SINGAPORE, Sept 15 — Hackers overseas cheated 75 bank customers here of a total of S$500,000 (RM1.5 million) through fraudulent credit card transactions performed between September and December last year.
The perpetrators had diverted and used one-time passwords sent via short message service (SMS) to perform the fraudulent credit card transactions, the Monetary Authority of Singapore (MAS), the Infocomm Media Development Authority (IMDA), and the police said in a joint statement today.
Investigations by the affected banks found that their systems were uncompromised and had not been the cause of these incidents.
Joint investigations by the police and IMDA later found that the perpetrators from abroad had gained unauthorised access to the systems of overseas telecommunication operators and used them to modify the location data of the mobile phones used by the victims in Singapore, the authorities said.
They were then able to receive through the overseas mobile network systems the SMS one-time passwords sent by the banks to the victims.
Having already obtained the victims’ credit card details, the perpetrators were then able to make the fraudulent online card payment transactions and authorised them using the one-time passwords they retrieved.
MAS, IMDA and the police said the compromised overseas telecommunication networks have already been identified and notified.
Investigations are underway to identify and prosecute the perpetrators, they said.
The affected banks have reviewed the case and will provide a goodwill waiver to the affected customers who had taken care to protect their credentials.
The authorities said SMS diversion “is a mode of attack that requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks”.
“While our local telecommunication networks are secure and have not been compromised, IMDA, in consultation with the Cyber Security Agency of Singapore, has required operators to put in place additional safeguards, including specialised firewalls and system safeguards to monitor and block suspicious diversions of SMS,” they said.
The authorities advised members of the public to be alert and vigilant against malware and phishing attempts seeking to obtain personal information, including their credit card details.
They should keep bank account, credit and debit card details safe at all times and never disclose these details, along with personal identification numbers, passwords and codes to anyone else.
The public should also keep their electronic devices updated with the latest security patches and anti-virus software.
They should only use credible online services, including only downloading applications from official online application stores and making online purchases through trustworthy platforms.
Individuals should also refrain from clicking on suspicious links from unknown sources, and set low thresholds for payment transaction alerts so as to flag any unauthorised activities early.
They should then alert their banks as soon as possible should they discover any discrepancies or unauthorised transactions. — TODAY