Sharks in the Digital Waters – What will it take to Stop the Latest Bank Phishing Attacks?
By John Petersen, SVP Global Business Development
The recent spate of SMS-based phishing attacks on Singapore banks is intriguing in several ways:
- The exact nature of the attack.
- The local population’s awareness of these attacks.
- The response from the relevant authorities.
The preferred method of securing Internet banking transactions in Singapore appears to be SMS-based OTPs, as it is for many banks elsewhere in the world. Unfortunately, as many banks have found to their own and their customers’ detriment, SMS is not a secure medium for delivering authentication codes.
What appears to be different in these recent cases is the method of attack. Normally, fraudsters who have already gained access to a victim’s online account need only the OTP to complete a funds transfer, for instance. In such attacks the weapon of choice is typically a SIM swap or, in some confirmed cases, a direct breach of the mobile network itself through vulnerabilities in the SS7 signalling protocol.
In the case of the Singapore banks, no mention was made of SIM swapping; instead, there appears to have been a human-operated man-in-the-middle attack. The fraudsters sat behind a fake website, relaying the information the victim entered into the genuine banking app. This triggered an OTP, sent by SMS to the victim’s mobile, which the victim promptly entered into the fake website for the fraudster to use. And voilà, the scam was complete. In the case of at least one bank, the fraudsters appear to have downloaded the bank’s OTP-generating app, activated it with the stolen OTP, and from that point on were able to generate their own OTPs: the man in the middle cutting out the middle man, as it were.
So how did the victims end up on the fake website? Unfortunately, a lack of awareness of phishing scams duped customers into clicking on the link. Such lack of awareness is consistent with the results of a poll conducted by the Singapore government’s Cyber Security Agency in 2020, which found that only 4% of citizens could identify such phishing attempts.
With such a low percentage of people able to spot a scam, a strategy of protecting them regardless of whether they fall for a phishing scam would be one way of ensuring trust and reducing fraud losses.
The Singapore regulator and banks have resorted to severe measures to reduce this problem: they have decided to remove links from all legitimate text messages and emails, reduce the default funds transfer limit to $100 or less, and introduce delays in processing certain requests.
The problem, as ever, is reliance on proxy authentication: in this case, possession of a PIN and an OTP. Whoever has possession, no matter how it was obtained, becomes the legitimate owner in the eyes of the application.
The strategic solution is to use precision voice biometrics as an overlay in conjunction with the PIN and OTP. It must then be the legitimate customer’s voice speaking the PIN and OTP, which stops this type of fraud dead: the PIN or OTP is useless to the fraudster, who will fail the voice biometrics check. The banks can then continue to send links for convenience and usability, fund transfer limits can remain unchanged, and transactions can be processed without self-imposed delays.
The Need for Voice Biometrics
Voice is the only biometric that is inherently two-factor (voice + knowledge). Therefore, it remains the only form of true identity assurance mathematically accurate and precise enough to guarantee the integrity of both the customer and the transaction. Reliance on knowledge-based authentication, of which PINs and OTPs are examples, will always lead to breaches, loss of funds and, even more importantly, loss of trust in the channel.