About 75 bank customers in Singapore were faked by overseas hackers to steal over $500,000 of fake credit card payments. Hijacking of OTP or one-time-password techniques that are sent through text messages by banks was implemented in this incident.
A joint statement by Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS), and Singapore Police Force last September 15, 2021, stated that the attackers had sidetracked the text message OTPs from the banks towards foreign mobile network systems.
In addition, also with the joint statements, the method of SMS diversions entails complex skills to compromise and intrude the systems to foreign telecommunication networks. The transactions regarding the fraud issue have happened between September and December of 2020.
The banks’ customers expressed that they are not the ones who conducted the transactions and have not received any OTP through text messages required to complete these bank transactions.
As a result of this issue, authorities have assured Singapore’s banking and telecommunication systems that they were not compromised. The customers affected by the issue are not obliged by the banks to pay for any damages it has caused them as a form of goodwill. However, the affected bank identities were concealed.
The attacker’s method involving this issue is how they got ahold of their targets’ credit card information and cellphone numbers. They were also able to hack into foreign telecommunication systems and utilize them to change the location information of the phones used by the Singapore victims. Through that, the attackers could trick the Singaporean telecommunication networks into seeing the phone numbers as roaming number networks from other countries. Afterward, the attackers used the credit card information stolen from the victims to conduct fraudulent online payments. As the banks will naturally send the OTPs through text in verifying transactions, the attackers can divert the OTPs towards the foreign mobile network systems.
Even though the compromised foreign telco networks have already been identified and alerted, the agencies chose not to reveal the identities of the firms for privacy and protection. Meanwhile, investigations regarding the issue are actively at hand, and authorities assure the affected parties that the matter will be brought to justice.
Currently, it remains unclear where exactly are the attackers located.