Their method? Just hack into the victims' mobile phone, where the hackers can then access both credit card details and OTPs at one go. Apps or websites where the consumer have previously keyed in their credit card information can reveal the card details, whereas the SMS would give the OTP required to make sure the transaction goes through.
I'm not making it up. Take a look at this case as reported by The Straits Times last year:
Source: Man in row with bank over hacked phone (The Straits Times)
A year on, have our local banks failed to do anything about this?
I would have thought that with this scam being made public and ABS having warned everyone, the banks would have already made steps to further strengthen their security systems and outwit the hackers. However, my friend was recently the victim of such a fraud case, which seems to be similar to Mr Loh's case...and OCBC basically told her to pay for a transaction she never made.
OCBC claims that the transaction was approved as the (OTP) provided matched the one that was sent to her mobile phone as part of their 2-FA protocol.
Now, this worries me.
As consumers, we bank with our local banks believing their claims that their security systems are highly secure. But incidents like these clearly show that they are not. Furthermore, it shows that our banks have failed to keep up with the hackers even after their ways of outsmarting their security systems have been made known.
We're heading towards a cashless society, but what implications will that bring? While Paywave, Apple Pay, Android Pay and a whole load of other cashless technologies promise us convenience, at what cost will this come at?
Even when some folks were complaining about the 2-FA system being a hassle, I gladly welcomed it as I saw it to be a necessary hassle to prevent fraud whenever we transact online. However, now that I know hackers can simply outsmart the system by hacking into our mobile phones, we may no longer be safe even with 2-FA authentication methods.
You might want to disable mobile apps that have your credit card details autosaved and clear your cookies / history as well if you want to prevent this from happening to you.
Any of us could be the next victim.
With love and concern,