Singapore’s banking sector is set to phase out the use of one-time passwords (OTPs) for online transactions. The transition marks a critical step in the city-state’s ongoing efforts to fortify its financial systems against evolving cyber threats.
The Monetary Authority of Singapore (MAS) announced the initiative, highlighting the increasing vulnerabilities associated with OTPs. The move is part of a broader strategy to adopt more robust multi-factor authentication (MFA) mechanisms.
“Customers who have activated their digital token on their mobile device will have to use their digital tokens for bank account logins via the browser or the mobile banking app,” the MAS said. “The digital token will authenticate customers’ login without the need for an OTP that scammers can steal, or trick customers into disclosing.”
Retail banking institutions have a three-month deadline to discontinue the use of one-time passwords (OTPs) for online account authentication, aiming to reduce the risk of phishing attacks.
The decision comes amid a backdrop of rising cyberattacks targeting financial institutions worldwide, with attackers frequently exploiting weaknesses in OTP-based systems.
Phishing scams were among the top five scam types last year according to the Singapore Police Force Annual Scams and Cybercrime Brief 2023, with at least $14.2 million stolen from customer accounts.
In addition to phishing sites, OTPs have been the target of Android malware for many years, helping their operators bypass two-factor authentication protections on target accounts. The new authentication method aims to strengthen security, making it significantly more difficult for unauthorized parties to access customers’ accounts and funds.
OTPs were first implemented in the early 2000s as part of a multi-factor authentication strategy to enhance online security. However, technological advancements and increasingly sophisticated social engineering tactics used by scammers have made it easier for them to intercept or Fraudulently obtain OTPs.
Singapore bank customers will now use digital tokens instead of OTPs, which they must activate on their mobile devices. Under the new guidelines, banks will transition to more secure authentication methods. These measures are expected to provide a higher level of security by leveraging unique identifiers that are harder to replicate or steal.
For customers who have enabled digital tokens on their mobile devices, these tokens will be required for logging into their bank accounts through browsers or mobile banking apps. The digital tokens will authenticate logins without the need for OTPs, which are vulnerable to theft and can be exploited by scammers through tactics such as fake banking websites.
The MAS is also advising customers to activate their digital tokens to protect against credential-stealing attacks and account hijacking aimed at committing financial fraud.
Do you have any story or press releases you want to share? Send tips to editor@envestreetfinancial.com
Follow us on Twitter, Facebook, or LinkedIn to ensure you don’t miss out on any