance of SPF. Given the unique circumstances of these cases, banks will provide a goodwill waiver to affected customers who had taken care to protect their credentials. 

Adauga comentariu

Cifra/Declaratia zilei

Mihai Draghici – CEO PayByFace

„Dupa ce oamenii creeaza un cont PayByFace si au adaugat cardul, selfi-ul si PIN-ul, si au avut un pic de curaj sa se duca sa incerce, daca au incercat o data plata prin recunoastere faciala nu mai folosesc altceva (n.r. ca modalitate de plata). 80% dintre ei numai asta folosesc. Le place la nebunie.” 

Afla aici rezultatele in adoptia platii prin recunoastere faciala.


In 23 septembrie 2019, BNR a anuntat infiintarea unui Fintech Innovation Hub pentru a sustine inovatia in domeniul serviciilor financiare si de plata. In acest sens, care credeti ca ar trebui sa fie urmatorul pas al bancii centrale?