The Monetary Authority of Singapore (MAS) has introduced a new requirement affecting all major retail banks in the country to phase out the use of one-time passwords (OTPs) within the next three months.
This initiative was agreed upon between the government and the Association of Banks in Singapore (ABS) to protect customers against phishing and other scams.
“The use of OTP was introduced in the 2000s as a multi-factor authentication option to strengthen online security,” reads the MAS announcement.
“Nevertheless, technological developments and more sophisticated social engineering tactics have since enabled scammers to more easily phish for customers’ OTP, for example through setting up fake bank websites that closely resemble the genuine websites.”
In addition to phishing sites, OTPs have been the target of Android malware for a few years, helping its operators bypass two-factor authentication protections on targeted accounts.
This has prompted Google to take more aggressive action against the abuse of the ‘RECEIVE_SMS,’ ‘READ_SMS,’ and ‘BIND_Notifications’ permissions this year, with Singapore being among the first countries to receive the new protections.
Moreover, OTPs can be intercepted in man-in-the-middle attacks, and if they’re SMS-based, they can be intercepted by threat actors who conduct SIM-swapping attacks.
Singapore bank customers will now use digital tokens instead of OTPs, which they must activate on their mobile devices.
According to ABS, digital tokens are already activated for 60% to 90% of the customers of the country’s three major banks: DBS, OCBC, and UOB.
“The digital token will authenticate customers’ login without the need for an OTP that scammers can steal, or trick customers into disclosing,” explains MAS.
Those who haven’t activated their digital tokens are strongly encouraged to do so soon to benefit from better protection against phishing actors and scammers.
Customers who don’t activate digital tokens will continue to receive OTPs as before, but these are expected to be an increasingly dwindling minority.