Singapore banks to phase out use of OTPs to prevent online fraud

The development of technology has led to an increase in fraud, of which, impersonating bank websites to steal OTP codes is one of the most dangerous tricks. To protect customers from these threats, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) have implemented new authentication measures to enhance security and effectively prevent fraudulent activities.

To enhance information security, major banks in Singapore including DBS Bank, OCBC Bank and UOB will officially stop supporting OTP logins in November. All customers will be required to switch to using digital tokens, a more secure and convenient authentication method.

Customers of other banks who are using physical tokens can continue to use them normally. However, to enjoy superior convenience and enhanced security, the authorities recommend switching to using digital tokens.

To protect online transactions, banking apps send push notifications asking users to confirm before completing each transaction. This is an additional layer of security that helps prevent fraudulent activities.

With digital tokens, account protection becomes more secure, as fraudsters cannot make transactions remotely without the user's device.

Unlike digital tokens, OTP codes are vulnerable to fraudsters. They can steal users' OTP codes through scam calls, fake messages or install malware, thereby making unauthorized transactions.

What is a digital token?

Digital Tokens are used to authenticate logins and transactions on mobile banking apps and essentially replace physical tokens issued by banks.

Customers with activated digital tokens on their mobile devices will need to use these tokens to log in to their bank accounts via a browser or mobile app.

Once the digital token is set up, the customer no longer needs to use the physical token. Through the digital token, the user will only authenticate through the prompt generated by the application, which the user must tap to approve the transaction.

How will eliminating OTP codes make banking safer?

OTP codes were introduced in the 2000s to enhance online security, but social engineering tactics and technological advancements have made it easier for fraudsters to steal customers' OTP codes through fake banking websites.

Victims of cyber fraud are often tricked into revealing login information, such as usernames and passwords, as well as OTP codes. OTP codes are often generated using security devices such as hardware tokens or mobile applications to ensure the security of transactions. However, when this information falls into the wrong hands, it can be used to steal the victim's assets.

The security of sending OTP codes via SMS is very limited. SMS messages are easily shared by mistake or intercepted by malware, allowing criminals to take advantage of them to make unauthorized transactions.

Removing OTP codes and replacing them with detailed transaction notifications not only increases user security but also gives them more proactive control over their accounts. This is why authorities recommend users to switch to digital tokens.

Are users completely safe when using digital tokens?

Phishing sites often prey on users’ lack of vigilance by creating fake authentication prompts. If users are not careful, they can unwittingly approve transactions, giving the attacker the power to hijack digital tokens and make illegal transactions.

With digital tokens, transaction authentication becomes simpler and more secure. With just one tap, you can complete the authentication process, while OTP codes require many manual steps and pose many security risks.

Therefore, users should always carefully review the content of the prompt generated by the digital token and only confirm the transaction if they are sure about the purpose of that transaction.

With a single-device pairing mechanism and intelligent virus scanning capabilities, digital tokens form a solid layer of security, protecting users' accounts from threats such as login information theft and malware attacks. Unlike traditional authentication methods, digital tokens provide a multi-layered layer of security, giving users peace of mind when transacting online.

The single-device pairing feature of the digital token creates a significant barrier to fraudulent activity. By forcing fraudsters to wait 12 hours to reactivate the token on another device, we have significantly reduced the risk of being attacked, said Beaver Chua, Head of Anti-Fraud at OCBC Bank.

Regarding this issue, Ms. Ong-Ang Ai Boon, Director of the Association of Banks in Singapore, said: “We understand that new security measures may cause some inconvenience to customers. However, with the increasingly sophisticated fraud situation, strengthening authentication is extremely urgent to protect your accounts and money.”

Meanwhile, Ms Loo Siew Yee, Assistant Managing Director of Policy, Payments and Financial Crime at the Monetary Authority of Singapore, said: “We are working closely with banks to build a strong defence system to protect consumers from the growing threat of cybercrime. This new measure will provide an additional layer of protection, giving customers greater peace of mind when transacting online.”

Previously, in 2023, Citibank - a multinational bank headquartered in the US - also proactively implemented the conversion of transaction authentication methods for customers, in order to improve security and user experience. Instead of sending OTP codes via text messages, the bank switched to using digital tokens.

Digital tokens are randomly generated and have a short expiry date, effectively preventing counterfeit attacks. This conversion aims to improve the security of online transactions, reduce the risk of information theft and give customers more peace of mind when making financial transactions.