Banks in Singapore to phase out login OTPs for digital token users
Customers who have activated digital tokens on their mobile phones will have to use these tokens for bank account logins.
A man using his smartphone. (Photo: iStock)
This audio is generated by an AI tool.
SINGAPORE: Major banks in Singapore will phase out the use of one-time passwords (OTPs) for bank account logins by customers who are digital token users.
This will be implemented progressively over the next three months and is aimed at better protecting customers against phishing scams, said the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) on Tuesday (Jul 9).
The move will not affect customers using physical tokens. Major banks include the three Singapore banks – DBS, OCBC and UOB.
Almost 60 to 90 per cent of the "digital-active customer base" of the three local banks use digital tokens for internet banking logins, said ABS on Friday (Jul 12) in response to CNA's query.
It added that banks have continued to advise customers to switch to digital tokens through campaigns and reminders. Those who have yet to do so are strongly encouraged to do so.
"The digital token will authenticate customers’ login without the need for an OTP that scammers can steal or trick customers into disclosing," said MAS and ABS.
DBS stopped issuing physical tokens in February 2021 although customers may request replacement tokens. OCBC and UOB customers can similarly replace their physical tokens but the banks recommend switching to digital tokens.
OTPs were introduced in the 2000s as a multi-factor authentication option to strengthen online security.
However, technological developments and more sophisticated social engineering tactics have enabled scammers to more easily phish customers’ OTPs. MAS and ABS cited the example of scammers setting up fake bank websites that closely resemble genuine ones.
"This latest measure will strengthen the authentication process, making it harder for scammers to fraudulently access a customer's account and funds without the customer’s explicit authorisation using his mobile device," they added.
When asked if banks plan to phase out physical tokens and OTPs entirely, ABS said that the banks will "continue to introduce new anti-scam measures and enhancements in an agile manner".
According to the Singapore Police Force's annual report on scams and cybercrime, at least S$14.2 million (US$10.5 million) was lost to phishing scams last year.
A total of 5,938 phishing scams were reported last year, down from 7,097 the year before.
Ms Loo Siew Yee, assistant managing director for policy, payments and financial crime at MAS, said: “MAS continues to work closely with banks to protect consumers by leaning hard against digital banking scams.
"This latest measure will complement good cyber hygiene practices that customers must continue to practise, such as safeguarding their banking credentials."
ABS director Ong-Ang Ai Boon added: "This measure provides customers with further protection against unauthorised access to their bank accounts.
"While they may give rise to some inconvenience, such measures are necessary to help prevent scams and protect customers."
Citibank Singapore's head of digital channels and experience Nilesh Kumar said that since 2023, SMS OTPs have been phased out in place of authentication via the digital token for enrolled customers.
"This has enabled our customers to bank more securely while retaining the convenience of using our services digitally."
Customers transacting with 3D-Secure merchants or through self-service phone banking will receive push notifications on their Citi mobile app for authentication, while customers transacting on the website can use the same app to scan a QR code, said Mr Kumar.
In a written parliamentary answer in July 2023, then-Senior Minister Tharman Shanmugaratnam, who was also Minister-in-charge of MAS, said the authority had required banks to phase out SMS OTPs as a sole factor to authenticate high-risk transactions.
This was due to the "inherent vulnerability of the SMS channel", he added.
“Banks in Singapore have already moved away from sole reliance on SMS OTP for high-risk online banking activities, like adding of payees and changing of fund transfer limits,” Mr Tharman said, adding that this also applies to high-risk card transactions like authorising online card payments.
“The transition has commenced, and MAS will set a deadline for all retail banks to complete this,” he added.
