Singapore banks ditching OTPs for online logins in 3 months

July 15, 2024



TLDR:

  • Singapore banks are phasing out OTPs for online logins within 3 months to mitigate the risk of phishing attacks.
  • The move is to encourage customers to activate digital tokens for authentication instead of relying on OTPs.

Retail banking institutions in Singapore have three months to phase out the use of one-time passwords (OTPs) for authentication when customers sign in to online accounts, a step intended to mitigate the risk of phishing attacks. The decision was announced by the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) on July 9, 2024.

Customers who have activated their digital token on their mobile device will have to use it for bank account logins via the browser or the mobile banking app. The MAS is urging customers to activate their digital tokens to safeguard against attacks designed to steal credentials and hijack accounts to commit financial fraud.

OTPs were originally introduced as a second authentication factor to bolster account security, but cybercriminals have found ways to harvest the codes using methods such as OTP bots and phishing kits. Last week, SlashNext disclosed details of an “end-to-end” phishing toolkit dubbed FishXProxy that lowers the technical bar for attackers launching phishing campaigns at scale. Google has also unveiled a pilot program to prevent users from sideloading certain apps that abuse Android app permissions to read OTPs.

