Singapore’s Mobile Wallet Scam – Another Case of OTP Theft
A recent report out of Singapore states that the Singapore Police Force (SPF) is warning of an increase in scams involving stolen card credentials and mobile wallets, predominantly Apple Pay. It is yet another avoidable example of the weakness of OTPs that are keyed into a website: whoever holds the digits can use them.
How Scammers Exploit Mobile Wallets for Fraud
This particular scam is based around fake e-commerce-related websites. When an unsuspecting victim attempts to purchase goods or services through one of these sites with their card details, the scammers capture the card details and add them to a mobile wallet.
The Role of OTPs in Mobile Wallet Takeovers
Adding a card to a wallet in Singapore requires the issuer to send an OTP to the phone number registered to that card. The victim, assuming the OTP that arrives on their phone relates to the purchase they believe they are making, simply types it back into the fake website, where the scammers retrieve it and use it to authorize the addition of the card to their wallet.
Provisioning is a one-off step: once the OTP is accepted, the card is linked to the scammer's mobile wallet and can be used for fraudulent transactions without any further OTP.
Rising Cases of Mobile Wallet Fraud in Singapore
The SPF claims that in Q4 2024, 656 reports were lodged where cards were phished using this technique and provisioned to scammers’ mobile wallets. The losses amounted to at least $1.2 million.
Why Traditional OTP-Based Authentication Fails for Mobile Wallets
This is simply a variation on a theme of covertly obtaining OTPs to commit fraud. Other variations include SIM swapping, social-engineering phone calls or messages, and even SS7 hacking. They all work for the same reason: an OTP is a bearer credential. Anyone who holds the digits can use them; nothing ties the code to the person it was sent to, so it can be transferred through any of these channels.
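To make the relay concrete, here is an added simulation of the provisioning flow described above. It was written for this edit; it is not code from the SPF report, from Apple, or from ValidSoft. The issuer runs in two modes. In bearer mode the six digits alone complete provisioning, so the scammer's relayed OTP succeeds. In owner-bound mode the issuer additionally requires a proof that only the cardholder's own channel can produce, and only for that specific provisioning session; an HMAC keyed by a per-owner secret stands in for the biometric here, because the property being demonstrated is the binding, not the biometric itself. The card number, phone number, device names and SMS text are constructed test data.

```python
"""Constructed simulation of the wallet-provisioning OTP relay scam (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time


def owner_proof(owner_secret: bytes, session_id: str, otp: str) -> str:
    """Stand-in for the spoken/biometric factor: a value only the owner's own channel
    can produce, and only for this session. Assumption: an HMAC keyed by a per-owner
    secret models 'only this person can produce it'; it is not a biometric."""
    return hmac.new(owner_secret, f"{session_id}|{otp}".encode(), hashlib.sha256).hexdigest()


class Issuer:
    """Card issuer that gates wallet provisioning behind an SMS OTP."""

    def __init__(self, owner_bound: bool) -> None:
        self.owner_bound = owner_bound          # False: bearer OTP (status quo); True: owner-bound
        self.cards: dict[str, dict] = {}        # PAN -> registered phone and owner secret
        self.pending: dict[str, dict] = {}      # session_id -> outstanding provisioning request
        self.sms: list[tuple[str, str]] = []    # (phone number, text): simulated SMS channel

    def register_card(self, pan: str, phone: str, owner_secret: bytes) -> None:
        self.cards[pan] = {"phone": phone, "owner_secret": owner_secret}

    def start_provisioning(self, pan: str, wallet_device: str) -> str:
        """A wallet asks to add `pan`; the issuer texts an OTP to the registered phone."""
        otp = f"{secrets.randbelow(10**6):06d}"
        session_id = secrets.token_hex(8)
        self.pending[session_id] = {"pan": pan, "otp": otp, "expires": time.time() + 300}
        self.sms.append((self.cards[pan]["phone"],
                         f"OTP {otp} to add card ending {pan[-4:]} to wallet on {wallet_device}"))
        return session_id

    def complete_provisioning(self, session_id: str, otp: str, proof: str | None = None) -> bool:
        """True if the card is provisioned. Bearer mode: the digits suffice.
        Owner-bound mode: the caller must also present the owner's proof for this session."""
        req = self.pending.get(session_id)
        if req is None or time.time() > req["expires"]:
            return False                                   # unknown or expired session
        if not hmac.compare_digest(otp, req["otp"]):
            return False                                   # wrong digits
        if self.owner_bound:
            expected = owner_proof(self.cards[req["pan"]]["owner_secret"], session_id, otp)
            if proof is None or not hmac.compare_digest(proof, expected):
                return False                               # digits alone are not enough
        del self.pending[session_id]                       # OTP is single use
        return True


class VictimPhone:
    """The cardholder: reads whatever OTP arrives by SMS and, exactly as in the scam,
    types it wherever they are asked. Only their own wallet can attach the owner proof."""

    def __init__(self, phone: str, owner_secret: bytes) -> None:
        self.phone = phone
        self.owner_secret = owner_secret

    def latest_otp(self, issuer: Issuer) -> str:
        text = [t for p, t in issuer.sms if p == self.phone][-1]
        return text.split()[1]                             # the six digits after "OTP"

    def add_card_to_own_wallet(self, issuer: Issuer, pan: str) -> bool:
        session = issuer.start_provisioning(pan, wallet_device="owner-iphone")
        otp = self.latest_otp(issuer)
        return issuer.complete_provisioning(session, otp, owner_proof(self.owner_secret, session, otp))


def _setup(owner_bound: bool) -> tuple[Issuer, VictimPhone, str]:
    issuer = Issuer(owner_bound)
    pan, phone = "4111111111111111", "+65-0000-0000"       # constructed test data
    victim = VictimPhone(phone, owner_secret=secrets.token_bytes(32))
    issuer.register_card(pan, phone, victim.owner_secret)
    return issuer, victim, pan


def run_scam(owner_bound: bool) -> bool:
    """The fake e-commerce site captures the card and relays the OTP.
    Returns True if the scammer's wallet ends up holding the card."""
    issuer, victim, pan = _setup(owner_bound)
    # 1. Victim "checks out" on the fake shop and hands over the card number.
    # 2. Scammer immediately starts provisioning that card into their own wallet.
    session = issuer.start_provisioning(pan, wallet_device="scammer-android")
    # 3. The issuer's SMS lands on the victim's phone; the fake shop asks for "the OTP
    #    for your purchase" and the victim types it in. The scammer now holds the digits.
    stolen_digits = victim.latest_otp(issuer)
    # 4. Scammer submits the digits. They cannot produce the owner proof, so they send none.
    return issuer.complete_provisioning(session, stolen_digits, proof=None)


def run_legitimate(owner_bound: bool) -> bool:
    """The cardholder adds the card to their own wallet; should succeed in both modes."""
    issuer, victim, pan = _setup(owner_bound)
    return victim.add_card_to_own_wallet(issuer, pan)


if __name__ == "__main__":
    print("bearer OTP, relay scam succeeds:", run_scam(owner_bound=False))
    print("owner-bound OTP, relay scam succeeds:", run_scam(owner_bound=True))
```

Note that the SMS text already names the purpose and the target device; the relay still works in bearer mode because the issuer never learns whether the person typing the digits is the person who received them. That is the gap owner binding closes.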
How Voice Biometrics Can Secure Mobile Wallets
The Singapore mobile wallet scam is stopped in its tracks if voice biometrics are deployed and the OTP, while still part of the authorization process, is spoken into the mobile wallet rather than keyed in as it is today. This binds the OTP to its intended recipient, in this case the victim of the fake website, and makes mere possession of the digits useless to the scammer. It is no longer a case of an anonymous person typing in 4 or 6 digits; the anonymity is removed, and the digits must be spoken by their correct and unique owner. For that property to hold, the voice check must also resist replay, so that a recording the fake site could capture from the victim does not pass.
Binding an OTP to its owner is what defeats this whole class of scams, in which possession of a few digits is all that fraud requires. ValidSoft’s See-Say® solution protects online transactions and mobile wallets with the highest security and user ease. Get a demo today!