Skip to main content

Advertisement

Advertisement

Authorities working on requiring all banks, telcos, SMS aggregators to join anti-spoof registry

SINGAPORE — The authorities are working on getting all telcos, banks and SMS aggregators in Singapore to sign up for a national registry that allows businesses to block spoofed scam messages from being sent to customers.

The authorities move to work on requiring telcos, banks and SMS aggregators to join the registry follows a series of phishing scams affecting OCBC customers.
The authorities move to work on requiring telcos, banks and SMS aggregators to join the registry follows a series of phishing scams affecting OCBC customers.
Follow TODAY on WhatsApp
  • The authorities said that they will roll out an anti-spoof national registry to all telcos, SMS aggregators and banks that use SMS for retail customers
  • TODAY understands that this will be made a requirement for these companies
  • When a fraudster tries to send messages using a registered sender name, the registered company will be able to block them

SINGAPORE — The authorities are working on getting all telcos, banks and SMS aggregators in Singapore to sign up for a national registry that allows businesses to block spoofed scam messages from being sent to customers.

TODAY understands that this will be made a requirement for these companies and organisations, as part of a suite of security measures announced earlier that were designed to combat scams such as the recent OCBC bank phishing scam. 

In response to TODAY's queries, spokespersons from the Infocomm Media Development Authority (IMDA) and the Monetary Authority of Singapore (MAS) said in a joint statement on Thursday (Jan 20) that they will "roll out the registry to all telcos, SMS aggregators, and banks that use SMS services for retail customers". 

"The recent surge in spoofing attacks involving banks underlines the need for robust defences at the ecosystem level against spoofing attacks," the statement read. 

The registry, called the Singapore SMS SenderID protection registry, had been in its pilot phase since last August. 

Following the OCBC phishing scam, there have been calls to make it mandatory for firms to be part of the registry. 

As of Thursday, more than 2,100 people have signed an online petition to get IMDA to require all organisations in Singapore to register with the authorities before being allowed to send SMS messages with sender IDs. Earlier this week, IMDA had also urged more organisations to sign up. 

A slew of measures were announced on Wednesday evening by MAS and the Association of Banks in Singapore to tighten the security of digital banking and protect account holders from phishing scams.

These include banks removing clickable links in emails or SMS messages sent to retail customers and having dedicated customer assistance teams to deal with feedback on potential fraud cases.

The OCBC phishing scam claimed nearly 470 victims who lost at least S$8.5 million in all. The bank has said that it will fully reimburse all customers who lost money to the scam. 

Many of these victims had been tricked by fake SMS messages that appeared in the same thread as legitimate text messages from OCBC for one-time passwords and transaction alerts.

The swindlers impersonated the bank by putting their sender ID as “OCBC”, claiming that there were issues with the customer’s bank accounts or credit cards and instructing them to click on a link in the SMS message that led the customer to a fake banking website.

Sender IDs are names that identify the sender of an SMS message so that a word or phrase (such as "OCBC"), instead of a number, is displayed on the recipient's mobile phone.

To combat these forms of scams, the registry allows organisations to register their sender ID. When fraudsters try to send messages using a sender ID that is registered, these organisations may choose to block them from being sent.

IMDA previously said that "some banks" signed up when the pilot registry was started and named e-commerce platform Lazada and Singapore Post as being on it as well. OCBC is understood to be part of the pilot registry project. 

“We urge more businesses and organisations that use SMS sender IDs to do so,” IMDA wrote in reply to a reader’s letter to The Straits Times on Monday.

The SMS SenderID protection registry is run by global trade body Mobile Ecosystem Forum (MEF), which developed and ran a registry in the United Kingdom where the firm is based.

Speaking to TODAY earlier, MEF’s registry project director Mike Round previously explained how the registry works.

He also said that the initial monitoring and discovery phase for the registry in Singapore is “working well”, but stressed that the registry is not foolproof in rooting out SMS phishing attacks.

Cybersecurity experts also said that the registry's success may be limited, given the known vulnerabilities of SMS messages, suggesting instead that banks do away with communicating important information such as verification codes via SMS.

Related topics

IMDA phishing OCBC MAS scam SMS bank telco

Read more of the latest in

Advertisement

Advertisement

Stay in the know. Anytime. Anywhere.

Subscribe to get daily news updates, insights and must reads delivered straight to your inbox.

By clicking subscribe, I agree for my personal data to be used to send me TODAY newsletters, promotional offers and for research and analysis.