Singapore Banks Fight Phishers by Phasing Out One-Time-Passwords for Account Logins

Banks in Singapore are phasing out one-time-passwords (OTP) for account logins to combat phishing scams.

As we note in our short guide “Why Use an Authenticator App Instead of SMS?”, two-factor authentication has become imperative, as criminals have learned to compromise almost any password. While SMS-based 2FA is better than no 2FA at all, authenticator apps provide stronger safeguards against threat actors looking to hack into your online accounts.

But even that’s not enough now.

Better protection against phishing scams

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) this week announced that major retail banks in Singapore will “progressively phase out” reliance on OTPs for customers who use the bank’s official “digital token” app on their phone.

Rolling out over the next three months, the initiative will "better protect" against phishing.

“Customers who have activated their digital token on their mobile device will have to use their digital tokens for bank account logins via the browser or the mobile banking app,” according to the announcement. “The digital token will authenticate customers’ login without the need for an OTP that scammers can steal, or trick customers into disclosing.”

Customers who have yet to activate their digital tokens are “strongly encouraged to do so, to lower the risk of having their credentials phished.”

Phishing was among the top five types of scams targeting e-citizens last year, with at least $14.2 million lost to them, according to Singapore police figures.

Ever-more sophisticated social engineering tactics have enabled scammers to more easily phish for customers’ OTPs, for example by setting up fake websites that closely resemble the real bank portal, says the joint statement by MAS and ABS.

“This latest measure will strengthen the authentication process, making it harder for scammers to fraudulently access a customer's account and funds without the customer’s explicit authorisation using his mobile device.”

Always be proactive

According to the results of the Bitdefender 2024 Consumer Cybersecurity Assessment Report, text-borne scams are the most common cyber threat consumers face today.

Credit: Bitdefender

If you're suspicious about a certain phone call, email or SMS, Bitdefender offers Scamio as a fast and efficient way to find out if you’re being scammed. Simply describe the situation to our clever chatbot and let it guide you to safety. You can share with Scamio the exact item you want to check: a screenshot, PDF, QR code or link. Scamio lets you know in seconds if it’s a scam. Use it anywhere via web browser, Facebook Messenger, or WhatsApp. Scamio is localized for use in the USA, France, Germany, Spain, Italy, Romania, Australia and the UK.

And don’t forget the powerful Scam Alert features in Bitdefender Mobile Security. Scam Alert for iOS includes two layers of protection that monitor scams delivered through SMS/MMS messages and calendar invites. On Android, we warn users when we detect link-based mobile attacks delivered through SMS and popular messaging apps (Discord, Telegram, Facebook Messenger, WhatsApp), or notifications.