Singapore Banks To Phase Out The Use Of One Time Passwords In The Next 3 Months

It has been announced that all major retail banks in Singapore must phase out the use of one-time passwords (OTPs) within the next three months. This initiative is being mandated by the Monetary Authority of Singapore (MAS) and was developed in collaboration with the Association of Banks in Singapore (ABS). The move is intended to protect consumers from phishing and other scams.

The National Institute of Standards and Technology (NIST, US Department of Commerce) deprecated the use of SMS for 2FA as early as 2016, and the move away from OTPs has been picking up steam since then.

CEO Ted Miracco of Approov, a mobile security company, offers insight:

   “OTPs, once seen as a robust two-factor authentication (2FA) method, are now frequently targeted by cybercriminals using advanced social engineering tactics and Android malware. Android malware can exploit permissions to intercept OTPs sent via SMS. Android users are often targeted by phishing campaigns that mimic legitimate banking apps or websites, tricking users into revealing their OTPs. Despite improvements in app store security, these fake apps can still infiltrate and deceive users. Despite Google’s efforts to restrict certain permissions, malicious apps continue to find ways to bypass these controls.

   “The shift to digital tokens aims to offer a more secure alternative to OTPs, but it comes with its own set of challenges. Despite the significant security enhancements, ensuring the integrity of banking apps requires robust measures such as mobile app attestation and runtime application self-protection (RASP) to prevent tampered or cloned apps from functioning.

   “The long overdue phase-out of OTPs is a positive step towards enhancing the security of online banking in Singapore. However, banks must remain vigilant and proactive concerning Android vulnerabilities, to protect their customers effectively.”
