SG Talk

Full Version: Han Fook Kwang : Make banks pay for phishing scam losses...
It is refreshing to see someone who is part of the establishment push for this as the elites have always made the masses shoulder all sorts of problems when things go wrong with their system.

Han Fook Kwang is the author of the book LKY the man and his ideas.  ..something we all should read.
https://www.straitstimes.com/opinion/mak...cam-losses
I won't call HFK an establishment person. His articles have always been quite objective. Unlike his colleague...a certain Chua XX who also regularly writes opinion pieces.
All banks are the same, fair weather

You die your own business

And OCBC is the worst

Whoever still deal with OCBC, you deserve what shit you get

Serves you right
(16-01-2022, 11:06 AM)starbugs Wrote: [ -> ]I won't call HFK an establishment person. His articles have always been quite objective. Unlike his colleague...a certain Chua XX who also regularly writes opinion pieces.
True, I concur.

You will only know if you have been reading the papers consistently.
HFK is objective enough to comment on things which a government mouthpiece will never dare to mention.

I remember clearly his impartial article relating to mask wearing and vaccination written sometime ago.
The thing is how do you prove that it is the bank's fault and not user's fault. After all, user did click on the link in the SMS.

The tricky thing here is whichever bank that is involved, did they use an industry-wide accepted technology/standard? If they did, then it may be hard to fault the bank, since every other bank is doing the same thing. If an industry standard is found to be wrong, then it will be like opening up a can of worms where every bank can be sued..
If the banks are made to pay, vested shareholders will never be happy. 

The onus of  payment should be on the top echelon of the entities. 
When it is out of their own pockets they will feel the pinch, and do what is absolutely necessary to prevent a similar or potential flaw. 

The elites are well paid and compensated. 
They should be responsible enough to earn and "unearn" their keeps.
Someone from HWZ pasted the article from behind the paywall.

See especially what HFK said about his friend warning OCBC about the scam SMS on Dec 17. No action by OCBC to warn its customers until 4 Jan.


Quote: If you receive an SMS from your bank telling you there is a problem with your account and that to fix it, you need to go to its website through the link provided, what would you do?

Okay, you have a suspicious mind and you do not ordinarily fall for the usual online scams like helping a Nigerian get his money out of the country.

You look at the SMS again and find that it comes from the same thread as previous bank messages.

In fact, it is in the same thread which the bank has been sending you one-time passwords (OTPs) for all the online transactions you have been making.

How can it not be legitimate?

So you click on the link and it takes you to what looks like the bank's log-in website, with its logo and all the usual features in place, as professionally done as what you would expect from a rock-solid bank.

You log in with the OTP which has been sent to your mobile phone in that same SMS thread.


And that is when your entire savings get transferred out, leaving you with exactly zero dollars in your account.

It is as if you have gone to the physical bank to withdraw all your money and somewhere in the bank - or maybe it was just outside the bank, you are so confused you don't know exactly where - someone points a gun at you and relieves you of all your cash.

I think this must have been how those 469 OCBC Bank customers felt when they fell for this scam last month, losing $8.5 million altogether.


Among them: a 38-year-old software engineer who lost $250,000 that he had been saving since 2010; a young couple whose $120,000 was money to start a family; and a mother of seven whose savings of $100,000 disappeared, out of which $60,000 was in her children's Young Savers Account.

The tragedy is that this fraud, using what is known as spoofed telephone numbers that impersonate caller IDs to trick victims into thinking the text messages originate from OCBC, isn't new or terribly sophisticated.

It has been used for some time, especially over the last two years, and both the police and banks were well aware of the increased prevalence.

As a result, in July last year, the police issued a statement that these scams affecting banks' customers had re-emerged, resulting in 374 of them losing $1.07 million from January to May.

This was what it said: "As the scammers had spoofed the bank's SMS accounts, the scammers' message might appear in the same SMS conversation thread as a bona fide SMS message from the bank."

This was five months before the December OCBC incident. Same old trick, yet so many still fell for it.

It raises the question whether banks have done enough to take preventive and pre-emptive steps to safeguard their customers' money when they knew the danger was clear and present.

I do not have an account with OCBC, but when I checked my DBS SMS thread from July when that police statement was issued, there was not a single message from it warning me of this threat.

A friend had a closer shave.

He received the same scam message as those 469 on Dec 17, which meant that he might have been one of the earliest targeted.

He immediately informed OCBC about it, adding that it should alert all its customers.

Alas, according to him, he did not hear from it until Jan 4, when he received an SMS text from the bank alerting him of these scams.

This was almost three weeks after his first call to the bank and well after those 469 had been robbed.

In fact, of those three persons cited above who lost their entire life savings, two were scammed on Dec 28 and one on Dec 21, quite some time after my friend alerted OCBC.

If the bank had been more alert to the problem and warned its customers more proactively, they might not have fallen victim.

Are banks too complacent and slow in taking the necessary steps to safeguard their clients' money?

It baffles me why so many of them did not send SMS messages to their clients warning them of the impending danger.

What will prod them to be more proactive in dealing with the problem?

I can think of one way - make them pay, if not all, at least a substantial amount of the losses suffered by their clients.

Under existing laws, they are not obliged to, as they will argue that the customers were negligent in falling for the scam.

In fact, they are always quick to say that their security systems were not compromised. No one hacked into and broke through their defences.

In other words, they were not at fault as all the trickery took place outside of the bank and inside their customers' own mobile phones.

But this is not satisfactory, and it is unfair for unsuspecting people to have to bear all the burden of having to look out for devious crooks who know everything about what makes a person vulnerable to these tricks.

To be fair, the Government recognises that more should be done to address these issues, particularly over the question of how to define more clearly where banks' and customers' liabilities and responsibilities fall.

In July, Finance Minister Lawrence Wong announced that the Monetary Authority of Singapore (MAS) was reviewing the matter and that it will take till the end of that year.

He also added that banks were already flexible in reimbursing their clients' losses, taking into account the merits of each case.

All eyes will now be on how OCBC deals with its affected clients and demonstrates exactly how flexible it is.

MAS should use this latest scam as a case study and seek a fairer balance that takes into account the vulnerability of customers to the increasing sophistication of online scammers.

If banks are held to a higher standard of accountability, even when there is no security breach in their own systems, they will have a greater incentive to do more to prevent such fraud.

If they are liable for some or all of these losses, you can bet they will do more to outsmart the crooks.

But there is also the danger that if customers believe they are completely insured against all losses, they will let their guard down and not do their bit to ensure safe banking.

There is a moral hazard which needs to be addressed and the balance set appropriately.

The most important issue is public confidence in the banking system which is even more critical now that Singapore has moved aggressively into the digital world, involving more and more activities and transactions.

We are constantly told by the authorities that digitalisation is the way forward for the country and will give it a competitive advantage.

Those pushing this transformation have a duty to make this new world safe for all, and to provide for adequate redress when banks and other financial institutions fail to do so.

For those 469 cheated bank customers, their confidence in the banking system has been completely shattered.

It needs to be restored quickly.

• Han Fook Kwang is also senior fellow at the S. Rajaratnam School of International Studies, Nanyang Technological University.
(16-01-2022, 11:25 AM)ArielCasper Wrote: [ -> ]The thing is how do you prove that it is the bank's fault and not user's fault. After all, user did click on the link in the SMS.

The tricky thing here is whichever bank that is involved, did they use an industry-wide accepted technology/standard? If they did, then it may be hard to fault the bank, since every other bank is doing the same thing. If an industry standard is found to be wrong, then it will be like opening up a can of worms where every bank can be sued..

It is the responsibility of the bank to trace the electronic trail and report the receiver of the money to the police even if it is overseas.
Is OCBC doing it?
1. Customer did "click" by being tricked by scammer. But why scammer can change limit and add a payee so easily? Bcoz the security is not tight enough. Some banks don't allow limit to be changed auto online.
Example is CIMB bank requires me to email them abt the req change and they call back to confirm. Not online thingy.
2. Even if the banks use the industry standard software solutions, they cannot just sleep there.
You should know that software changes at near lightning speed.
Your solution is obsolete but you still kooning whereas scammers can take advantage of the new capabilities.
Depends on what's lacking in OCBC compared to other banks that lead to this. But for sure, I know OCBC doesn't value its customers well since their banking app is crap. Feedback to them many times and it's still crap.
No matter how many times the money is transferred, the electronic trail will be recorded until the money is cashed out.
Even if the money is cashed out, the person's identity will be known because he owns the final bank account.

It is up to OCBC and the police to go after the person who cashes out the money.

No one can steal bank money using online account without exposing their own identity.
(16-01-2022, 11:36 AM)starbugs Wrote: [ -> ]Someone from HWZ pasted the article from behind the paywall.

See especially what HFK said about his friend warning OCBC about the scam SMS on Dec 17. No action by OCBC to warn its customers until 4 Jan.

thanks, seems the bank has very relaxed, complacent attitude towards such incidents.
even after customers alerted them they sat on it....causing more customers to be victims.

there is sense of urgency to protect or fix...probably because they can just blame customers and lose nothing
(16-01-2022, 10:15 AM)sgbuffett Wrote: [ -> ]It is refreshing to see someone who is part of the establishment push for this as the elites have always made the masses shoulder all sorts of problems when things go wrong with their system.

Han Fook Kwang is the author of the book LKY the man and his ideas.  ..something we all should read.
https://www.straitstimes.com/opinion/mak...cam-losses

That’s what I thought
This will make the banks be more vigilant and less slack
(16-01-2022, 11:06 AM)starbugs Wrote: [ -> ]I won't call HFK an establishment person. His articles have always been quite objective. Unlike his colleague...a certain Chua XX who also regularly writes opinion pieces.

an establishment person does not mean he is not objective. when i say establishment i mean he was part of the scholar elite system like Chua Mui Hoong.

because such scholar elites benefitted from the system so much they won't rock the boat.
unfortunately chua sisters became apologists frequently defending it...they fail to see the system is skewed to benefit people like them, may not be good for others.

HFK only wrote "objective articles" after he left his editor post in SPH.

after my third read of LKY the man and his ideas .....i feel that many of the ideas are flawed and unsustainable...it's only masked by singapore's early success.
yes bank responsible

they should have checks and balances

how can bank no control over cyber thieves
(16-01-2022, 11:42 AM)Bigbluedot Wrote: [ -> ]1. Customer did "click" by being tricked by scammer. But why scammer can change limit and add a payee so easily? Bcoz the security is not tight enough. Some banks don't allow limit to be changed auto online.
Example is CIMB bank requires me to email them abt the req change and they call back to confirm. Not online thingy.
2. Even if the banks use the industry standard software solutions, they cannot just sleep there.
You should know that software changes at near lightning speed.
Your solution is obsolete but you still kooning whereas scammers can take advantage of the new capabilities.

I don't know about you guys.

But because of this, I tried changing my ATM withdraw limit for OCBC.. It did a 2FA authentication with my phone (I am using my phone as 'token', so I am assuming adding a payee will need the same authentication). Maybe some of you can try and let the rest know.

As for whether to allow change of limit online, it depend on individual. Some wants the convenience. 

I don't know if OCBC solution is obsolete, but it allows me to use my phone to authenticate instead of SMS. DBS and UOB also have similar features.. So if OCBC solution is obsolete, then it is a industry wide problem.

Maybe we should all go back to our parent's days, all transactions must go to the bank to carry out.. Safer..
Can a person move the fund from fixed deposit account to saving account using Internet banking? If can, I better go to the bank and to close my Internet banking account.
(16-01-2022, 12:45 PM)ArielCasper Wrote: [ -> ]I don't know about you guys.

But because of this, I tried changing my ATM withdraw limit for OCBC.. It did a 2FA authentication with my phone (I am using my phone as 'token', so I am assuming adding a payee will need the same authentication). Maybe some of you can try and let the rest know.

As for whether to allow change of limit online, it depend on individual. Some wants the convenience. 

I don't know if OCBC solution is obsolete, but it allows me to use my phone to authenticate instead of SMS. DBS and UOB also have similar features.. So if OCBC solution is obsolete, then it is a industry wide problem.

Maybe we should all go back to our parent's days, all transactions must go to the bank to carry out.. Safer..
in the ocbc scam, the customer keyed in his login id, password and otp from his phone digital token at fake site
once the scammer gets these 3 things he uses it to shift digital token to his own device.

now scammer can generate otp from his device.

basically he can do anything he wants.

the dbs system has an extra step:
1. it sends sms to your phone with code.
2. you key in code to token to generate new code.
this new code is needed.

for the dbs system the hacker need to capture both sms and token.
this is harder because you need sms plus token to move the token.
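
The extra step described in the post above (a code sent by SMS is keyed into the token to produce a new code) is a challenge-response check. A minimal model of why it changes the outcome, added here as an illustration and not any bank's actual implementation; the `Bank` class, the key, the time step and the operation name `move-token` are all hypothetical:

```python
import hashlib
import hmac
import secrets
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226-style dynamic truncation of an HMAC to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def plain_otp(token_key: bytes, time_step: int) -> str:
    """6-digit token code with no context: it says nothing about its purpose."""
    mac = hmac.new(token_key, struct.pack(">Q", time_step), hashlib.sha1).digest()
    return _truncate(mac, 6)


def bound_response(token_key: bytes, challenge: str, operation: str) -> str:
    """8-digit response tied to one SMS challenge and one named operation."""
    msg = operation.encode() + b"\x00" + challenge.encode()
    return _truncate(hmac.new(token_key, msg, hashlib.sha256).digest(), 8)


class Bank:
    """Hypothetical server side holding the customer's token key."""

    def __init__(self, token_key: bytes):
        self.token_key = token_key
        self.pending = {}  # operation name -> outstanding SMS challenge

    def move_token_plain(self, code: str, time_step: int) -> bool:
        # Weak flow: any currently valid token code authorises the move.
        return hmac.compare_digest(code, plain_otp(self.token_key, time_step))

    def send_challenge(self, operation: str) -> str:
        # Sent by SMS to the registered phone; the text should name the operation.
        challenge = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[operation] = challenge
        return challenge

    def move_token_bound(self, response: str) -> bool:
        challenge = self.pending.pop("move-token", None)  # single use
        if challenge is None:
            return False
        expected = bound_response(self.token_key, challenge, "move-token")
        return hmac.compare_digest(response, expected)


def demo() -> dict:
    key = secrets.token_bytes(20)   # constructed token key
    step = 54_000_000               # constructed 30-second time step
    bank = Bank(key)
    phished = plain_otp(key, step)  # code the customer typed into the fake site

    results = {"plain_accepts_phished": bank.move_token_plain(phished, step)}

    bank.send_challenge("move-token")
    results["bound_accepts_phished"] = bank.move_token_bound(phished)

    challenge = bank.send_challenge("move-token")  # delivered to the registered phone
    owner = bound_response(key, challenge, "move-token")
    results["bound_accepts_owner"] = bank.move_token_bound(owner)
    results["challenge_reusable"] = bank.move_token_bound(owner)
    return results


if __name__ == "__main__":
    print(demo())
```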
(16-01-2022, 12:45 PM)ArielCasper Wrote: [ -> ]I don't know about you guys.

But because of this, I tried changing my ATM withdraw limit for OCBC.. It did a 2FA authentication with my phone (I am using my phone as 'token', so I am assuming adding a payee will need the same authentication). Maybe some of you can try and let the rest know.

As for whether to allow change of limit online, it depend on individual. Some wants the convenience. 

I don't know if OCBC solution is obsolete, but it allows me to use my phone to authenticate instead of SMS. DBS and UOB also have similar features.. So if OCBC solution is obsolete, then it is a industry wide problem.

Maybe we should all go back to our parent's days, all transactions must go to the bank to carry out.. Safer..
Yes, we should all go back to our parent's days, where things are done using hardcopy, like cheques and personally going down the bank to do big transactions.....It may seem regressive but it better than to be scammed by the hundreds of thousands........
(16-01-2022, 01:01 PM)sgbuffett Wrote: [ -> ]in the ocbc scam, the customer keyed in his login id, password and otp from his phone digital token at fake site
once the scammer gets these 3 things he uses it to shift digital token to his own device.

now scammer can generate otp from his device.

basically he can do anything he wants.

the dbs system has an extra step:
1. it sends sms to your phone with code.
2. you key in code to token to generate new code.
this new code is needed.

for the dbs system the hacker need to capture both sms and token.
this is harder because you need sms plus token to move the token.


Not true. DBS also sends SMS to the HP and with OTP via SMS, you can transact online and change limit. My concern is that if the internet bank account can be so easily hacked, then the banks should add in another layer of protection on the changing of transacted limit by either an email confirmation or phone call verification in order to change the limit.

Main reason to set the transacted limit is to protect your bank account but if the banks are so hands-off to allow one to change the transacted limit online, once the account is being hacked, all gone your saving.

The banks need to put in extra secure step before transacted limit can be changed: either to personally do it at the bank or any other extra steps, it's a bit inconvenient, but it's safer way to protect one's money in the bank
This scam is easily solved even if the scammer has all my passwords and tokens.

why OCBC cannot solve ?
why are we even asking/saying this

of course the bank have to pay for the losses

it was the bank's poor security that led to scammers able to take the money
(16-01-2022, 01:55 PM)forum456 Wrote: [ -> ]This scam is easily solved even if the scammer has all my passwords and tokens.

why OCBC cannot solve ?

Bro can please advise here so that we at least can protect each own internet bank account. thanks
(16-01-2022, 11:06 AM)starbugs Wrote: [ -> ]I won't call HFK an establishment person. His articles have always been quite objective. Unlike his colleague...a certain Chua XX who also regularly writes opinion pieces.

IMO she is Shit Times best journo whose writing skills can match those from established  ang mo news agencies. However I do agree  she also tends to side with her paymasters when it comes to commentaries on policy making. In the real world iz hard to say no to good money and still maintain your integrity unless you have something else going on for you.
Stop dreaming man, EVEN 2 dollars they also want ok, if your bank account less than the min sum.
(16-01-2022, 02:14 PM)kc172021 Wrote: [ -> ]Bro can please advise here so that we at least can protect each own internet bank account. thanks

very easy.

scammer can take your money because you are not aware that your money is being transferred.
if you are notified that your money is being transferred, you will not approve of your transfer.

OCBC can SMS to you that your money is being transferred and ask for your approval.
once you receive SMS  that your money is being transferred, you reject the request and report to police.
no one can transfer your money if they have all your passwords and tokens.
the sms will only send to your phone, your phone will control the approval of money transfer.

scammer can have all your passwords and tokens but still need your phone to approve the money transfer.
(16-01-2022, 11:53 AM)forum456 Wrote: [ -> ]No matter how many times the money is transferred, the electronic trail will be recorded until the money is cashed out.
Even if the money is cashed out ,the person identity will be known because he owns the final bank account.

It is up to OCBC and the police to go after the person who cash out the money.

No one can steal bank money using online account without exposing their own identity

https://youtu.be/EZDDJ1d5Vt4
(16-01-2022, 03:07 PM)forum456 Wrote: [ -> ]very easy.

scammer can take your money because you are not aware that your money is being transferred.
if you are notified that your money is being transferred, you will not approve of your transfer.

OCBC can SMS to you that your money is being transferred and ask for your approval.
once you receive SMS  that your money is being transferred, you reject the request and report to police.
no one can transfer your money if they have all your passwords and tokens.
the sms will only send to your phone, your phone will control the approval of money transfer.

scammer can have all your passwords and tokens but still need your phone to approve the money transfer.

Isn't what you describe already there right now, as in the transaction will be completed if you press the accept button on my phone banking app?
Come to think of these scam cases, all the scammers needed are just three things to take over your account completely..

1. Phone number. This is obtained by trial and error by sending you a phishing message with a link for you to click. Once you click the link and responded, the scammers confirmed a fish is caught with this phone number. Once he got your phone number, he can imitate bank and send OTP to you by SMS.

2. User ID. This is obtained by you clicking his phishing link and logging into your OCBC or whatever bank fake bank site.

3. Password. Same as 2 above this is obtained by you clicking the fake bank link and logging in.

So that's it, your account is being hijacked. So the lesson learnt is dun and never click any link send by bank on SMS which I believe banks dun do this.

If the phishing message comes from email asking you to click a link, this will not expose your phone number and scammers cannot send fake OTP to you by SMS. .... Thinking
What Bank need just installed one emergency button for all online transactions if anything go wrong just send SMS with another’s password or go to nearest ATMs machine to temporarily locked the account … soooooo simple tio BOH?!!