A year ago, news first emerged that hackers may have found a new way to outsmart our banks in their security measures, even after they introduced their 2-FA authentication protocol where consumers would have to key in a One-Time Password (OTP) sent to their mobile phone whenever they make an online transaction using their credit card(s).

Their method? Just hack into the victims' mobile phone, where the hackers can then access both credit card details and OTPs at one go. Apps or websites where the consumer have previously keyed in their credit card information can reveal the card details, whereas the SMS would give the OTP required to make sure the transaction goes through.

I'm not making it up. Take a look at this case as reported by The Straits Times last year:


When he woke up on Sept 30 last year, his phone was still "updating". He forcibly rebooted it by removing the battery, only to find SMS alerts from UOB on the purchases, as well as the one-time passwords (OTPs) used to authenticate them.
Mr Loh appears to be one of the victims of a malicious program that the Association of Banks in Singapore (ABS) warned the public about last month. He insists he has entered his credit card details on his phone only twice or thrice in the past year - to buy movie tickets online.
He was told by the bank that one of the reasons the payments could not be waived was that they were made under the "3D secure payment system" - which authenticates online transactions by sending an OTP to the customer's cellphone. The Straits Times understands that because the hackers obtained the OTPs, the payment system was not compromised.
UOB said: "We review each customer dispute case thoroughly and take into account a number of contributing or mitigating factors. These include whether a customer had provided his credit card information on a phishing site or if transactions were authorised with an SMS OTP. In this present case, the bank's security measures were not compromised."
UOB is asking him to pay $5,000 of the $12,327, having reduced the amount out of goodwill, or it would take legal action.
Case executive director Seah Seng Choon said banks need to keep in mind shifting security vulnerabilities. "If a third party can hack into the system and perform transactions in this manner, it shows that the system needs to be reviewed to protect consumer interests."
Information technology lawyers said crooks are starting to get the better of two-factor authentication systems. 

Source: Man in row with bank over hacked phone (The Straits Times)


A year on, have our local banks failed to do anything about this?

I would have thought that with this scam being made public and ABS having warned everyone, the banks would have already made steps to further strengthen their security systems and outwit the hackers. However, my friend was recently the victim of such a fraud case, which seems to be similar to Mr Loh's case...and OCBC basically told her to pay for a transaction she never made.

OCBC claims that the transaction was approved as the (OTP) provided matched the one that was sent to her mobile phone as part of their 2-FA protocol.

Now, this worries me.

As consumers, we bank with our local banks believing their claims that their security systems are highly secure. But incidents like these clearly show that they are not. Furthermore, it shows that our banks have failed to keep up with the hackers even after their ways of outsmarting their security systems have been made known.

We're heading towards a cashless society, but what implications will that bring? While Paywave, Apple Pay, Android Pay and a whole load of other cashless technologies promise us convenience, at what cost will this come at?

Even when some folks were complaining about the 2-FA system being a hassle, I gladly welcomed it as I saw it to be a necessary hassle to prevent fraud whenever we transact online. However, now that I know hackers can simply outsmart the system by hacking into our mobile phones, we may no longer be safe even with 2-FA authentication methods.

You might want to disable mobile apps that have your credit card details autosaved and clear your cookies / history as well if you want to prevent this from happening to you. 

Any of us could be the next victim.

With love and concern,
Budget Babe


  1. This comment has been removed by the author.

  2. So the safest is to disable SMS OTP and use their token for OTP?

    1. Maybe? I'm not very sure about IT and how security works, but one thing is for sure - if phones can be hacked, then SMS OTPs aren't safe anymore!

  3. OCBC is a really lousy bank...