Singapore's government has proposed making telcos compensate their customers if they're phished via text messages that should have been blocked.

The idea of making carriers culpable for crime emerged yesterday in a consultation paper prepared by Singapore's Monetary Authority and Infocomm Media Development Authority (IMDA).

The paper proposes a Shared Responsibility Framework (SRF) for phishing scams. Under the scheme, financial institutions would be required to operate a 12-hour cooling off period after issuing digital tokens to log in to accounts or verify transactions, during which no high risk activities could be conducted. The requirement is suggested as a means of slowing scammers if they compromise an account and try to perform actions on a new device.

Financial institutions would also be required to give customers real time alerts about activation of tokens, and of all outgoing transactions. Operation of a "kill switch" that consumers could use to lock accounts and prevent transactions is another proposed requirement.

Carriers' potential liability would kick in if they failed to operate appropriate filters to detect phishing texts.

The framework calls for carriers to connect with only authorized aggregators registered with local authorities as sources of Sender ID SMS messages, and to block messages from other sources.

Telcos would also be required to implement an anti-scam filter over all SMS to block any with known phishing links.

If financial institutions or carriers fail to implement any of those measures - or operate them properly - they would be on the hook for the full loss incurred due to phishing.

The consultation paper suggests the approach it describes would be a strong incentive to carriers and financial institutions to nail the job of detecting and deflecting potential scams.

Consumers get off lightly. Past government remarks suggested they could be held jointly liable, but the consultation paper omits such a suggestion - instead outlining duties including "practising good cyber hygiene and never giving away their personal or account credentials to anyone." Consumers should also take care not to click on links in emails or text messages "unless these are informational links that the account user is expecting to receive."

Phishing is a touchy subject in Singapore, after a 2021 attack targeted OCBC Bank and duped hundreds of customers. The island nation has since tried to combat scammers by blocking more websites and increasing regulation for banks. This consultation advances those efforts.

The idea that carriers could be held liable for phishing appears to be novel. Australia has suggested it intends to include carriers in a joint liability scheme that will also require social media platforms to clamp down on scam ads. ®

https://www.theregister.com//2023/10/26/singapore_shared_responsibility_phishing_consultation/