Singapore Expats

OCBC Saga

abbby
Manager
Posts: 1984
Joined: Thu, 21 Jul 2005 3:00 am
Answers: 2
Location: Tiny Island

OCBC Saga

Post by abbby » Tue, 18 Jan 2022 1:07 pm

Not OCBC's fault, but they have certainly been too lax on answering calls: calls take 20 minutes or so to reach the staff, and they don't have dedicated numbers for fraud complaints. And their system never flagged any irregularities and large numbers of transactions in such a short time?

It's because they're a bank, I think they could have a responsibility to better secure the payment gateways and their customers' money.. :cry:
The secret of life is honesty and fair dealing. If you can fake that, you've got it made. - Groucho Marx (1890-1977)

smoulder
Editor
Posts: 1318
Joined: Fri, 25 Dec 2015 11:05 pm

Re: OCBC Saga

Post by smoulder » Tue, 18 Jan 2022 2:04 pm

So in the present day, banks are "required" to have robust systems and methods in place to detect fraudulent transactions.

https://www.google.com/url?sa=t&source= ... Tg6YK2VZAR


As a bank, it would be treading dangerous ground when you start washing your hands of such incidents.
14.3 Fraud Monitoring
14.3.1 The FI should implement real-time fraud monitoring systems to identify and block suspicious or fraudulent online transactions.
14.3.2 A process should be established to investigate suspicious transactions or payments and to ensure issues are adequately and promptly addressed.
14.3.3 The FI should notify customers of suspicious activities or funds transfers above a threshold that is defined by the FI or customers. The notification should contain meaningful information such as type of transaction and payment amount, as well as instructions to report suspicious activities or unauthorised transactions.
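
A sketch of the kind of real-time check clauses 14.3.1 to 14.3.3 describe, added here as an illustration and not part of the post above, the MAS guidelines, or any bank's system: a per-account sliding-window velocity rule plus a threshold notification. The window, limits, field names and sample transfers are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed limits for illustration; 14.3.3 leaves the threshold to the FI or customer.
WINDOW = timedelta(minutes=10)
MAX_TRANSFERS_IN_WINDOW = 3
NOTIFY_THRESHOLD = 1000.00

class FraudMonitor:
    def __init__(self):
        self.recent = defaultdict(deque)      # account -> attempt times inside WINDOW
        self.known_payees = defaultdict(set)  # account -> payees already paid

    def evaluate(self, txn):
        """Score one transfer before execution: (decision, reasons, notifications)."""
        acct, now = txn["account"], txn["time"]
        attempts = self.recent[acct]
        while attempts and now - attempts[0] > WINDOW:
            attempts.popleft()                # drop attempts older than the window
        attempts.append(now)                  # held attempts still count as velocity
        reasons = []
        if len(attempts) > MAX_TRANSFERS_IN_WINDOW:
            reasons.append(f"{len(attempts)} transfers within {WINDOW}")
        new_payee = txn["payee"] not in self.known_payees[acct]
        if new_payee and txn["amount"] >= NOTIFY_THRESHOLD:
            reasons.append("large transfer to a new payee")
        notes = []
        if reasons or txn["amount"] >= NOTIFY_THRESHOLD:
            # 14.3.3: state the type and amount, and how to report it
            notes.append(f"{txn['type']} of {txn['amount']:.2f} to {txn['payee']}. "
                         "Not you? Call the fraud hotline.")
        if reasons:
            return "HOLD", reasons, notes     # 14.3.2: queue for investigation
        self.known_payees[acct].add(txn["payee"])
        return "ALLOW", reasons, notes

# Constructed sample: four transfers in three minutes, then one 90 minutes later.
START = datetime(2022, 1, 18, 9, 0)
SAMPLE = [{"account": "A1", "time": START + timedelta(minutes=m),
           "type": "funds transfer", "amount": amt, "payee": p}
          for m, amt, p in [(0, 900.0, "P1"), (1, 900.0, "P2"), (2, 900.0, "P3"),
                            (3, 900.0, "P4"), (90, 1500.0, "P1")]]

def run(sample=SAMPLE):
    monitor = FraudMonitor()
    return [monitor.evaluate(txn) for txn in sample]

if __name__ == "__main__":
    for txn, (decision, reasons, notes) in zip(SAMPLE, run()):
        print(txn["time"].time(), decision, reasons, notes)
```

Each of the first four transfers stays under the notification threshold on its own; only the velocity rule catches the burst, which is the pattern raised in the first post of the thread.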

Pal
Site Admin
Posts: 1619
Joined: Wed, 23 Jul 2003 2:44 am
Answers: 1
Location: Singapore

Re: OCBC Saga

Post by Pal » Tue, 18 Jan 2022 9:24 pm

Phishing is common nowadays.

I think consumers should be more careful on clicking on links. Always verify the website domain name before clicking or keying in any sensitive information.

When the url does not show OCBC.com, it is more likely a phishing site. The gov can do much more in educating the public about this.

abbby
Manager
Posts: 1984
Joined: Thu, 21 Jul 2005 3:00 am
Answers: 2
Location: Tiny Island

Re: OCBC Saga

Post by abbby » Wed, 19 Jan 2022 9:21 am

Yes, and also people are encouraged to use fingerprint access to log in to their phones... that would be safer.
The secret of life is honesty and fair dealing. If you can fake that, you've got it made. - Groucho Marx (1890-1977)

PNGMK
Moderator
Posts: 9079
Joined: Thu, 21 Mar 2013 9:06 pm
Answers: 10
Location: Sinkapore

Re: OCBC Saga

Post by PNGMK » Wed, 19 Jan 2022 10:07 am

None of this would have happened if the SMS SenderID hadn't allowed the fraudulent SMS to be "grouped" together with legitimate SMSes from a bank. That is a government regulator's fault. Full stop.

Now I agree "don't click links" but OCBC has sent legitimate links about their business before.

I agree that you should check the URL and make sure it is the right one, but some URLs are damn difficult to verify, and DNS entries (that is how the URL is converted) are not 100% secure either, and not all institutions keep their security certificates for HTTPS updated.

This is a classic cyber security event. Someone has found a vulnerability (SenderID) and socially engineered a message that has gotten through people's psychological defenses and the institution (the bank) has been far too slow and lax in dealing with what was clearly a staged attack - they really should have shut down all systems when they knew that they had a mass fraud event ongoing.
I not lawyer/teacher/CPA.
You've been arrested? Law Society of Singapore can provide referrals.
You want an International School job? School website or http://www.ISS.edu
Your rugrat needs a School? Avoid for profit schools
You need Tax advice? Ask a CPA
You ran away without doing NS? Shame on you!

Lisafuller
Governor
Posts: 6211
Joined: Sat, 07 Nov 2020 11:45 pm
Answers: 3

Re: OCBC Saga

Post by Lisafuller » Fri, 21 Jan 2022 1:13 am

Pal wrote:
Tue, 18 Jan 2022 9:24 pm
Phishing is common nowadays.

I think consumers should be more careful on clicking on links. Always verify the website domain name before clicking or keying in any sensitive information.

When the url does not show OCBC.com, it is more likely a phishing site. The gov can do much more in educating the public about this.

I believe the issue is that most Singaporeans aren’t able to distinguish a scam message from a legitimate one. Moreover, scammers are getting better and better nowadays; what used to be clearly fraudulent texts riddled with grammatical and spelling errors are now quite convincing.

Lisafuller
Governor
Posts: 6211
Joined: Sat, 07 Nov 2020 11:45 pm
Answers: 3

Re: OCBC Saga

Post by Lisafuller » Fri, 21 Jan 2022 1:15 am

PNGMK wrote:
Wed, 19 Jan 2022 10:07 am
None of this would have happened if the SMS SenderID hadn't allowed the fraudulent SMS to be "grouped" together with legitimate SMSes from a bank. That is a government regulator's fault. Full stop.

Now I agree "don't click links" but OCBC has sent legitimate links about their business before.

I agree that you should check the URL and make sure it is the right one, but some URLs are damn difficult to verify, and DNS entries (that is how the URL is converted) are not 100% secure either, and not all institutions keep their security certificates for HTTPS updated.

This is a classic cyber security event. Someone has found a vulnerability (SenderID) and socially engineered a message that has gotten through people's psychological defenses and the institution (the bank) has been far too slow and lax in dealing with what was clearly a staged attack - they really should have shut down all systems when they knew that they had a mass fraud event ongoing.

As of today it was announced that banks are phasing out text notifications, to be entirely obsolete by next month in order to prevent such incidents from happening again. Seems like a good initiative, but a little too late since so much theft and destruction has already taken place. At the very least, it will help ensure future incidents are prevented from taking place.

smoulder
Editor
Posts: 1318
Joined: Fri, 25 Dec 2015 11:05 pm

Re: OCBC Saga

Post by smoulder » Fri, 21 Jan 2022 2:49 am

So there is a lot more to financial fraud than phishing through SMS. This is just the tip of the iceberg.

There's a whole market segment comprising sophisticated software, some with machine learning capabilities, that can detect the various techniques employed by fraudsters.

If the focus is purely on protecting against one technique, then that is going to prove woefully inadequate.

Some banks are using some of this software, but in the end, it also depends on how well you can use it. Imagine the analogy of a highly trained commando with a firearm vs a typical everyday civilian. Guess who's more effective.

therat
Editor
Posts: 1014
Joined: Thu, 04 Sep 2008 2:23 pm
Answers: 2

Re: OCBC Saga

Post by therat » Fri, 21 Jan 2022 10:16 am

Due to the present situation, banks/companies/the government are pushing for e-banking, PayLah, and all kinds of wallets.
They only educate people to use them but didn't educate people on how to spot scams/phishing.

tiktok
Reporter
Posts: 641
Joined: Mon, 21 Jan 2019 5:04 pm

Re: OCBC Saga

Post by tiktok » Fri, 21 Jan 2022 11:11 am

The government will be banning clickable links in all bank messaging. Unfortunately this doesn't solve the root issue of people being vulnerable.
I not troll/wacko/spammer.
Me no expat. Me foreigner.

smoulder
Editor
Posts: 1318
Joined: Fri, 25 Dec 2015 11:05 pm

Re: OCBC Saga

Post by smoulder » Fri, 21 Jan 2022 1:25 pm

tiktok wrote:
Fri, 21 Jan 2022 11:11 am
The government will be banning clickable links in all bank messaging. Unfortunately this doesn't solve the root issue of people being vulnerable.

It doesn't. What solves it is for banks to invest in systems and processes that address a whole range of fraudulent transactions. Which is what MAS have mandated to do. That's the TRM pdf I referenced above.

tiktok
Reporter
Posts: 641
Joined: Mon, 21 Jan 2019 5:04 pm

Re: OCBC Saga

Post by tiktok » Fri, 21 Jan 2022 2:33 pm

Luckily I know what MAS and PDF are, but sorry, no clue what TRM stands for.
I not troll/wacko/spammer.
Me no expat. Me foreigner.

smoulder
Editor
Posts: 1318
Joined: Fri, 25 Dec 2015 11:05 pm

Re: OCBC Saga

Post by smoulder » Fri, 21 Jan 2022 3:23 pm

Technology Risk Management

Lisafuller
Governor
Posts: 6211
Joined: Sat, 07 Nov 2020 11:45 pm
Answers: 3

Re: OCBC Saga

Post by Lisafuller » Fri, 21 Jan 2022 11:41 pm

smoulder wrote:
Fri, 21 Jan 2022 2:49 am
So there is a lot more to financial fraud than phishing through SMS. This is just the tip of the iceberg.

There's a whole market segment comprising sophisticated software, some with machine learning capabilities, that can detect the various techniques employed by fraudsters.

If the focus is purely on protecting against one technique, then that is going to prove woefully inadequate.

Some banks are using some of this software, but in the end, it also depends on how well you can use it. Imagine the analogy of a highly trained commando with a firearm vs a typical everyday civilian. Guess who's more effective.

I see… clearly the scamming is not as rudimentary as it used to be, so the preventive measures can’t be either. If anything I’m surprised that these huge banks aren’t using their resources to do more about it.

Lisafuller
Governor
Posts: 6211
Joined: Sat, 07 Nov 2020 11:45 pm
Answers: 3

Re: OCBC Saga

Post by Lisafuller » Fri, 21 Jan 2022 11:44 pm

therat wrote:
Fri, 21 Jan 2022 10:16 am
Due to the present situation, banks/companies/the government are pushing for e-banking, PayLah, and all kinds of wallets.
They only educate people to use them but didn't educate people on how to spot scams/phishing.

Exactly, although if you think about it, how is the government supposed to educate the public? It’s a great idea in theory, but much harder to execute.
