Banks in Singapore waive S$500,000 stolen via fraudulent card payments

BANKS in Singapore have had to waive S$500,000 stolen from 75 customers after fraudsters diverted and used SMS one-time passwords meant for verifying credit card transactions.

The fraudulent transactions occurred between September and December 2020, said a joint statement from the Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS), and Singapore Police Force (SPF) on Wednesday.

Malicious actors overseas had gained unauthorised access to the systems of overseas telecommunications operators and used them to modify the location data of the mobile phones used by Singapore victims.

This allowed them to divert SMS OTPs sent by banks to their customers to overseas mobile network systems. Separately, they obtained the victim's card details and authenticated the fraudulent transactions with the SMS OTPs.

Customers had reported that they did not initiate the transactions nor received the SMS OTPs needed to perform them. Meanwhile, banks also found their systems secure, uncompromised and not the cause of these incidents.

IMDA, MAS and SPF said the compromised overseas telecommunication networks have already been identified and notified, while investigations are ongoing to identify the perpetrators and bring them to justice.

Although local telecommunication networks are secure and uncompromised, IMDA, in consultation with the Cyber Security Agency of Singapore (CSA), has required operators to put in place additional safeguards.

This includes specialised firewalls and system safeguards to monitor and block suspicious diversions of SMS.

"Given the unique circumstances of these cases, banks will provide a goodwill waiver to affected customers who had taken care to protect their credentials," the joint statement said.