[Notdumb]

What about DBS? Paylah all this?

[sgbuffett]

1. If you go around impersonating DBS, is DBS responsible for your act?

2. If you impersonating DBS sending out msg to others, is the bank responsible your act?  

3. The money stolen from DBS because you give your userID and password to thief through fake website by the thief, the bank DBS responsible?    

.

Banks are responsible to have a secure process in place so that it reduces the risk on customers.

If physical tokens are used this would not have happened.
If the sms chain is secure it won't be spoofed.
If it can be spoof it should not be used because it js dangerous.

[starbugs]

I'm sure OCBC was targeted for a reason, which is that for many years, it has been difficult to call and speak to a human at OCBC. There is a survey page at HWZ that has ranked OCBC as the worst bank in Singapore for customer service for several years prior to the scam.

A victim would not be able to reach OCBC in time to stop any fraudulent transfers. The scammers knew this and exploited this weakness. So, OCBC is partly responsible.

[sgbuffett]

What about DBS? Paylah all this?

Better be cautious for all digital transactions..we don't know what we don't know.

When something happens the customer loses ...Banks refuse to take responsibility.

[sgbuffett]

The bank is requiring the customer to know more than its own IT experts who never foresaw thsi scan coming to prevent it by using physical tokens.

It is ridiculous.

[starbugs]

One of the victim had money transferred by the scammer from her easicredit account in addition to her savings account. Everybody better close your easicredit account if not using.

[winbig]

PHP Code:

      In just a few minutes, almost $100,000 was gone.

We have since made a police report but we have been told that even though accounts are insured by up to $50,000, we are unlikely to have any of our funds returned to us as it was my mistake for clicking on the link.

How can the blame be pinned entirely on me when OCBC's scam prevention measures are poorly equipped to urgently deal with a case as it is happening? 


No wonder ocbc stock price is less than half of dbs and uob.

OCBC got stock split b4

[kc172021]

I'm sure OCBC was targeted for a reason, which is that for many years, it has been difficult to call and speak to a human at OCBC. There is a survey page at HWZ that has ranked OCBC as the worst bank in Singapore for customer service for several years prior to the scam.

A victim would not be able to reach OCBC in time to stop any fraudulent transfers. The scammers knew this and exploited this weakness. So, OCBC is partly responsible.

I totally agree that OCBC is at fault for the following reasons,

1 their IT is not secure enough to be hacked
2 the verification through SMS and not responding to scam call--report is already the biggest issue here
3 putting the responsibilities to users is a way to say you die your business --trying to push away their responsibility to have a more secure internet banking-- so they can be lax on the internet securities, this is totally irresponsible
4 many a time they have internet issues already showed their lagging on internet platform.
5 how can they not securing the spending limit which is meant to be secured?? Allowed scammer to change the limit in itself is faulty.
6 The least they can do is to secure the spending limit by neccessitate customer to go through a verification process through phone call from OCBC staff.

[pinkypanther]

I am Siti, a mother of seven wonderful children. A wife to a caring educator. And a victim of the recent scam targeting OCBC Bank customers.

On Dec 28 last year, at 11.47am, I received an SMS which looked very much like the other ones I have received from the OCBC SMS system, which read: "The transaction function of your OCBC account will be suspended. To prevent the account from being locked out, update it on December 28. Access [url=http://bit.ly/3q****."]bit.ly/3q****."[/url]

At that time, I was occupied with my children and did not act upon it. At 2pm, I reread the SMS and followed the instructions and clicked on the link. It brought me to an authentic-looking site with the OCBC name.

As I was anxious about the account being suspended and I had some transactions to make to my children's accounts later in the day, I did not think further, and keyed in my username and password and other relevant details and checked into my account.

A few moments later, I received a notification stating that my transfer limit had been increased to $100,000. When I noticed that, I immediately called OCBC as I had not approved this.

However, OCBC's hotline is not equipped to immediately handle scams which are in progress.

I had to navigate an automated system for a long time before reaching a person.


More at https://shrtco.de/jND6Yz (scroll down to read)

[kc172021]

I am Siti, a mother of seven wonderful children. A wife to a caring educator. And a victim of the recent scam targeting OCBC Bank customers.

On Dec 28 last year, at 11.47am, I received an SMS which looked very much like the other ones I have received from the OCBC SMS system, which read: "The transaction function of your OCBC account will be suspended. To prevent the account from being locked out, update it on December 28. Access [url=http://bit.ly/3q****."]bit.ly/3q****."[/url]

At that time, I was occupied with my children and did not act upon it. At 2pm, I reread the SMS and followed the instructions and clicked on the link. It brought me to an authentic-looking site with the OCBC name.

As I was anxious about the account being suspended and I had some transactions to make to my children's accounts later in the day, I did not think further, and keyed in my username and password and other relevant details and checked into my account.

A few moments later, I received a notification stating that my transfer limit had been increased to $100,000. When I noticed that, I immediately called OCBC as I had not approved this.

However, OCBC's hotline is not equipped to immediately handle scams which are in progress.

I had to navigate an automated system for a long time before reaching a person.


More at https://shrtco.de/jND6Yz (scroll down to read)

The purpose of placing spending limit is to protect the customer in case the account is being hacked. How can they allow the spending limit to be increase without third party verification before the spending limit changed??

[Bigbluedot]

Singapore is a country where something goes wrong even before investigation responsibility is pushed...

1. Such a scam would not happen if physical tokens are used.

2. So when digital tokens are allowed, who made the assessment to allow. Whi ensuref the security? How come no one is responsible?

3. Regulators allow sms OTP and digital tokens did they audit the cyber vulnerability issues?

How come when something happens all the highly paid people who are supposed to ensure process security and protection of consumers are not responsible....and responsibility is pushed to the one who is not supposed to have expertise....


Is the housewife supposed to know they will launched such a scam...how can it be when the experts did not see it coming to prevent it!!

I have always said that it is a myth that Singapore is well governed.  ..just look at the scandals on SGX.

Once upon a time, Singapore was well governed...

not now.... in a mess. enemy can invade and destroy without much efforts.

[dynamite]

Once upon a time, Singapore was well governed...

not now.... in a mess. enemy can invade and destroy without much efforts.

They still want ownself check ownself. Many civil servants want do that to take easy pay monthly.

[sgbuffett]

Once upon a time, Singapore was well governed...

not now.... in a mess. enemy can invade and destroy without much efforts.

Priority is not security? Not safety? ..

[sgbuffett]

VISA AND Mastercard left many security flaws like using magnetic strip that can be copied, .. However when a fraud is proven, it was their policy to take the loss.

Here is a fraud taken place ...and it took place because OCBC adopted a particular technology and process.

I feel they have to compensate.

https://www.todayonline.com/singapore/oc...ts-1789236

[sgbuffett]

When the Bank adopt a technology that scammers can use to exploit 96% of customers....who is negligent?

The bank or customers?

[Sharexchange]

Why sg bank so lousy no capability to use blockchain.

[Bigbluedot]

Why sg bank so lousy no capability to use blockchain.

many people still unaware that IT capability in sg is damn weak.  it has no capable world class IT experts. everything relies on FT.

you think FT will have your safety in mind?? isnt it 'you die your business', i go back to build my big kampong house can la.

[webinarian]

Banks are responsible to have a secure process in place so that it reduces the risk on customers.

If physical tokens are used this would not have happened.
If the sms chain is secure it won't be spoofed.
If it can be spoof it should not be used because it js dangerous.

Even if physical token is used, it also can be copied and posted by the thief.  

.

[Dan]

If insider's job is not efficient then I worry

[Niubee]

If insider's job is not efficient then I worry

Many of their IT also Ah Neh

[Sticw]

Own self click link is at fault. But bank sms system got hacked is both bank and telco at fault. Bank internal system and check on suspicious action and transfer is bank at fault. You cannot run away from the fact that as a bank you have to provide the security else there will be a bank run cos money is not safe with the banking system.

[Tangsen]

I dun understand how they hijack. Example, I only uses SingPass to login and 2FA token issued by the bank or bank issued apps for authentication on my phone.
Also I set a limit of all online transactions and only can change with my 2FA and set alert

[ArielCasper]

I dun understand how they hijack. Example, I only uses SingPass to login and 2FA token issued by the bank or bank issued apps for authentication on my phone.
Also I set a limit of all online transactions and only can change with my 2FA and set alert

"I only uses SingPass??" I guessed you only have OCBC account?

Coz OCBC is the only banking website that allow Singpass login..

[Niubee]

"I only uses SingPass??" I guessed you only have OCBC account?

Coz OCBC is the only banking website that allow Singpass logic..

Ya man... I have dbs and stanchart acct. They look really strict with add new payee or change of limit. Many counter checks.

[Blasterlord2]

I thought to increase the limit the bank will send you an otp?

[Oasis]

If you want to withdraw money from any Malaysia bank you need your original NRIC , signature and your fingerprint to match bank record
You just need to present  your NRIC and signature when you withdraw money from any Singapore bank.
Which method is safer?
Of course install another device involved cost and maintenance fees.

Ever worked in vital installation, there is one red phone solely for emergency use.
No dial number is required.
The phone is connected to xxx command center. There is SOP and penalty imposed for any breach.

Scenario:
Victim calls xxx center (Can be other authorised agent)
Xxx centre directs the message to bank's red phone 
No more press 1 for English and press 2 for xxxx all our operators are  busy please hold xxxxxx

No value added for kpkb and pointing fingers.
Find solutions.

[ArielCasper]

So far, DBS and OCBC allowed users to use the banking apps in their phone to serve and a token and approved transactions/login etc..

In that case, how did the scammer managed to bypass the token authentication (using phone), or is the victim's phone/apps compromised as well?

The ST article wasn't clear on that..

Of the 3 local banks, only UOB don't even have an option to use your phone as token (ie still rely on sms to authenticate), wonder is that good or bad?

[ArielCasper]

If you want to withdraw money from any Malaysia bank you need your original NRIC , signature and your fingerprint to match bank record
You just need to present  your NRIC and signature when you withdraw money from any Singapore bank.
Which method is safer?
Of course install another device involved cost and maintenance fees.

Ever worked in vital installation, there is one red phone solely for emergency use.
No dial number is required.
The phone is connected to xxx command center. There is SOP and penalty imposed for any breach.

Scenario:
Victim calls xxx center (Can be other authorised agent)
Xxx centre directs the message to bank's red phone 
No more press 1 for English and press 2 for xxxx all our operators are  busy please hold xxxxxx

No value added for kpkb and pointing fingers.
Find solutions.

Our job here is to kpkb..

It is the bank's job to find the solutions.

[Galilo_l]

https://captain-sinkie.com/articles/2022...ngaporeans

[Oasis]

If any account holder sets limitation of withdrawal, any request to increase the withdrawal amount
Say from $1k to $100 K there is system to ask the account holder to call bank staff for assistance. No auto pilot 
Any better idea?