OCBC replaced its hardware tokens with digital ones to save $25M
#1

Yes, the digital ones that scammers stole in the phishing scam.
The whole scam would not have happened if they had not tried to save the money....
According to the article, they also saved on SMS, which is part of multi-factor authentication.

https://www.businesstimes.com.sg/compani...ity-tokens
OCBC has rolled out a digital "soft" token on its mobile banking app, in a move that is expected to save the bank some S$25 million in five years, by eliminating the issuance of hardware security tokens, and reducing SMS OTPs (one-time passwords). 
Since its January launch in Singapore, more than one in four digital customers have activated OCBC OneToken on their mobile devices, OCBC said. In addition, more than two million transactions have been performed and authenticated with OCBC OneToken.
The digital token is integrated for use with biometric authentication or access code and PIN, offering customers access to digital banking services on-the-go and on their desktop, the bank said. 

I, being poor, have only my dreams; I have spread my dreams under your feet; Tread softly because you tread on my dreams.
Reply
#2

(16-01-2022, 01:09 PM)sgbuffett Wrote:  Yes, the digital ones that scammers stole in the phishing scam.
The whole scam would not have happened if they had not tried to save the money....
According to the article, they also saved on SMS, which is part of multi-factor authentication.

https://www.businesstimes.com.sg/compani...ity-tokens
OCBC has rolled out a digital "soft" token on its mobile banking app, in a move that is expected to save the bank some S$25 million in five years, by eliminating the issuance of hardware security tokens, and reducing SMS OTPs (one-time passwords). 
Since its January launch in Singapore, more than one in four digital customers have activated OCBC OneToken on their mobile devices, OCBC said. In addition, more than two million transactions have been performed and authenticated with OCBC OneToken.
The digital token is integrated for use with biometric authentication or access code and PIN, offering customers access to digital banking services on-the-go and on their desktop, the bank said. 

That is the trouble with the banks. They try to save money for their own benefit at the expense of the consumers. Like in the recent case, OCBC has not even come out to comment on the losses of the customers, instead saying don't click the scam message, meaning mind your own business.
Reply
#3

If like that,
the bank still has to pay for the losses.
Save 25M... losses paid maybe 3M.
Reply
#4

Use part of the 20M to compensate the victims, please.
Reply
#5

Gov always said go digital mah.... Vouchers, "ang pow" money and marriage certificates sent digitally, like not the real one... NRIC also can use...
Reply
#6

To be fair to OCBC, all banks are moving away from physical tokens. So if you want to blame, DBS, UOB, Maybank and more all share the same blame..

1. I have served the nation in a combat unit for 2.5 + 10 years. I have fulfilled my duty as a citizen, but has the country done its part for me?
2. I don't know where the threat of CCP is, but I know the threat of CECA is already at my doorstep
3. I have been called a CCP, JHK, Pinoy, but they never called me a CECA..
Reply
#7

(16-01-2022, 01:09 PM)sgbuffett Wrote:  Yes, the digital ones that scammers stole in the phishing scam.
The whole scam would not have happened if they had not tried to save the money....
According to the article, they also saved on SMS, which is part of multi-factor authentication.

https://www.businesstimes.com.sg/compani...ity-tokens
OCBC has rolled out a digital "soft" token on its mobile banking app, in a move that is expected to save the bank some S$25 million in five years, by eliminating the issuance of hardware security tokens, and reducing SMS OTPs (one-time passwords). 
Since its January launch in Singapore, more than one in four digital customers have activated OCBC OneToken on their mobile devices, OCBC said. In addition, more than two million transactions have been performed and authenticated with OCBC OneToken.
The digital token is integrated for use with biometric authentication or access code and PIN, offering customers access to digital banking services on-the-go and on their desktop, the bank said. 
You want to explain how the digital token is the cause of the phishing scam??

For the scam, so far what some folks shared here is that it is due to SMS (OTP) hijack (SS7 attack)..

I am still trying to find a good article or website that clearly explains how the digital token was compromised in this case.

I am concerned because all banks are using the digital token approach now.. I can run, but I can't hide from the problem unless I keep my money in a tin can like folks here suggested.

Reply
#8

(16-01-2022, 07:33 PM)ArielCasper Wrote:  You want to explain how the digital token is the cause of the phishing scam??

For the scam, so far what some folks shared here is that it is due to SMS (OTP) hijack (SS7 attack)..

I am still trying to find a good article or website that clearly explains how the digital token was compromised in this case.

I am concerned because all banks are using the digital token approach now.. I can run, but I can't hide from the problem unless I keep my money in a tin can like folks here suggested.
You know for a fact that those who suggested keeping their money in tin cans are just pulling your leg, and are not to be taken seriously.....
Reply
#9

(16-01-2022, 07:33 PM)ArielCasper Wrote:  You want to explain how the digital token is the cause of the phishing scam??

For the scam, so far what some folks shared here is that it is due to SMS (OTP) hijack (SS7 attack)..

I am still trying to find a good article or website that clearly explains how the digital token was compromised in this case.

I am concerned because all banks are using the digital token approach now.. I can run, but I can't hide from the problem unless I keep my money in a tin can like folks here suggested.

Yes. Because it is a digital token, the scammers could move the digital token to their own device and use it to empty the customers' accounts. To move the digital tokens, all they needed were the credentials the victims keyed in at the fake site.

This would not be possible if physical tokens were used.

If banks allow SMS for transactions, customers will be exposed to fraud as SMS messages can be rerouted to the scammers.

The safest OTP is the physical token.. To save money they phased this out.

All our brokerage accounts use only SMS. Hackers can exploit this and enter these accounts.

The authorities don't seem to bother that they are putting us at risk.

I pointed this out to one brokerage; they said MAS allowed them to drop the OneKey physical token.

Now things happen..... like nobody is in charge.

Reply
#10

(16-01-2022, 07:44 PM)sgbuffett Wrote:  Yes. Because it is a digital token, the scammers could move the digital token to their own device and use it to empty the customers' accounts.

This would not be possible if physical tokens were used.
So what are the steps required to 'move' a digital token?

I used OCBC as a reference. To 'move'/activate a digital token, there are 3 levels:

1) Log in to the OCBC app
2) SMS OTP to your phone
3) Key in bank ATM PIN

Even if the hacker knows your user ID/password, and SS7 can hijack your OTP, how the heck will the hackers know your bank ATM PIN??

https://www.youtube.com/watch?v=YC2ccldT95c

Reply
#11

I thought DBS was the first to do so? I suspect they wanted to save cost when that was announced, and I was pretty worried at that time, but no choice. But if someone is keying in the OTP from the token into a fake website, a physical token will still cause the crime to take place.
Reply
#12

(16-01-2022, 07:52 PM)ArielCasper Wrote:  So what are the steps required to 'move' a digital token?

I used OCBC as a reference. To 'move'/activate a digital token, there are 3 levels:

1) Log in to the OCBC app
2) SMS OTP to your phone
3) Key in bank ATM PIN

Even if the hacker knows your user ID/password, and SS7 can hijack your OTP, how the heck will the hackers know your bank ATM PIN??

https://www.youtube.com/watch?v=YC2ccldT95c

You forget one social engineering aspect the hackers can use. This was also published in a 2014 conference paper that studied bank customer behaviour....

Most used their PIN as their password... once the password was captured they had all they needed.

I believe many DBS customers also use their PIN as their login password.

Reply
#13

(16-01-2022, 07:56 PM)sgbuffett Wrote:  You forget one social engineering aspect the hackers can use. This was also published in a 2014 conference paper that studied bank customer behaviour.....

Most used their PIN as their password.

I believe many DBS customers also use their PIN as their login password.
If that is the case, is it still the bank's fault?

Reply
#14

(16-01-2022, 07:57 PM)ArielCasper Wrote:  If that is the case, is it still the bank's fault?

The banks will not agree that it is their fault; they will come out with many excuses to avoid being the guilty one....
Reply
#15

(16-01-2022, 07:56 PM)sgbuffett Wrote:  You forget one social engineering aspect the hackers can use. This was also published in a 2014 conference paper that studied bank customer behaviour....

Most used their PIN as their password... once the password was captured they had all they needed.

I believe many DBS customers also use their PIN as their login password.

Even the website asks for a PIN instead of a password. As a result, customers used their ATM PIN as the login password. By right these two should be forced to be different, by forcing the login password to have both characters and numbers.
[Image: gCjFcXV.jpg]

Reply
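The enrolment steps listed in post #10 and the PIN-reuse argument in posts #12 and #15 can be put together in a small model that shows which step actually stops an attacker who only has what a phishing page captured. This is an added example written for this page; it is not OCBC's code and does not describe any bank's real implementation. The class names, the two password policies, the attacker's capabilities and all account values are assumptions made up for the illustration.

```python
"""Toy model of the soft-token enrolment chain discussed in this thread.

Added example, not OCBC's code. The three enrolment steps (app login,
SMS OTP, ATM PIN) are the ones listed in post #10; the password policies,
the attacker's capabilities and every sample value are hypothetical and
constructed here for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass
class Customer:
    user_id: str
    login_password: str
    atm_pin: str
    token_device: str          # device the soft token is currently bound to


@dataclass
class Attacker:
    captured: dict             # what the victim typed into the fake site
    can_reroute_sms: bool      # SS7-style OTP hijack, as raised in the thread
    device: str = "attacker-phone"


def weak_policy_ok(password: str, atm_pin: str) -> bool:
    """Policy criticised in the thread: the site asks for a 'PIN', so any
    value of 6+ characters is accepted and the ATM PIN gets reused."""
    return len(password) >= 6


def strict_policy_ok(password: str, atm_pin: str) -> bool:
    """Policy argued for in post #15: letters and digits both required, and
    the login secret may never equal the ATM PIN."""
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    return len(password) >= 8 and has_letter and has_digit and password != atm_pin


def set_password(customer: Customer, new_password: str, policy) -> bool:
    """Apply a password change only if the given policy accepts it."""
    if not policy(new_password, customer.atm_pin):
        return False
    customer.login_password = new_password
    return True


def soft_token_enrolment(customer: Customer, attacker: Attacker) -> str:
    """Replay the three enrolment steps against an attacker holding only what
    the phishing page captured. Returns the step that stops the attacker, or
    'TOKEN_MOVED' when the token ends up bound to the attacker's device."""
    # Step 1: app login with user ID and password.
    if attacker.captured.get("password") != customer.login_password:
        return "BLOCKED_AT_LOGIN"
    # Step 2: SMS OTP. Passed if the victim typed the OTP into the fake site
    # in real time (post #11), or if the attacker reroutes the victim's SMS.
    if not (attacker.can_reroute_sms or "otp" in attacker.captured):
        return "BLOCKED_AT_OTP"
    # Step 3: ATM PIN. If the fake site did not ask for it, the attacker's
    # best guess is the captured password itself (the reuse from post #12).
    pin_guess = attacker.captured.get("atm_pin", attacker.captured["password"])
    if pin_guess != customer.atm_pin:
        return "BLOCKED_AT_PIN"
    customer.token_device = attacker.device
    return "TOKEN_MOVED"


def run_scenarios() -> dict:
    """Constructed scenarios; the account values are made up for this example."""
    results = {}

    # A: weak policy lets the customer reuse the ATM PIN as login password.
    victim = Customer("user01", "", atm_pin="482913", token_device="victim-phone")
    results["weak_policy_accepts_pin"] = set_password(victim, "482913", weak_policy_ok)
    phisher = Attacker({"user_id": "user01", "password": "482913", "otp": "117733"},
                       can_reroute_sms=False)
    results["pin_reused"] = soft_token_enrolment(victim, phisher)

    # B: strict policy refuses the PIN; a distinct password stops step 3.
    victim2 = Customer("user02", "", atm_pin="482913", token_device="victim-phone")
    results["strict_policy_accepts_pin"] = set_password(victim2, "482913", strict_policy_ok)
    set_password(victim2, "kopi-c-2022", strict_policy_ok)
    phisher2 = Attacker({"user_id": "user02", "password": "kopi-c-2022", "otp": "117733"},
                        can_reroute_sms=False)
    results["distinct_pin"] = soft_token_enrolment(victim2, phisher2)

    # C: password captured but no OTP and no SMS rerouting: stops at step 2.
    phisher3 = Attacker({"password": "kopi-c-2022"}, can_reroute_sms=False)
    results["no_otp"] = soft_token_enrolment(victim2, phisher3)

    # D: everything captured, PIN included, and SMS rerouted: no password
    # policy helps; only the enrolment channel itself could stop this.
    phisher4 = Attacker({"password": "kopi-c-2022", "atm_pin": "482913"},
                        can_reroute_sms=True)
    results["everything_captured"] = soft_token_enrolment(victim2, phisher4)
    results["token_now_on"] = victim2.token_device
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running the script prints the outcome of each constructed scenario. The point it makes for the argument above is that the ATM-PIN step only protects enrolment when the PIN is genuinely different from the login secret, and that once the victim's SMS can be rerouted and the PIN is phished as well, no password rule saves the customer; at that point only the enrolment channel itself (for example, refusing to bind a token without some out-of-band confirmation on the old device) could.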
#16

(16-01-2022, 07:57 PM)ArielCasper Wrote:  If that is the case, is it still the bank's fault?

The system has many flaws... many ways to exploit... it is really quite horrible.

Reply
#17

(16-01-2022, 08:16 PM)sgbuffett Wrote:  Even the website asks for a PIN instead of a password. As a result, customers used their ATM PIN as the login password. By right these two should be forced to be different, by forcing the login password to have both characters and numbers.
[Image: gCjFcXV.jpg]
You are right in saying this; once the customer's PIN is used, the scammer will be at liberty to access your account.......
Reply
#18

(16-01-2022, 08:16 PM)sgbuffett Wrote:  Even the website asks for a PIN instead of a password. As a result, customers used their ATM PIN as the login password. By right these two should be forced to be different, by forcing the login password to have both characters and numbers.
[Image: gCjFcXV.jpg]
You are just picking on things.. Even DBS IB is also using PIN instead of password.

If a customer is smart enough to use IB, but thinks the password PIN refers to the ATM PIN, then is it a bank issue?

But if you really find it is bothering you, give feedback to OCBC to say they should use password instead of PIN..

After all, with all this negative publicity, I am sure OCBC will take your feedback seriously.

Reply
#19

(16-01-2022, 08:12 PM)debono Wrote:  The banks will not agree that it is their fault; they will come out with many excuses to avoid being the guilty one....

I am sure the banks will not agree it is their fault..

This is just like at work. If you do what the others are generally doing, even if things fail, you can say it is an industry standard..

I am not saying banks should be off the hook, but till now, who can clearly explain where the flaw is.. All I want is to know what the flaw is and see how I can mitigate it.

You see how SGBuffet says there are a lot of flaws, but when drilled further, he doesn't even know what he is talking about.

If his point is that people use easy-to-guess PINs, then we just make sure our PIN cannot be easily guessed..

Apart from that, how can I better safeguard my savings (in the bank) from scams?

Reply
#20

I love the digital token

Because the HW one is either missing or has no batt
Reply
#21

(16-01-2022, 07:44 PM)sgbuffett Wrote:  Yes. Because it is a digital token, the scammers could move the digital token to their own device and use it to empty the customers' accounts. To move the digital tokens, all they needed were the credentials the victims keyed in at the fake site.

This would not be possible if physical tokens were used.

If banks allow SMS for transactions, customers will be exposed to fraud as SMS messages can be rerouted to the scammers.

The safest OTP is the physical token.. To save money they phased this out.

All our brokerage accounts use only SMS. Hackers can exploit this and enter these accounts.

The authorities don't seem to bother that they are putting us at risk.

I pointed this out to one brokerage; they said MAS allowed them to drop the OneKey physical token.

Now things happen..... like nobody is in charge.

MAS is useless. Always behind the curve. Now behind closed doors chenghu knocking heads. SGX should be next. Useless regulatory bodies with no bite and ineffective. Look at where our stock market has been for the past 2 decades. S-chips made fun of Sinkies but SG authorities say it's your own fault. This will also be the same for those scammed by the OCBC phishing.

Heng I use Horlicks tin only :D

Wherever you go, no matter what the weather, always bring your own sunshine :D
Reply

