Singapore introduces potent anti-scam measures
Plans to block more scam sites, share liability between banks and customers
Singapore will step up efforts to stamp out phishing and spoofing, ministers told the island nation's parliament on Tuesday.
The topic earned ministerial attention after instances of attacks and scams soared recently. The standout example is the attack on Southeast Asia's second-largest bank, the Oversea-Chinese Banking Corporation (OCBC). In the OCBC bank scam, threat actors stole a combined SG$13.7 million ($10.2M) from 790 customers by spoofing text messages in what minister of finance Lawrence Wong referred to as "by far the most serious phishing scam seen" in Singapore.
Wong detailed several ways banks would be expected to improve security, including using more diverse machine learning algorithms to strengthen fraud detection tools to identify suspicious transactions. Banks will also be required to block suspicious transactions in a more consistent fashion, require additional customer confirmations for high-risk transactions or changes to account details, expand biometric technology, and accelerate adoption of – and preference for – mobile banking apps.
"These [measures] will introduce some frictions to customers undergoing genuine transactions," Wong predicted, "but we will all need to adapt and get used to these inconveniences."
Furthermore, Wong said customers and banks would have a shared responsibility for any losses in the future in order to prevent a "weaken[ed] incentive to be vigilant" on the part of the customer.
Communications and information minister Josephine Teo then highlighted new and future measures to prevent cyberscams – including an enhanced effort by the government to block malicious websites.
"In 2020, we blocked about 500 suspected scam websites, by 2021 the net was cast much more widely and 12,000 were blocked," said Teo. She noted the government had the capacity to block more, but that it could become a futile game of whack-a-mole as scammers react quickly and dynamically to circumvent the measures.
Teo revealed that at the peak of the OCBC phishing expedition, which lured customers to a website identical to the bank's and incentivized them to input their credentials, the government blocked 52 sites related to the scam in one day.
Another new measure will see Singapore's National Crime Prevention Council crowdsource scam reports from the public, to learn more about ongoing scams, via a WhatsApp channel expected to go live in the third quarter of 2022. Within Asia, WhatsApp is often the digital texting service of choice and has been adopted by many governments to disseminate information.
The city-state is also plagued by scam calls from foreign countries that spoof local numbers and identify the caller as a local authority or agency. Telecommunication companies are improving analytic tools to block such calls. Currently one in seven international calls coming into Singapore – 15 million per month – are blocked by a telco. Teo said this is expected to rise up to 55 million per month.
The country is also creating an alphanumeric ID registry to prevent threat actors from sending out SMS messages using a business's identity – as happened in the OCBC scam. To get on the registry of approved businesses, an organization must be a registered business with the government.
"Given the implications, IMDA (Infocomm Media Development Authority) will study the matter carefully before deciding whether or not to mandate the registration of all alphanumeric IDs," said Teo, adding that organizations should rethink how they use SMS.
Ms Teo said SMS was never meant for secure communication and compared it to the postal service – which she said is "generally safe, but we would not send very valuable items even using registered post."
Coincidentally, Singapore Post was also plagued by a phishing scam before Christmas 2021. Targets were told they owed money and needed to pay to receive packages, only to have their card number stolen when they complied.
Teo was careful not to call scams like the OCBC incident a cyberattack or cybersecurity breach, instead describing them as acts of deception committed at speed and scale.
"In the digital world where we have become so used to instant communications and transactions, our guard is down," said Teo.
Minister of state for home affairs Desmond Tan then revealed that the Singapore police have frozen 121 bank accounts and recovered SG$2 million ($1.5M) in relation to the OCBC scam. An additional SG$2.2 million ($1.6M) of victims' funds have been traced to 89 foreign bank accounts. Some 107 Singapore and 171 overseas IP addresses were linked to unauthorized access to the victims' accounts.
Following the threat of action from the Monetary Authority of Singapore, OCBC offered goodwill paybacks to all the victims of the scam bearing its name, under nondisclosure agreements. Wong said 90 per cent of the victims had already received reimbursement.