Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months
2024-07-15 07:19

Retail banking institutions in Singapore have three months to phase out the use of one-time passwords for authentication purposes when signing into online accounts to mitigate the risk of phishing attacks.

The decision was announced by the Monetary Authority of Singapore and The Association of Banks in Singapore on July 9, 2024.

"Customers who have activated their digital token on their mobile device will have to use their digital tokens for bank account logins via the browser or the mobile banking app," the MAS said.

While OTPs were originally introduced as a form of second-factor authentication to bolster account security, cybercriminals have devised banking trojans, OTP bots, and phishing kits that are capable of harvesting such codes using lookalike sites.

"Victims then face advanced antibot systems using Cloudflare's CAPTCHA, filtering out security tools. A clever redirection system obscures true destinations, while page expiration settings hinder analysis and aid campaign management."

The rise of mobile malware over the years has also prompted Google to unveil a new pilot program in Singapore that aims to prevent users from sideloading certain apps that abuse Android app permissions to read OTPs and gather sensitive data.


News URL

https://thehackernews.com/2024/07/singapore-banks-to-phase-out-otps-for.html
