Major banks in Singapore will begin phasing out the use of one-time passwords (OTP) for bank account logins by customers who are digital token users.
These banks include DBS, OCBC, and UOB.
The move, which will be implemented within the next three months, will protect bank users against phishing scams, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said in a press release on Tuesday (July 9).
Bank customers who are using physical tokens will not be affected.
Customers who have activated their digital token on their mobile device will have to use them for bank account logins via the browser or the mobile banking app, MAS and ABS said.
The digital token will authenticate customers’ logins without the need for an OTP, which scammers can steal or trick them into disclosing, they added.
“Customers who have not activated their digital tokens are strongly encouraged to do so to lower the risk of having their credentials phished,” MAS and ABS said.
$14.2 million was lost to phishing scams last year.
Introduced in the 2000s, OTPs were seen as a multi-factor authentication option to strengthen online security.
But technological developments and more sophisticated social engineering tactics have since enabled scammers to phish for customers’ OTP, MAS, and ABS.
Phishing scams were among the top five ruses in Singapore last year, with at least $14.2 million lost, according to data released by the Singapore Police Force earlier this year.
“This latest measure will strengthen the authentication process, making it harder for scammers to fraudulently access a customer’s account and funds without the customer’s explicit authorization using his mobile device,” they added.
The director of ABS, Ong-Ang Ai Boon, said that while this measure may give rise to some inconvenience, it is necessary to help prevent scams and protect customers.
“MAS continues to work closely with banks to protect consumers by leaning hard against digital banking scams,” Loo Siew Yee, MAS’s assistant managing director (policy, payments, and financial crime), added.
“This latest measure will complement good cyber hygiene practices that customers must continue to practice, such as safeguarding their banking credentials.”
