Hackers successfully intercepted one-time passwords (OTPs) sent via SMS by banks in Singapore to customers, executing fraudulent credit card transactions that totaled S$500,000.
The scheme, carried out late last year by criminals operating from abroad, impacted 75 bank customers, as reported by the Monetary Authority of Singapore and the local police force. Investigations revealed that the breaches were not due to vulnerabilities in bank systems. Instead, the hackers gained unauthorized access to overseas telecommunications providers’ systems, allowing them to alter the location data of mobile phones belonging to victims in Singapore.
This manipulation enabled the criminals to redirect the SMS OTPs intended for bank customers to foreign mobile networks. Upon separately obtaining the victims’ card details, the hackers conducted fraudulent online transactions, using the diverted OTPs to authenticate those actions.
In response, the Infocomm Media Development Authority has urged mobile operators to implement specialized firewalls and system safeguards. The public is also being advised to remain vigilant against malware and phishing threats.
In light of the unique circumstances surrounding these incidents, banks have committed to providing a goodwill waiver for the affected customers who had taken appropriate measures to protect their credentials.